Bug 855311

Summary: AVCs when running tgtd test with disabled unconfined and unlabelednet
Product: Red Hat Enterprise Linux 6
Reporter: Michal Trunecka <mtruneck>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dwalsh, ebenes, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-162.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 08:28:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michal Trunecka 2012-09-07 11:19:59 UTC
Description of problem:
Running the tgtd daemon involves running tgtadm, which causes the AVCs listed below when the unconfined and unlabeled modules are disabled. The test PASSed with no AVCs with both mentioned modules enabled.

----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.527:1115): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff4dc15e40 a2=6e a3=7fff4dc15ac0 items=0 ppid=1237 pid=1238 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.527:1115): avc:  denied  { write } for  pid=1238 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.531:1116): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffa64810a0 a2=6e a3=7fffa6480d20 items=0 ppid=1237 pid=1240 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.531:1116): avc:  denied  { write } for  pid=1240 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.535:1117): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffe49483b0 a2=6e a3=7fffe4948030 items=0 ppid=1231 pid=1242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.535:1117): avc:  denied  { write } for  pid=1242 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:42 2012
type=SYSCALL msg=audit(1347015822.748:1119): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff27b8fb00 a2=6e a3=7fff27b8f780 items=0 ppid=1539 pid=1540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { connectto } for  pid=1540 comm="tgtadm" path="/var/run/tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { write } for  pid=1540 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:45 2012
type=SYSCALL msg=audit(1347015825.861:1120): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff5ed4c760 a2=6e a3=7fff5ed4c3e0 items=0 ppid=1635 pid=1636 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015825.861:1120): avc:  denied  { connectto } for  pid=1636 comm="tgtadm" path="/var/run/tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=unix_stream_socket


Version-Release number of selected component (if applicable):
scsi-target-utils-1.0.24-2.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch


How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. service tgtd start; service tgtd restart; service tgtd stop
  
Actual results:
AVCs and tgtd is not running

Expected results:
No AVCs and tgtd started.
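The audit records above are the raw material a policy maintainer triages: each AVC record has to be joined to its SYSCALL record (they share the serial number in `msg=audit(ts:serial)`), the source and target types pulled out of the full contexts, and repeated denials collapsed into the distinct access vectors that policy would need to grant. The example below is added here and is not part of the bug report or of selinux-policy; it parses an ausearch-style dump (a constructed subset of the records in this report, reduced to the fields the parser uses), aggregates denials by (source type, target type, object class), renders them as the `allow` rules audit2allow would propose, and flags denials whose syscall nevertheless reported `success=yes`, which means the access was logged but not blocked (permissive mode or a permissive domain). The rendered rules are a triage summary only; the report does not state what the fixed policy actually changed, and a real fix often uses a policy interface or domain transition instead of a bare allow rule.

```python
import re

# Constructed sample: a subset of the audit records from this bug report, with
# ausearch separators kept and the register-dump fields (a0..a3) dropped.
SAMPLE_AUDIT = """\
----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.527:1115): arch=c000003e syscall=42 success=no exit=-13 pid=1238 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.527:1115): avc:  denied  { write } for  pid=1238 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:42 2012
type=SYSCALL msg=audit(1347015822.748:1119): arch=c000003e syscall=42 success=yes exit=0 pid=1540 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { connectto } for  pid=1540 comm="tgtadm" path="/var/run/tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { write } for  pid=1540 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <rest>
AUDIT_MSG_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be quoted, parenthesised like (null), or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_kv(text):
    """Turn 'a=1 b="x y" c=(null)' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_audit(text):
    """Parse raw audit records into AVC events joined with their SYSCALL record.

    Lines that are not audit records (ausearch separators, time-> lines) are
    skipped. Each event records whether the SYSCALL that triggered the denial
    still succeeded, which is the signature of a permissive domain or system.
    """
    syscalls = {}
    avcs = []
    for line in text.splitlines():
        m = AUDIT_MSG_RE.match(line.strip())
        if not m:
            continue
        serial = int(m.group("serial"))
        if m.group("type") == "SYSCALL":
            syscalls[serial] = parse_kv(m.group("rest"))
        elif m.group("type") == "AVC":
            a = AVC_RE.match(m.group("rest"))
            if not a:
                continue
            fields = parse_kv(a.group("rest"))
            avcs.append({
                "serial": serial,
                "verdict": a.group("verdict"),
                "perms": set(a.group("perms").split()),
                "source": context_type(fields["scontext"]),
                "target": context_type(fields["tcontext"]),
                "tclass": fields["tclass"],
                "comm": fields.get("comm", "?"),
            })
    # The AVC and SYSCALL records of one event share the audit serial number.
    for ev in avcs:
        ev["syscall_succeeded"] = syscalls.get(ev["serial"], {}).get("success") == "yes"
    return avcs


def summarize(avcs):
    """Aggregate denials by (source type, target type, class) into the union of
    denied permissions, an occurrence count, and a not_enforced flag that is set
    if any instance was only logged rather than blocked."""
    summary = {}
    for ev in avcs:
        if ev["verdict"] != "denied":
            continue
        key = (ev["source"], ev["target"], ev["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "not_enforced": False})
        entry["perms"] |= ev["perms"]
        entry["count"] += 1
        entry["not_enforced"] = entry["not_enforced"] or ev["syscall_succeeded"]
    return summary


def as_allow_rules(summary):
    """Render each aggregated denial as the allow rule audit2allow would propose.
    Whether such a rule belongs in policy is a separate review decision."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        if len(entry["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perms};")
    return rules


if __name__ == "__main__":
    summary = summarize(parse_audit(SAMPLE_AUDIT))
    for (src, tgt, cls), entry in sorted(summary.items()):
        flag = "  [syscall succeeded: permissive, not enforced]" if entry["not_enforced"] else ""
        print(f"{src} -> {tgt} ({cls}): {sorted(entry['perms'])} x{entry['count']}{flag}")
    for rule in as_allow_rules(summary):
        print(rule)
```

Run against the records in this report, the summary shows two access vectors: initrc_t writing the tgtd_var_run_t sock_file and initrc_t connecting to the tgtd_t unix_stream_socket. The first three records have `success=no exit=-13` (EACCES, the denial was enforced), while records 1119 and 1120 show `success=yes`, so the same tool run on a full log also tells you which denials a permissive domain let through.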

Comment 5 errata-xmlrpc 2013-02-21 08:28:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html