Bug 855324

Summary: AVC denials for openswan when it is started and stopped quickly on freshly booted system
Product: Red Hat Enterprise Linux 5
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Reporter: Patrik Kis <pkis>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: amarecek, dwalsh, mmalik
Fixed In Version: selinux-policy-2.4.6-334.el5
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-01-08 03:34:35 UTC

Description Patrik Kis 2012-09-07 11:50:06 UTC
Description of problem:
After a fresh boot, when openswan is started and suddenly stopped, an AVC denial appears. If openswan was already started, the issue cannot be reproduced.
It also appears with the automated test when run manually after a fresh reboot:
/CoreOS/openswan/Regression/bz587669-selinux-read-access-on-home-dir
When planned in Beaker, the issue appears only sometimes.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5
openswan-2.6.32-4.el5

How reproducible:
always

Steps to Reproduce:
1. Reboot the test system
2. Start and suddenly stop openswan:
# _TEST_ST=`date "+%m/%d/%Y %T"`
# ausearch -m avc -ts $_TEST_ST -i
3. Check AVCs
# ausearch -m avc -ts $_TEST_ST -i
----
type=SYSCALL msg=audit(09/07/2012 13:44:32.327:16) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=2b87b2b9a338 a1=7fffa3c6aaf0 a2=7fffa3c6aaf0 a3=4000 items=0 ppid=2693 pid=2705 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=pluto exe=/usr/libexec/ipsec/pluto subj=root:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(09/07/2012 13:44:32.327:16) : avc:  denied  { search } for  pid=2705 comm=pluto name=net dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir 

Actual results:
avc denial

Expected results:
no avc denial

Comment 1 RHEL Program Management 2012-09-07 11:57:04 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Milos Malik 2012-09-07 12:38:03 UTC
If the automated test is executed in the Beaker environment, 2 AVCs appear. The first of them is already mentioned in comment#0:
----
time->Fri Sep  7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.242:20): arch=c0000032 syscall=1210 success=no exit=-13 a0=200000080018ddd0 a1=60000fffffc5a470 a2=0 a3=0 items=0 ppid=7289 pid=7290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1347011007.242:20): avc:  denied  { search } for  pid=7290 comm="pluto" name="net" dev=proc ino=4026531979 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Fri Sep  7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.891:21): arch=c0000032 syscall=1026 success=yes exit=176 a0=6 a1=200000000007b0b8 a2=3ff a3=2000000000065180 items=0 ppid=7542 pid=7546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347011007.891:21): avc:  denied  { ptrace } for  pid=7546 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=process
----

Comment 3 Miroslav Grepl 2012-09-11 08:25:35 UTC
Yes, "ps" causes "ptrace" on RHEL5.
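The three AVC records quoted in comment#0 and comment#2 are the whole evidence in this bug, and what a policy maintainer does with them is turn each `scontext`/`tcontext`/`tclass`/permission tuple into a rule. The script below is an added example, not code from the bug report, from openswan or from selinux-policy: it parses AVC records in both the raw audit.log form (comment#2) and the `ausearch -i` interpreted form (comment#0), and merges them into `allow` rules the way audit2allow does. The function names, the `SAMPLE_LOG` constant (its lines are copied from the records quoted above) and the assumption that a context is `user:role:type[:level]` with the type as the third field are the example's own.

```python
"""Turn SELinux AVC denial records into the policy rules that describe them.

Added example for bug 855324; not code from the bug report, openswan or
selinux-policy. Handles both raw audit.log records and `ausearch -i` output
and merges permissions per (source type, target type, class) like audit2allow.
"""
import re
from collections import OrderedDict

# "avc:  denied  { search } for  pid=... scontext=... tcontext=... tclass=dir"
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
# key=value pairs after "for"; values are quoted in raw records, bare in -i output
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit(1347011007.242:20) or audit(09/07/2012 13:44:32.327:16): keep the serial
SERIAL_RE = re.compile(r'msg=audit\([^)]*:(\d+)\)')

# Records copied from comment#0 (interpreted) and comment#2 (raw) of this bug.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(09/07/2012 13:44:32.327:16) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) comm=pluto exe=/usr/libexec/ipsec/pluto subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(09/07/2012 13:44:32.327:16) : avc:  denied  { search } for  pid=2705 comm=pluto name=net dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1347011007.242:20): avc:  denied  { search } for  pid=7290 comm="pluto" name="net" dev=proc ino=4026531979 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1347011007.891:21): avc:  denied  { ptrace } for  pid=7546 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=process
"""


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        # assumption: contexts are user:role:type[:level], type is index 2
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    serial = SERIAL_RE.search(line)
    return {
        'serial': int(serial.group(1)) if serial else None,
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'perms': m.group('perms').split(),
        'stype': stype,
        'ttype': ttype,
        'tclass': tclass,
    }


def parse_log(text):
    """Parse every AVC denial in an audit log or ausearch dump, in order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials per (stype, ttype, tclass) into audit2allow-style rules."""
    merged = OrderedDict()
    for r in records:
        perms = merged.setdefault((r['stype'], r['ttype'], r['tclass']), [])
        for p in r['perms']:
            if p not in perms:
                perms.append(p)
    rules = []
    for (s, t, c), perms in merged.items():
        pset = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append('allow %s %s:%s %s;' % (s, t, c, pset))
    return rules


if __name__ == '__main__':
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print('event %s: %s denied %s on %s:%s' %
              (r['serial'], r['comm'], ' '.join(r['perms']), r['ttype'], r['tclass']))
    for rule in allow_rules(records):
        print(rule)
```

Run against the records quoted in this bug, the two `search` denials collapse into one rule for `ipsec_t` on `sysctl_net_t:dir`, and the `ps` event from comment#2 yields a separate `ptrace` rule from `ipsec_mgmt_t` to `ipsec_t`. Whether a maintainer turns a given tuple into `allow` or silences it with `dontaudit` (the usual choice for the `ps`-triggered `ptrace` that comment#3 describes as normal RHEL5 behaviour) is a policy decision the parser cannot make, and which rules the shipped selinux-policy-2.4.6-334.el5 used is not stated on this page.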

Comment 8 errata-xmlrpc 2013-01-08 03:34:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html