Bug 856095

Summary: AVCs when running postgres test with disabled unconfined and unlabelednet
Product: Red Hat Enterprise Linux 6
Reporter: Michal Trunecka <mtruneck>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NEXTRELEASE
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dwalsh, ebenes
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-04 07:47:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michal Trunecka 2012-09-11 08:11:15 UTC
Description of problem:
SELinux blocked postgres during an automated test when the unconfined and unlabelednet SELinux modules were disabled. The test passes with no AVCs with both modules enabled. AVCs reported in permissive mode are listed below. All the AVCs are probably caused by commands in the init.d/postgres script in the initdb function.

----
time->Tue Sep 11 09:47:54 2012
type=PATH msg=audit(1347349674.074:3754): item=0 name="/var/lib/pgsql/data" inode=399673 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0
type=CWD msg=audit(1347349674.074:3754):  cwd="/"
type=SYSCALL msg=audit(1347349674.074:3754): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=23786e0 a2=1a a3=1a items=1 ppid=31088 pid=31096 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chown" exe="/bin/chown" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349674.074:3754): avc:  denied  { setattr } for  pid=31096 comm="chown" name="data" dev=sda3 ino=399673 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
----
time->Tue Sep 11 09:47:54 2012
type=PATH msg=audit(1347349674.072:3753): item=1 name="data" inode=399673 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0
type=PATH msg=audit(1347349674.072:3753): item=0 name="/var/lib/pgsql" inode=399647 dev=08:03 mode=040700 ouid=26 ogid=26 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
type=CWD msg=audit(1347349674.072:3753):  cwd="/var/lib/pgsql"
type=SYSCALL msg=audit(1347349674.072:3753): arch=c000003e syscall=83 success=yes exit=0 a0=7fff22efbf67 a1=1ed a2=7fff22efbf67 a3=a items=2 ppid=31088 pid=31095 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349674.072:3753): avc:  denied  { create } for  pid=31095 comm="mkdir" name="data" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
----
time->Tue Sep 11 09:48:05 2012
type=PATH msg=audit(1347349685.552:3759): item=1 name="/var/lib/pgsql/data/pg_log" inode=405609 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=PATH msg=audit(1347349685.552:3759): item=0 name="/var/lib/pgsql/data/" inode=399673 dev=08:03 mode=040700 ouid=26 ogid=26 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=CWD msg=audit(1347349685.552:3759):  cwd="/"
type=SYSCALL msg=audit(1347349685.552:3759): arch=c000003e syscall=83 success=yes exit=0 a0=7ffffbfd7f51 a1=1ff a2=7ffffbfd7f51 a3=a items=2 ppid=31088 pid=31171 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349685.552:3759): avc:  denied  { create } for  pid=31171 comm="mkdir" name="pg_log" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir
----
time->Tue Sep 11 09:48:05 2012
type=PATH msg=audit(1347349685.563:3760): item=0 name="/var/lib/pgsql/data/pg_log" inode=405609 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=CWD msg=audit(1347349685.563:3760):  cwd="/"
type=SYSCALL msg=audit(1347349685.563:3760): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=1c466e0 a2=1a a3=1a items=1 ppid=31088 pid=31172 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chown" exe="/bin/chown" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349685.563:3760): avc:  denied  { setattr } for  pid=31172 comm="chown" name="pg_log" dev=sda3 ino=405609 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
postgresql-contrib-8.4.12-1.el6_2.x86_64
postgresql-libs-8.4.12-1.el6_2.x86_64
postgresql-server-8.4.12-1.el6_2.x86_64
postgresql-8.4.12-1.el6_2.x86_64
selinux-policy-3.7.19-161.el6.noarch
selinux-policy-minimum-3.7.19-161.el6.noarch
selinux-policy-targeted-3.7.19-161.el6.noarch
selinux-policy-mls-3.7.19-161.el6.noarch
selinux-policy-doc-3.7.19-161.el6.noarch


How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. service postgres initdb

Actual results:
postgresql is blocked

Expected results:
postgresql running with no AVCs

Comment 2 Daniel Walsh 2012-09-18 15:57:11 UTC
Are /var/lib/pgsql/data and /var/lib/pgsql in the postgresql rpm payload? If not, that is where the bug belongs.

What does

matchpathcon /var/lib/pgsql/data/
and
matchpathcon /var/lib/pgsql

show?

Comment 3 Michal Trunecka 2012-09-19 06:31:20 UTC
# matchpathcon /var/lib/pgsql/data/
/var/lib/pgsql/data	system_u:object_r:postgresql_db_t:s0
# matchpathcon /var/lib/pgsql
/var/lib/pgsql	system_u:object_r:var_lib_t:s0

Both are from the postgresql-server rpm, which I believe is correct.
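As an added example, not part of the bug report or of selinux-policy: the triage a policy maintainer would do on the records in the description, in Python. It joins each AVC with its SYSCALL record by audit serial (success=yes beside a denial confirms the box was permissive, as the reporter says), collapses the denials into source type / target type / class tuples, prints the allow rules that audit2allow would generate from them, and flags the ones whose target is a generic type. The sample input is constructed from the four records above; the GENERIC_TYPES set and the review heuristic are my assumptions, not policy facts. The matchpathcon output in comment 3 is the key: policy expects /var/lib/pgsql/data to be postgresql_db_t, but the AVC shows mkdir creating "data" as var_lib_t inside a var_lib_t parent, so a blanket allow of initrc_t on var_lib_t:dir is the wrong fix: it would let every init script create directories in any var_lib_t-labelled directory rather than make the new directory land with the right label.

```python
"""Triage SELinux AVC denials from an audit.log excerpt (example, not project code)."""
import re
from collections import defaultdict

# Constructed sample: the SYSCALL/AVC pairs quoted in the bug description.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1347349674.072:3753): arch=c000003e syscall=83 success=yes exit=0 a0=7fff22efbf67 a1=1ed a2=7fff22efbf67 a3=a items=2 ppid=31088 pid=31095 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349674.072:3753): avc:  denied  { create } for  pid=31095 comm="mkdir" name="data" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1347349674.074:3754): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=23786e0 a2=1a a3=1a items=1 ppid=31088 pid=31096 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chown" exe="/bin/chown" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349674.074:3754): avc:  denied  { setattr } for  pid=31096 comm="chown" name="data" dev=sda3 ino=399673 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1347349685.552:3759): arch=c000003e syscall=83 success=yes exit=0 a0=7ffffbfd7f51 a1=1ff a2=7ffffbfd7f51 a3=a items=2 ppid=31088 pid=31171 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349685.552:3759): avc:  denied  { create } for  pid=31171 comm="mkdir" name="pg_log" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir
type=SYSCALL msg=audit(1347349685.563:3760): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=1c466e0 a2=1a a3=1a items=1 ppid=31088 pid=31172 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chown" exe="/bin/chown" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349685.563:3760): avc:  denied  { setattr } for  pid=31172 comm="chown" name="pg_log" dev=sda3 ino=405609 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?\bsuccess=(?P<success>yes|no)\b'
)

# Assumption: labels generic enough that granting a domain write access to them
# is almost always the wrong fix (the right fix is labelling or a file transition).
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "var_run_t"}


def parse_audit(text):
    """Return the denied AVCs, each joined with its SYSCALL outcome by serial."""
    syscall_ok = {}
    avcs = []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscall_ok[m["serial"]] = m["success"] == "yes"
            continue
        m = AVC_RE.search(line)
        if m and m["result"] == "denied":
            avcs.append(m.groupdict())
    for avc in avcs:
        # A denied AVC whose syscall still reports success=yes means the domain
        # (or the whole system) was in permissive mode when it was logged.
        avc["permissive"] = syscall_ok.get(avc["serial"])
    return avcs


def type_of(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]


def summarize(avcs):
    """Collapse denials into (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for a in avcs:
        key = (type_of(a["scontext"]), type_of(a["tcontext"]), a["tclass"])
        summary[key].update(a["perms"].split())
    return dict(summary)


def te_rules(summary):
    """The allow rules audit2allow would emit for this summary (the naive fix)."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summary.items()
    )


def review(summary):
    """Flag rules whose target is a generic type; those need a labelling fix instead."""
    return [
        f"{s} -> {t}:{c} {sorted(p)}: target is a generic label, "
        f"prefer correct file context or a named file transition over a blanket allow"
        for (s, t, c), p in summary.items()
        if t in GENERIC_TYPES
    ]


if __name__ == "__main__":
    denials = parse_audit(SAMPLE_AUDIT)
    for d in denials:
        print(f"{d['serial']}: {d['comm']} {d['perms']} {d['tclass']} "
              f"{d['name']} ({type_of(d['scontext'])} -> {type_of(d['tcontext'])}) "
              f"permissive={d['permissive']}")
    summary = summarize(denials)
    print("\n".join(te_rules(summary)))
    print("\n".join(review(summary)))
```

Run against the real log with `python3 triage.py < /var/log/audit/audit.log` after swapping SAMPLE_AUDIT for sys.stdin.read(); the review output is the list of rules you should not paste into a local policy module without thinking about what else the source domain would gain.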

Comment 4 Miroslav Grepl 2012-10-09 12:32:14 UTC
Are you still getting this one?

Comment 5 RHEL Program Management 2012-12-14 08:17:41 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.