Bug 859338
Summary: | pulse fails to start IPVS sync daemon | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 5.9 | CC: | dwalsh, mmalik, rohara
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | selinux-policy-2.4.6-335.el5 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | 858784 | Environment: |
Last Closed: | 2013-01-08 03:34:38 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 858784 | |
Bug Blocks: | | |
Description
Milos Malik
2012-09-21 08:12:31 UTC
Following AVCs appear in permissive mode:

----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:224) : nargs=3 a0=2 a1=3 a2=ff
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:224) : arch=i386 syscall=socketcall(socket) success=yes exit=3 a0=1 a1=bfa7d2e0 a2=3 a3=bfa7d404 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { net_raw } for pid=8417 comm=ipvsadm capability=net_raw scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=capability
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { create } for pid=8417 comm=ipvsadm scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
----
type=PATH msg=audit(09/21/2012 10:14:35.413:223) : item=1 name=(null) inode=561338 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(09/21/2012 10:14:35.413:223) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0
type=CWD msg=audit(09/21/2012 10:14:35.413:223) : cwd=/
type=EXECVE msg=audit(09/21/2012 10:14:35.413:223) : argc=3 a0=/sbin/ipvsadm a1=--stop-daemon a2=backup
type=SYSCALL msg=audit(09/21/2012 10:14:35.413:223) : arch=i386 syscall=execve success=yes exit=0 a0=824d008 a1=bfa6e31c a2=bfa6ebac a3=40000003 items=2 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { read } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute_no_trans } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute } for pid=8417 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:225) : nargs=5 a0=3 a1=0 a2=481 a3=804fc64 a4=bfa7d304
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:225) : arch=i386 syscall=socketcall(getsockopt) success=yes exit=0 a0=f a1=bfa7d2e0 a2=3 a3=bfa7d404 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.417:225) : avc: denied { getopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
----
type=SOCKETCALL msg=audit(09/21/2012 10:14:35.417:226) : nargs=5 a0=3 a1=0 a2=48c a3=bfa7d2d4 a4=18
type=SYSCALL msg=audit(09/21/2012 10:14:35.417:226) : arch=i386 syscall=socketcall(setsockopt) success=no exit=-3(No such process) a0=e a1=bfa7cd40 a2=15 a3=804e467 items=0 ppid=8416 pid=8417 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:35.417:226) : avc: denied { setopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
----
type=PATH msg=audit(09/21/2012 10:14:38.030:227) : item=1 name=(null) inode=561338 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
type=PATH msg=audit(09/21/2012 10:14:38.030:227) : item=0 name=/sbin/ipvsadm inode=131250 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:iptables_exec_t:s0
type=CWD msg=audit(09/21/2012 10:14:38.030:227) : cwd=/
type=EXECVE msg=audit(09/21/2012 10:14:38.030:227) : argc=3 a0=/sbin/ipvsadm a1=--stop-daemon a2=backup
type=SYSCALL msg=audit(09/21/2012 10:14:38.030:227) : arch=i386 syscall=execve success=yes exit=0 a0=824d008 a1=bfa6e2dc a2=bfa6ebac a3=40000003 items=2 ppid=8416 pid=8475 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=34 comm=ipvsadm exe=/sbin/ipvsadm subj=root:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc: denied { read } for pid=8475 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc: denied { execute_no_trans } for pid=8475 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:38.030:227) : avc: denied { execute } for pid=8475 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

We will need to add iptables_domtrans() in RHEL5 and probably other rules.

Milos, could you test it with iptables_domtrans() in the local policy? Thank you.

When the following policy module is enabled, no AVCs appear.

    policy_module(mypol, 1.0)

    require {
        type piranha_pulse_t;
    }

    iptables_domtrans(piranha_pulse_t)

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
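The audit records above show two things at once. Serial 223 is the real defect: pulse, running as piranha_pulse_t, is refused read/execute/execute_no_trans on /sbin/ipvsadm, which is labelled iptables_exec_t, because no transition rule exists. Serials 224 to 226 are a consequence: in permissive mode the execve went ahead anyway, so the same pid (8417, now comm=ipvsadm) kept running in piranha_pulse_t and was then refused net_raw and rawip_socket create/getopt/setopt. Feeding the whole set to audit2allow would hand piranha_pulse_t raw-socket permissions it should never hold; the fix the bug settled on, iptables_domtrans(piranha_pulse_t), instead moves ipvsadm into the iptables domain, where the iptables policy rather than the piranha one is expected to carry those permissions. The script below is an added example and is not part of this bug report or of selinux-policy: it parses the type=AVC records quoted above (embedded as constructed sample input, ordered by audit serial rather than by the order ausearch printed them), recognises the execute-without-transition pattern, derives the interface name from the refpolicy foo_exec_t / foo_domtrans() naming convention (an assumption that holds for iptables but should be checked against the module's .if file for other targets), attributes the later denials from the same pid to the missing transition instead of turning them into allow rules, and prints a local module in the shape of the one Milos tested. The names triage, render_policy, parse_avcs, SAMPLE_AVCS and the module name mypol are the example's own.

```python
"""Triage SELinux AVC denials: prefer a domain transition over raw allow rules."""
import re
from collections import namedtuple

# Constructed sample input: the type=AVC records quoted in the bug report,
# one per line (the SYSCALL/PATH/EXECVE records are not needed for triage).
SAMPLE_AVCS = """\
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { net_raw } for pid=8417 comm=ipvsadm capability=net_raw scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=capability
type=AVC msg=audit(09/21/2012 10:14:35.417:224) : avc: denied { create } for pid=8417 comm=ipvsadm scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { read } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute_no_trans } for pid=8417 comm=pulse path=/sbin/ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.413:223) : avc: denied { execute } for pid=8417 comm=pulse name=ipvsadm dev=hda3 ino=131250 scontext=root:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(09/21/2012 10:14:35.417:225) : avc: denied { getopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
type=AVC msg=audit(09/21/2012 10:14:35.417:226) : avc: denied { setopt } for pid=8417 comm=ipvsadm lport=255 scontext=root:system_r:piranha_pulse_t:s0 tcontext=root:system_r:piranha_pulse_t:s0 tclass=rawip_socket
"""

Denial = namedtuple("Denial", "serial perms fields")

AVC_RE = re.compile(
    r"audit\([^)]*:(?P<serial>\d+)\)\s*:\s*avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Permissions exercised on the binary itself during execve(). A denial limited
# to these against an *_exec_t file means "no transition rule", not "this
# domain should be allowed to read that file".
EXEC_PERMS = frozenset({"read", "open", "getattr", "map", "execute", "execute_no_trans"})


def parse_avcs(text):
    """Return a Denial for every type=AVC line, ordered by audit serial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("fields")))
        denials.append(Denial(int(m.group("serial")), frozenset(m.group("perms").split()), fields))
    return sorted(denials, key=lambda d: d.serial)


def se_type(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def triage(text):
    """Split denials into domtrans interface calls, denials explained by the
    missing transition, and leftover denials rendered as allow rules."""
    domtrans, suppressed, allow = [], [], []
    types = set()      # types the generated module must `require`
    spawned = {}       # (pid, basename of executed file) -> target module prefix
    for d in parse_avcs(text):
        src, tgt = se_type(d.fields["scontext"]), se_type(d.fields["tcontext"])
        tclass = d.fields.get("tclass")
        if tclass == "file" and tgt.endswith("_exec_t") and d.perms <= EXEC_PERMS:
            # Assumption: the target module follows the refpolicy convention
            # foo_exec_t / foo_domtrans(); iptables does.
            prefix = tgt[: -len("_exec_t")]
            call = f"{prefix}_domtrans({src})"
            if call not in domtrans:
                domtrans.append(call)
            types.add(src)
            binary = (d.fields.get("path") or d.fields.get("name", "")).rsplit("/", 1)[-1]
            spawned[(d.fields.get("pid"), binary)] = prefix
            continue
        key = (d.fields.get("pid"), d.fields.get("comm"))
        if key in spawned:
            # Same pid, now running as the binary it exec'd without a transition:
            # these permissions belong to the target domain, not to the source.
            suppressed.append((spawned[key], tclass, tuple(sorted(d.perms))))
            continue
        types.update({src, tgt})
        target = "self" if src == tgt else tgt
        allow.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(d.perms))} }};")
    return {"domtrans": domtrans, "suppressed": suppressed, "allow": allow, "types": sorted(types)}


def render_policy(result, module="mypol", version="1.0"):
    """Emit a local policy module (.te) from a triage() result."""
    lines = [f"policy_module({module}, {version})", ""]
    if result["types"]:
        lines += ["require {"] + [f"\ttype {t};" for t in result["types"]] + ["}", ""]
    lines += result["domtrans"] + result["allow"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_AVCS)
    print(render_policy(result))
    for prefix, tclass, perms in result["suppressed"]:
        print(f"# not granted to the source domain; belongs to {prefix}_t: {tclass} {perms}")
```

On the report's records the script yields exactly one interface call, iptables_domtrans(piranha_pulse_t), and an empty allow list; the four capability and rawip_socket denials are listed as explained by the missing transition. Anything that does not match the pattern is still emitted as an audit2allow-style allow rule so that nothing is silently dropped, but it is left for a human to decide whether the source domain should really hold it.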