Bug 886210
| Field | Value |
|---|---|
| Summary | selinux prevents RHEV-M SSO plugin from accessing credentials channel created by ovirt/rhevm-guest-agent |
| Product | Red Hat Enterprise Linux 6 |
| Component | selinux-policy |
| Version | 6.3 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Chris Pelland <cpelland> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | bazulay, cpelland, dwalsh, ghammer, jbelka, mgrepl, michal.skrivanek, mmalik, pm-eus, pstehlik, vfeenstr |
| Target Milestone | rc |
| Keywords | ZStream |
| Fixed In Version | selinux-policy-3.7.19-155.el6_3.13 |
| Doc Type | Bug Fix |
| Last Closed | 2012-12-18 08:19:12 UTC |
| Bug Depends On | 885432 |
| Bug Blocks | 707622, 881879 |
Description
Chris Pelland
2012-12-11 19:12:34 UTC
Fixed in selinux-policy-3.7.19-155.el6_3.10

Just tried and failed:

```
[root@rhel6ws64 log]# rpm -qa | egrep '^(rhevm|selinux-policy)'
selinux-policy-targeted-3.7.19-155.el6_3.10.noarch
rhevm-guest-agent-gdm-plugin-1.0.5-7.el6ev.x86_64
selinux-policy-3.7.19-155.el6_3.10.noarch
rhevm-guest-agent-pam-module-1.0.5-7.el6ev.x86_64
rhevm-guest-agent-1.0.5-7.el6ev.x86_64

type=AVC msg=audit(1355323141.600:30760): avc: denied { append } for pid=2018 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272408 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1355323141.608:30763): avc: denied { execute } for pid=2018 comm="userhelper" name="LockActiveSession.py" dev=dm-0 ino=13221 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access.
--
[root@rhel6ws64 log]# ausearch -m avc -te recent | audit2allow

#============= rhev_agentd_consolehelper_t ==============
allow rhev_agentd_consolehelper_t usr_t:file execute;
allow rhev_agentd_consolehelper_t var_log_t:file append;

#============= rhev_agentd_t ==============
allow rhev_agentd_t initrc_var_run_t:file { write setattr };
#!!!! The source type 'rhev_agentd_t' can write to a 'dir' of the following types:
# tmp_t, rhev_agentd_log_t, rhev_agentd_tmp_t, var_run_t, rhev_agentd_var_run_t, root_t

allow rhev_agentd_t var_log_t:dir { write add_name };
allow rhev_agentd_t var_log_t:file create;

#============= shutdown_t ==============
allow shutdown_t user_tmp_t:file read;

#============= xdm_t ==============
#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation'
allow xdm_t admin_home_t:dir read;
```

Jiri, could you attach all AVC msgs?

(In reply to comment #10)
> Jiri,
> could you attach all AVC msgs?

Also please test it in permissive mode.

Where is "LockActiveSession.py" exactly located and what does it do?

(In reply to comment #13)
> Where is "LockActiveSession.py" exactly located and what does it do?

Because we have in the policy

```
/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
```

Actually I see it now

```
/usr/share/ovirt-guest-agent/LockActiveSession.py
```

So Jiri, please test it with the latest build selinux-policy-3.7.19-155.el6_3.11 and execute

```
# setenforce 0
# chcon -R -t bin_t /usr/share/ovirt-guest-agent
# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/LockActiveSession.py
```

re-test it and

```
# ausearch -m avc -ts recent
```

SSO works (previous comment was issue with auth setup on client), tested with selinux-policy-3.7.19-155.el6_3.10 and selinux-policy-3.7.19-155.el6_3.11.

```
[root@rhel6ws64 ~]# ausearch -m avc -ts recent
----
time->Wed Dec 12 17:21:17 2012
type=SYSCALL msg=audit(1355329277.275:30951): arch=c000003e syscall=21 success=no exit=-13 a0=7aaa80 a1=7 a2=20 a3=7fff87803070 items=0 ppid=6109 pid=6130 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355329277.275:30951): avc: denied { read write } for pid=6130 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Wed Dec 12 17:21:17 2012
type=SYSCALL msg=audit(1355329277.275:30952): arch=c000003e syscall=2 success=no exit=-13 a0=7aa9f0 a1=442 a2=180 a3=7fff87803070 items=0 ppid=6109 pid=6130 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355329277.275:30952): avc: denied { write } for pid=6130 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Wed Dec 12 17:21:17 2012
type=SYSCALL msg=audit(1355329277.275:30953): arch=c000003e syscall=2 success=no exit=-13 a0=7fdbe0 a1=c2 a2=180 a3=7fff87803070 items=0 ppid=6109 pid=6130 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355329277.275:30953): avc: denied { write } for pid=6130 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
```

And do these AVC msgs happen on testing? And did you do

```
# chcon -R -t bin_t /usr/share/ovirt-guest-agent
# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/LockActiveSession.py
```

?

```
getenforce ; ps -efZ | grep '[o]virt-guest-agent'; ls -lZ ; ausearch -m avc -m user_avc -ts 09:47
Permissive
unconfined_u:system_r:initrc_t:s0 175 2303 1 0 09:42 ? 00:00:01 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-agent.py -p /var/run/ovirt-guest-agent.pid -d
-rw-r--r--. root root system_u:object_r:bin_t:s0 CredServer.py
-rw-r--r--. root root system_u:object_r:bin_t:s0 CredServer.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0 CredServer.pyo
-rw-r--r--. root root system_u:object_r:bin_t:s0 GuestAgentLinux2.py
-rw-r--r--. root root system_u:object_r:bin_t:s0 GuestAgentLinux2.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0 GuestAgentLinux2.pyo
-rwxr-xr-x. root root system_u:object_r:rhev_agentd_exec_t:s0 LockActiveSession.py
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 LockActiveSession.pyc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 LockActiveSession.pyo
-rw-r--r--. root root system_u:object_r:bin_t:s0 OVirtAgentLogic.py
-rw-r--r--. root root system_u:object_r:bin_t:s0 OVirtAgentLogic.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0 OVirtAgentLogic.pyo
-rw-r--r--. root root system_u:object_r:bin_t:s0 VirtIoChannel.py
-rw-r--r--. root root system_u:object_r:bin_t:s0 VirtIoChannel.pyc
-rw-r--r--. root root system_u:object_r:bin_t:s0 VirtIoChannel.pyo
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 hibernate
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 ovirt-guest-agent.py
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 ovirt-guest-agent.pyc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 ovirt-guest-agent.pyo
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 ovirt-hibernate -> /usr/bin/consolehelper
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 ovirt-locksession -> /usr/bin/consolehelper
lrwxrwxrwx. root root system_u:object_r:bin_t:s0 ovirt-shutdown -> /usr/bin/consolehelper
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.323:31991): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff29ed54d0 a2=1a a3=7 items=0 ppid=2554 pid=2613 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.323:31991): avc: denied { connectto } for pid=2613 comm="gdm-session-wor" path=002F746D702F6F766972742D637265642D6368616E6E656C scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.836:31998): arch=c000003e syscall=21 success=yes exit=0 a0=78ca80 a1=7 a2=20 a3=a0 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.836:31998): avc: denied { read write } for pid=2640 comm="gdm-session-wor" name="portaluser3" dev=dm-2 ino=13 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.836:31999): arch=c000003e syscall=21 success=yes exit=0 a0=78c9f0 a1=6 a2=20 a3=a0 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.836:31999): avc: denied { write } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=81 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32000): arch=c000003e syscall=82 success=yes exit=0 a0=78c9f0 a1=7dfbe0 a2=0 a3=6e6f697373657378 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32000): avc: denied { add_name } for pid=2640 comm="gdm-session-wor" name=".xsession-errors.old" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1355388432.837:32000): avc: denied { rename } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=81 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1355388432.837:32000): avc: denied { remove_name } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=81 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32001): arch=c000003e syscall=2 success=yes exit=12 a0=78c9f0 a1=442 a2=180 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32001): avc: denied { read append open } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1355388432.837:32001): avc: denied { create } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32002): arch=c000003e syscall=5 success=yes exit=0 a0=c a1=7fff29ed5560 a2=7fff29ed5560 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32002): avc: denied { getattr } for pid=2640 comm="gdm-session-wor" path="/home/RHEV/portaluser3/.xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32003): arch=c000003e syscall=77 success=yes exit=0 a0=c a1=0 a2=7fff29ed5560 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32003): avc: denied { write } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:12 2012
type=SYSCALL msg=audit(1355388432.837:32004): arch=c000003e syscall=91 success=yes exit=0 a0=c a1=180 a2=7fff29ed5560 a3=1 items=0 ppid=2613 pid=2640 auid=4294967295 uid=16777216 gid=16777218 euid=16777216 suid=16777216 fsuid=16777216 egid=16777218 sgid=16777218 fsgid=16777218 tty=(none) ses=4294967295 comm="gdm-session-wor" exe="/usr/libexec/gdm-session-worker" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355388432.837:32004): avc: denied { setattr } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.081:32007): arch=c000003e syscall=59 success=yes exit=0 a0=2314c10 a1=7fff855f1440 a2=2315100 a3=4000 items=0 ppid=2303 pid=2759 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="LockActiveSessi" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.081:32007): avc: denied { read write } for pid=2759 comm="LockActiveSessi" path=2F746D702F666669614D39723136202864656C6574656429 dev=dm-0 ino=652820 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.102:32008): arch=c000003e syscall=105 success=yes exit=0 a0=1000000 a1=7fa58e310170 a2=31a305836c a3=7fff99b4f0b8 items=0 ppid=2759 pid=2760 auid=0 uid=16777216 gid=0 euid=16777216 suid=16777216 fsuid=16777216 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="LockActiveSessi" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.102:32008): avc: denied { setuid } for pid=2760 comm="LockActiveSessi" capability=7 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:system_r:rhev_agentd_t:s0 tclass=capability
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.104:32009): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff31fb4db0 a2=14 a3=7fff31fb4db3 items=0 ppid=2760 pid=2761 auid=0 uid=16777216 gid=0 euid=16777216 suid=16777216 fsuid=16777216 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="dbus-launch" exe="/usr/bin/dbus-launch" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.104:32009): avc: denied { connectto } for pid=2761 comm="dbus-launch" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
time->Thu Dec 13 09:47:24 2012
type=SYSCALL msg=audit(1355388444.108:32010): arch=c000003e syscall=42 success=yes exit=0 a0=a a1=7fff99b4e580 a2=17 a3=0 items=0 ppid=2759 pid=2760 auid=0 uid=16777216 gid=0 euid=16777216 suid=16777216 fsuid=16777216 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="LockActiveSessi" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355388444.108:32010): avc: denied { connectto } for pid=2760 comm="LockActiveSessi" path=002F746D702F646275732D685976784A776C6F5244 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
```

Ah I missed

```
# chcon -t rhev_agentd_exec_t /usr/share/ovirt-guest-agent/ovirt-guest-agent.py
```

which is default labeling in the policy. Also it looks like you have a mislabeled homedir.

```
# restorecon -Rv /home
```

I am going to do a new build with additional fixes.

As for /home... This is SSO against AD and user dirs are created by pam_mkhomedir in /home/$domain, policy should be changed so gdm (xdm_t) can write to user dirs.

The problem is the homedirs are badly labeled. So you have /home/$domain/$user. What does ls -dZ /home/$domain/$user show for a test user?

AD user

```
[root@rhel6ws64 ~]# ls -ldZ /home/RHEV/portaluser3
drwxr-xr-x. portaluser3 domain users unconfined_u:object_r:home_root_t:s0 /home/RHEV/portaluser3
```

local user

```
[root@rhel6ws64 ~]# ls -ldZ /home/testovic
drwx------. testovic testovic unconfined_u:object_r:user_home_dir_t:s0 /home/testovic
```

If /home/$domain/$user is mislabeled, it must be repaired in a tool which generated this labeling, or a policy should be tuned to allow gdm to be able to write to home_root_t dirs, for sure no manual intervention. This is what I wanted to say in my previous comment.

Yes, this is an issue with AD. We can not allow it because a homedir is mislabeled. Basically it needs to execute

```
# semanage fcontext -e /home /home/RHEV
```

AFAIK we did some work for this but it looks like only for RHEL6.4. Dan, Milos, do you remember?

I used last rpm builds and did:

* semanage fcontext -a -e /home /home/RHEV
* restorecon -Rv /home/RHEV

(Basically SSO works but screen is still logged when a user tries to reopen spice console.)

```
[root@rhel6ws64 ~]# ausearch -m avc -m user_avc -ts 12:43
----
time->Thu Dec 13 12:43:43 2012
type=SYSCALL msg=audit(1355399023.759:31186): arch=c000003e syscall=59 success=yes exit=0 a0=7fa804003850 a1=7fa804000e10 a2=7fffc3661658 a3=6c2d747269766f2f items=0 ppid=1718 pid=2930 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ovirt-locksessi" exe="/usr/bin/consolehelper" subj=system_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355399023.759:31186): avc: denied { write } for pid=2930 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272359 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:rhev_agentd_log_t:s0 tclass=file
----
time->Thu Dec 13 12:44:15 2012
type=SYSCALL msg=audit(1355399055.100:31195): arch=c000003e syscall=59 success=yes exit=0 a0=7fa804003850 a1=7fa804000e10 a2=7fffc3661658 a3=6c2d747269766f2f items=0 ppid=1718 pid=3087 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ovirt-locksessi" exe="/usr/bin/consolehelper" subj=system_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355399055.100:31195): avc: denied { write } for pid=3087 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272359 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:rhev_agentd_log_t:s0 tclass=file
----
time->Thu Dec 13 12:46:54 2012
type=SYSCALL msg=audit(1355399214.906:31198): arch=c000003e syscall=59 success=yes exit=0 a0=7fa804003850 a1=7fa804000e10 a2=7fffc3661658 a3=6c2d747269766f2f items=0 ppid=1718 pid=3130 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ovirt-locksessi" exe="/usr/bin/consolehelper" subj=system_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355399214.906:31198): avc: denied { write } for pid=3130 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272359 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:rhev_agentd_log_t:s0 tclass=file
```

And does it work in permissive mode?

```
# setenforce 0
```

to know if it is a SELinux issue.

agent's pid is wrong.

```
[root@rhel6ws64 ~]# ls -lZ /var/run/ovirt-guest-agent.pid
-rw-rw-r--. ovirtagent ovirtagent unconfined_u:object_r:initrc_var_run_t:s0 /var/run/ovirt-guest-agent.pid
[root@rhel6ws64 ~]# service ovirt-guest-agent stop
Stopping ovirt-guest-agent: [ OK ]
[root@rhel6ws64 ~]# ls -lZ /var/run/ovirt-guest-agent.pid
ls: cannot access /var/run/ovirt-guest-agent.pid: No such file or directory
[root@rhel6ws64 ~]# service ovirt-guest-agent start
Starting ovirt-guest-agent: [ OK ]
[root@rhel6ws64 ~]# ls -lZ /var/run/ovirt-guest-agent.pid
-rw-rw-r--. ovirtagent ovirtagent unconfined_u:object_r:initrc_var_run_t:s0 /var/run/ovirt-guest-agent.pid
----
time->Thu Dec 13 15:07:48 2012
type=SYSCALL msg=audit(1355407668.489:31411): arch=c000003e syscall=2 success=yes exit=8 a0=186ee60 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=7002 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="ovirt-guest-age" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355407668.489:31411): avc: denied { write } for pid=7002 comm="ovirt-guest-age" name="ovirt-guest-agent.pid" dev=dm-0 ino=261661 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
----
time->Thu Dec 13 15:07:48 2012
type=SYSCALL msg=audit(1355407668.490:31414): arch=c000003e syscall=90 success=yes exit=0 a0=186ee60 a1=1b4 a2=31a33b4a88 a3=7fff74eefb18 items=0 ppid=1 pid=7002 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="ovirt-guest-age" exe="/usr/bin/python" subj=unconfined_u:system_r:rhev_agentd_t:s0 key=(null)
type=AVC msg=audit(1355407668.490:31414): avc: denied { setattr } for pid=7002 comm="ovirt-guest-age" name="ovirt-guest-agent.pid" dev=dm-0 ino=261661 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
```

How is this pid file created? It looks like it is created by the init script?

Ok, I see it now. You need to run restorecon in the init script.

Created attachment 663006 [details]
ovirt-agent init script patch

SELinux issues fixed in selinux-policy-3.7.19-155.el6_3.12

Following rule is missing, switching to ASSIGNED:

```
allow rhev_agentd_t xserver_t : unix_stream_socket { connectto }
```

Added to selinux-policy-3.7.19-155.el6_3.13. Just building a scratch build.

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=5192902

Actions done:

* new rpms
* restorecon -Rv /etc /var /usr/share
* modified ovirt-guest-agent init script && restart
* semanage fcontext -a -e /home /home/RHEV ; restorecon -Rv /home/RHEV

```
time->Fri Dec 14 16:50:21 2012
type=SYSCALL msg=audit(1355500221.461:137): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=c449d0 a2=1c a3=7fff140dc390 items=0 ppid=2478 pid=2594 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="consolehelper-g" exe="/usr/bin/consolehelper-gtk" subj=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355500221.461:137): avc: denied { name_connect } for pid=2594 comm="consolehelper-g" dest=6010 scontext=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
----
time->Fri Dec 14 16:50:21 2012
type=SYSCALL msg=audit(1355500221.461:138): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=c44980 a2=10 a3=7fff140dc698 items=0 ppid=2478 pid=2594 auid=0 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=1 comm="consolehelper-g" exe="/usr/bin/consolehelper-gtk" subj=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 key=(null)
type=AVC msg=audit(1355500221.461:138): avc: denied { name_connect } for pid=2594 comm="consolehelper-g" dest=6010 scontext=unconfined_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
```

SSO comment: Surprisingly SSO works from UP (I restarted winbind), when I closed spice client while logged in as AD user, then I opened console from Admin Portal and screen was locked.

If you execute

```
# grep xserver_port_t /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

does it work then?

Is it enough to have SSO working from UP for this bug?

(In reply to comment #38)
> SSO comment: Surprisingly SSO works from UP (I restarted winbind), when I
> closed spice client while logged in as AD user, then I opened console from
> Admin Portal and screen was locked.

The Admin Portal does not support SSO. This is only implemented for the User Portal.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-1581.html
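The thread triages the raw AVC records by hand (ausearch piped into audit2allow, then ls -lZ to spot the mislabelled AD home directories). As an added example, not code from the bug report, from selinux-policy or from audit2allow, the script below parses type=AVC records copied from the output quoted above, regenerates the allow rules in audit2allow's shape, decodes the hex-encoded abstract-socket paths (the credentials channel named in the summary is one of them), and separates out the /home/$domain/$user denials that need a file-context equivalence rather than a new rule; the function names are mine.

```python
"""Triage SELinux AVC denials as the thread does by hand (ausearch | audit2allow),
plus the /home/$domain/$user labelling check it had to do by eye."""
import re
from collections import defaultdict

# Sample records copied from the AVC output quoted in the bug report; the
# trailing SYSCALL line shows that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1355323141.600:30760): avc: denied { append } for pid=2018 comm="ovirt-locksessi" path="/var/log/ovirt-guest-agent/ovirt-guest-agent.log" dev=dm-0 ino=272408 scontext=system_u:system_r:rhev_agentd_consolehelper_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1355388432.323:31991): avc: denied { connectto } for pid=2613 comm="gdm-session-wor" path=002F746D702F6F766972742D637265642D6368616E6E656C scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1355388432.837:32002): avc: denied { getattr } for pid=2640 comm="gdm-session-wor" path="/home/RHEV/portaluser3/.xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1355388432.837:32003): avc: denied { write } for pid=2640 comm="gdm-session-wor" name=".xsession-errors" dev=dm-2 ino=39 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1355388444.104:32009): avc: denied { connectto } for pid=2761 comm="dbus-launch" path=002F746D702F2E5831312D756E69782F5830 scontext=unconfined_u:system_r:rhev_agentd_t:s0 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1355388444.104:32009): arch=c000003e syscall=42 success=yes exit=0 ppid=2760 pid=2761
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_audit_path(value):
    """auditd hex-encodes path values with unprintable bytes; a leading NUL marks
    an abstract Unix socket, rendered here as '@' the way `ss` prints it."""
    if value.startswith('"'):      # printable paths arrive quoted
        return value.strip('"')
    try:
        text = bytes.fromhex(value).decode("latin-1")
    except ValueError:             # not hex after all: leave as-is
        return value
    return "@" + text[1:] if text.startswith("\x00") else text

def parse_avc(line):
    """Dict of fields for one type=AVC record, None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": frozenset(m.group(2).split())}
    for key, val in FIELD_RE.findall(m.group(3)):
        rec[key] = decode_audit_path(val) if key == "path" else val.strip('"')
    return rec

def se_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def allow_rules(records):
    """audit2allow-style rules: one per (source type, target type, class),
    carrying the union of the denied permissions."""
    grouped = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            grouped[(se_type(r["scontext"]), se_type(r["tcontext"]), r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        perm = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass,
                                              "{ %s }" % perm if len(perms) > 1 else perm))
    return rules

def home_equivalences(records):
    """Denials under /home/<dir>/<user> whose target still carries home_root_t (the
    type of /home itself) are the bug's AD home-directory case: they want
    `semanage fcontext -a -e /home /home/<dir>` plus restorecon, not an allow rule."""
    dirs = set()
    for r in records:
        parts = r.get("path", "").split("/")  # ['', 'home', 'RHEV', 'portaluser3', ...]
        if len(parts) >= 4 and parts[1] == "home" and se_type(r["tcontext"]) == "home_root_t":
            dirs.add("/home/" + parts[2])
    return sorted(dirs)

def triage(audit_text):
    records = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    return {"records": records, "rules": allow_rules(records),
            "home_equivalences": home_equivalences(records)}

if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT)
    print("\n".join(result["rules"]), "\nfix labels, not policy:", result["home_equivalences"])
```

The xdm_t rule on home_root_t still appears in the rule list; the home_equivalences entry is the signal to fix the labels with semanage/restorecon instead of loading that rule.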