Bug 891779

Summary: lldpad runs as initrc_t
Product: Red Hat Enterprise Linux 6
Reporter: trustedsubject
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.3
CC: dwalsh, mmalik, mtruneck
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 10:12:13 UTC
Type: Bug
Bug Blocks: 832330, 1004665, 1021984

Description trustedsubject 2013-01-04 00:11:12 UTC
Description of problem:

When running MLS policy, SELinux generates AVC for lldpad as per previous bug: 723958.

Version-Release number of selected component (if applicable):

selinux-policy-mls-3.7.19-154.el6

How reproducible:

Create a minimal install of EL 6.3 and apply the MLS policy following a slightly modified version of the process from: http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto

Steps to Reproduce:
1. yum update
2. reboot
3. yum install selinux-policy-mls
4. change /etc/sysconfig/selinux values to SELINUX=permissive and SELINUXTYPE=mls
5. touch /.autorelabel
6. reboot
7. give grub kernel argument '1' to boot into single user mode
8. change /etc/sysconfig/selinux value for SELINUX back to 'enforcing'
9. reboot

Actual results:

audit2allow generates the following policy for lldpad from the audit log:

allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:packet_socket { bind create ioctl setopt };
allow initrc_t self:shm { write unix_read unix_write associate read create };
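The rules above are what audit2allow emits when a service has no domain of its own and runs as initrc_t. As an added example (not part of the bug report or of selinux-policy), the following parser reads audit2allow-style allow rules and flags any whose source is a broad domain such as initrc_t, since loading such rules into an MLS policy widens the generic init-script domain rather than confining the service. The BROAD_DOMAINS set is an assumption chosen for this example.

```python
import re
from typing import Dict, List

# Constructed sample: the three rules audit2allow produced in this bug report.
AUDIT2ALLOW_OUTPUT = """\
allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:packet_socket { bind create ioctl setopt };
allow initrc_t self:shm { write unix_read unix_write associate read create };
"""

# Matches: allow <source> <target>:<class> <perm | { perm perm ... }>;
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;\s*$"
)

# Domains that should not gain permissions on an MLS system (assumed set for
# this example): initrc_t is the generic init-script domain, not a service domain.
BROAD_DOMAINS = {"initrc_t", "unconfined_t"}


def parse_allow_rules(text: str) -> List[Dict]:
    """Parse allow rules from audit2allow output; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, require blocks, etc.
        src, tgt, cls, multi, single = m.groups()
        perms = multi.split() if multi is not None else [single]
        rules.append({"source": src, "target": tgt,
                      "class": cls, "perms": sorted(perms)})
    return rules


def flag_broad_domain_rules(rules: List[Dict]) -> List[str]:
    """Return one finding per rule whose source type is a broad domain."""
    findings = []
    for r in rules:
        if r["source"] in BROAD_DOMAINS:
            findings.append(
                f"{r['source']} would gain {r['class']}:{' '.join(r['perms'])} "
                f"on {r['target']}; give the service its own domain instead"
            )
    return findings


if __name__ == "__main__":
    for finding in flag_broad_domain_rules(parse_allow_rules(AUDIT2ALLOW_OUTPUT)):
        print(finding)
```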

Comment 2 Miroslav Grepl 2013-01-04 13:21:16 UTC
initrc_t should not exist in MLS. You can allow it by these rules for now. We need to turn on lldpad policy in MLS.

Comment 4 Miroslav Grepl 2013-08-06 12:24:55 UTC
I backported the policy and made it unconfined.

Comment 8 Miroslav Grepl 2013-08-27 14:16:28 UTC
Ok, it has been added only for targeted policy. Is lldpad needed on MLS system?

Comment 11 Milos Malik 2013-10-22 12:40:57 UTC
lldpad works in targeted policy, but does not have a special SELinux domain in MLS policy now. There will be another bug filed for this purpose.

Comment 13 errata-xmlrpc 2013-11-21 10:12:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html