Bug 913673

Summary: cgrulesengd has "AVC" record in /var/log/audit/audit.log
Product: Red Hat Enterprise Linux 6
Reporter: Brenton Leanhardt <bleanhar>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 6.4
CC: bleanhar, dwalsh, inode0, jialiu, jpallich, libra-onpremise-devel, lmeyer, mgrepl, mjw, mmalik, sforsber, xjia
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-196.el6
Doc Type: Bug Fix
Doc Text:
Previously, the cgrulesengd daemon attempted to use inotifyfs scripts for monitoring filesystem changes. Due to a missing rule, the SELinux subsystem denied access to inotifyfs. This update adds an allow rule to selinux-policy and cgrulesengd can now use inotifyfs.
Story Points: ---
Clone Of: 906684
Environment:
Last Closed: 2013-11-21 10:16:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 913537, 915519, 917966

Comment 2 Mark Wielaard 2013-02-21 22:28:07 UTC
I just upgraded to 6.4 and I am seeing a lot of audit messages:

$ sudo ls -lah /var/log/audit
total 25M
drwxr-x---.  2 root root 4.0K Feb 21 23:16 .
drwxr-xr-x. 18 root root 4.0K Feb 21 22:55 ..
-rw-------.  1 root root 549K Feb 21 23:16 audit.log
-r--------.  1 root root 6.1M Feb 21 23:16 audit.log.1
-r--------.  1 root root 6.1M Feb 21 23:16 audit.log.2
-r--------.  1 root root 6.1M Feb 21 23:15 audit.log.3
-r--------.  1 root root 6.1M Feb 21 23:14 audit.log.4

They all look similar:

type=AVC msg=audit(1361485377.617:6769463): avc:  denied  { read } for  pid=2405 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1361485377.617:6769463): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fffef90a3f0 a2=400 a3=0 items=0 ppid=1 pid=2405 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=system_u:system_r:cgred_t:s0 key=(null)

Comment 3 Miroslav Grepl 2013-02-22 08:23:12 UTC
I added a fix to RHEL6.5. I guess we need to get it to RHEL6.4, right?

Comment 4 Mark Wielaard 2013-02-22 10:49:06 UTC
BTW. As a quick workaround you can feed the log messages to audit2allow -R -M cgrulesengd. This will generate a cgrulesengd.pp that can be added with semodule -i cgrulesengd.pp. The cgrulesengd.te file will show the policy generated:

policy_module(cgrulesengd, 1.0)

require {
	type cgred_t;
}

#============= cgred_t ==============
fs_list_inotifyfs(cgred_t)
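
Before feeding a log like the one in comment 2 to audit2allow, it helps to know how many distinct denials are actually in it (Mark's 25M of audit logs turn out to be one denial repeated) and which source/target type pair each one involves. The parser below is an added example, not code from this bug or from the selinux-policy package: it joins AVC and SYSCALL records by audit serial, extracts the denied permissions, the source and target types, the calling binary and the syscall result, and counts the raw `allow` rule each denial would need. The rule text it produces is the raw type-enforcement form (audit2allow without `-R`); the `fs_list_inotifyfs(cgred_t)` interface call in comment 4 is what `-R` substitutes for it, and that mapping is not attempted here. The two sample records are copied from comment 2.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the two records quoted in comment 2 of this bug.
SAMPLE_LOG = """\
type=AVC msg=audit(1361485377.617:6769463): avc:  denied  { read } for  pid=2405 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1361485377.617:6769463): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fffef90a3f0 a2=400 a3=0 items=0 ppid=1 pid=2405 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=system_u:system_r:cgred_t:s0 key=(null)
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <rest>
MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# avc:  denied  { perm1 perm2 } for  key=value ...
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$")
# key=value pairs; values are either double-quoted or a bare non-space token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    serial: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    path: str = ""
    exe: str = ""        # filled in from the SYSCALL record with the same serial
    syscall: str = ""
    exit_code: str = ""  # e.g. "-13" is -EACCES, the errno the denied process saw

    @property
    def source_type(self) -> str:
        # user:role:type:level -> type
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def _kv(s: str) -> dict:
    """Split an audit record tail into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def parse_audit(text: str) -> list:
    """Return one Denial per denied AVC record, joined with its SYSCALL record."""
    avcs = {}      # serial -> [Denial, ...]
    syscalls = {}  # serial -> dict of SYSCALL fields
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        serial, rest = m.group("serial"), m.group("rest")
        if m.group("type") == "AVC":
            a = AVC_RE.match(rest)
            if not a or a.group("result") != "denied":
                continue  # ignore 'granted' audits and malformed lines
            f = _kv(a.group("rest"))
            avcs.setdefault(serial, []).append(Denial(
                serial=serial,
                perms=tuple(a.group("perms").split()),
                scontext=f.get("scontext", ""),
                tcontext=f.get("tcontext", ""),
                tclass=f.get("tclass", ""),
                comm=f.get("comm", ""),
                path=f.get("path", ""),
            ))
        elif m.group("type") == "SYSCALL":
            syscalls[serial] = _kv(rest)

    denials = []
    for serial, items in avcs.items():
        sc = syscalls.get(serial, {})
        for d in items:
            d.exe = sc.get("exe", "")
            d.syscall = sc.get("syscall", "")
            d.exit_code = sc.get("exit", "")
            denials.append(d)
    return denials


def allow_rules(denials: list) -> dict:
    """Count the raw allow rule each denial would need (audit2allow without -R)."""
    counts = Counter()
    for d in denials:
        perms = " ".join(sorted(d.perms))
        counts[f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {perms} }};"] += 1
    return dict(counts)


if __name__ == "__main__":
    found = parse_audit(SAMPLE_LOG)
    for d in found:
        print(f"{d.exe or d.comm}: {d.source_type} -> {d.target_type}:{d.tclass} "
              f"{d.perms} (syscall {d.syscall}, exit {d.exit_code}, path {d.path!r})")
    for rule, n in allow_rules(found).items():
        print(f"{n:>6}  {rule}")
```

Run it against a real `/var/log/audit/audit.log` by replacing `SAMPLE_LOG` with the file contents; the rule counts tell you whether a log full of AVCs is one missing rule hit repeatedly, as here, or several unrelated denials that deserve separate review before any generated module is loaded with `semodule -i`.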

Comment 5 Milos Malik 2013-02-22 11:03:20 UTC
I know that cgrulesengd can use inotifyfs,

# strings `which cgrulesengd` | grep inotify
Error intializing inotify subsystem
inotify_init
inotify_add_watch
#

but I'm unable to persuade cgrulesengd to actually use it, therefore no AVCs appeared on my machine. Could you help me?

Comment 6 Brenton Leanhardt 2013-02-22 14:00:21 UTC
(In reply to comment #3)
> I added a fix to RHEL6.5. I guess we need to get it to RHEL6.4, right?

Yes, we would like this bug Z-Streamed for RHEL 6.4.

Comment 7 Milos Malik 2013-02-26 15:23:20 UTC
I don't see any AVCs when the policy module (comment#4) is loaded.

Comment 11 errata-xmlrpc 2013-11-21 10:16:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html