Bug 1011963 - selinux avc denial on cluster nodes
selinux avc denial on cluster nodes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
Depends On:
Blocks: 1016462
  Show dependency treegraph
 
Reported: 2013-09-25 08:59 EDT by michal novacek
Modified: 2014-09-30 19:35 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-218.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1016462 (view as bug list)
Environment:
Last Closed: 2013-11-21 05:52:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
selinux messages (14.63 KB, text/x-log)
2013-09-25 08:59 EDT, michal novacek
no flags Details

  None (edit)
Description michal novacek 2013-09-25 08:59:36 EDT
Created attachment 802843 [details]
selinux messages

Description of problem:
There are selinux problem reported. This happens on automatic cluster creation
but I'm not sure however that this is cluster related problem.

Version-Release number of selected component (if applicable):
RHEL6.5-20130919.n.0
selinux-policy-3.7.19-216.el6.noarch
Comment 2 Milos Malik 2013-09-25 09:05:43 EDT
Let's skip AVCs caused by prelink - here is the bug (BZ#1008464) which deals with them.
Comment 3 Milos Malik 2013-09-25 09:11:14 EDT
The rest of AVCs consists of:
----
time->Mon Sep 23 10:24:43 2013
type=USER_AVC msg=audit(1379924683.286:28): user pid=1107 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=1160 tpid=7704 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:system_r:qarshd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Sep 23 10:26:06 2013
type=SYSCALL msg=audit(1379924766.715:64): arch=c000003e syscall=2 success=no exit=-13 a0=7f81f8bd50dd a1=0 a2=1b6 a3=0 items=0 ppid=9387 pid=10202 auid=4294967295 uid=140 gid=0 euid=140 suid=140 fsuid=140 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1379924766.715:64): avc:  denied  { read } for  pid=10202 comm="virsh" name="tmp" dev=dm-0 ino=261235 scontext=unconfined_u:system_r:xm_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
Comment 4 Miroslav Grepl 2013-09-25 15:01:57 EDT
We have in Fedora

cat /tmp/log |audit2allow


#============= xm_t ==============

#!!!! This avc is allowed in the current policy
allow xm_t tmp_t:dir read

type=USER_AVC msg=audit(1379924683.286:28): user pid=1107 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=1160 tpid=7704 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:system_r:qarshd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

is a qarshd policy issue.
Comment 8 errata-xmlrpc 2013-11-21 05:52:46 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.