Bug 1011963 - selinux avc denial on cluster nodes
Summary: selinux avc denial on cluster nodes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 1016462
TreeView+ depends on / blocked
 
Reported: 2013-09-25 12:59 UTC by michal novacek
Modified: 2014-09-30 23:35 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-218.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1016462 (view as bug list)
Environment:
Last Closed: 2013-11-21 10:52:46 UTC
Target Upstream Version:


Attachments (Terms of Use)
selinux messages (14.63 KB, text/x-log)
2013-09-25 12:59 UTC, michal novacek
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description michal novacek 2013-09-25 12:59:36 UTC
Created attachment 802843 [details]
selinux messages

Description of problem:
There are selinux problem reported. This happens on automatic cluster creation
but I'm not sure however that this is cluster related problem.

Version-Release number of selected component (if applicable):
RHEL6.5-20130919.n.0
selinux-policy-3.7.19-216.el6.noarch

Comment 2 Milos Malik 2013-09-25 13:05:43 UTC
Let's skip AVCs caused by prelink - here is the bug (BZ#1008464) which deals with them.

Comment 3 Milos Malik 2013-09-25 13:11:14 UTC
The rest of AVCs consists of:
----
time->Mon Sep 23 10:24:43 2013
type=USER_AVC msg=audit(1379924683.286:28): user pid=1107 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=1160 tpid=7704 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:system_r:qarshd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Mon Sep 23 10:26:06 2013
type=SYSCALL msg=audit(1379924766.715:64): arch=c000003e syscall=2 success=no exit=-13 a0=7f81f8bd50dd a1=0 a2=1b6 a3=0 items=0 ppid=9387 pid=10202 auid=4294967295 uid=140 gid=0 euid=140 suid=140 fsuid=140 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virsh" exe="/usr/bin/virsh" subj=unconfined_u:system_r:xm_t:s0 key=(null)
type=AVC msg=audit(1379924766.715:64): avc:  denied  { read } for  pid=10202 comm="virsh" name="tmp" dev=dm-0 ino=261235 scontext=unconfined_u:system_r:xm_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----

Comment 4 Miroslav Grepl 2013-09-25 19:01:57 UTC
We have in Fedora

cat /tmp/log |audit2allow


#============= xm_t ==============

#!!!! This avc is allowed in the current policy
allow xm_t tmp_t:dir read

type=USER_AVC msg=audit(1379924683.286:28): user pid=1107 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.5 spid=1160 tpid=7704 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:system_r:qarshd_t:s0-s0:c0.c1023 tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

is a qarshd policy issue.

Comment 8 errata-xmlrpc 2013-11-21 10:52:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html


Note You need to log in before you can comment on or make changes to this bug.