Bug 1021984 - create a MLS policy for lldpad
Summary: create a MLS policy for lldpad
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 891779
Blocks:
Reported: 2013-10-22 12:47 UTC by Milos Malik
Modified: 2014-10-14 07:57 UTC (History)

Fixed In Version: selinux-policy-3.7.19-252.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 891779
Environment:
Last Closed: 2014-10-14 07:57:22 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2014:1568 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2014-10-14 01:27:37 UTC

Description Milos Malik 2013-10-22 12:47:47 UTC
Description of problem:
When running the MLS policy, SELinux generates AVCs for lldpad, as in the previous bug 723958.

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-154.el6

How reproducible:

Create a minimal install of EL 6.3 and apply the MLS policy following a slightly modified version of the process from: http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto

Steps to Reproduce:
1. yum update
2. reboot
3. yum install selinux-policy-mls
4. change /etc/sysconfig/selinux values to SELINUX=permissive and SELINUXTYPE=mls
5. touch /.autorelabel
6. reboot
7. add the kernel argument '1' in grub to boot into single user mode
8. change /etc/sysconfig/selinux value for SELINUX back to 'enforcing'
9. reboot

Actual results:
audit2allow generates the following policy for lldpad from the audit log:

allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:packet_socket { bind create ioctl setopt };
allow initrc_t self:shm { write unix_read unix_write associate read create };

Comment 1 Lukas Vrabec 2014-07-04 10:02:22 UTC
Patch sent.

Comment 4 Lukas Vrabec 2014-08-12 12:25:44 UTC
Fixed patch sent.

Comment 7 Lukas Vrabec 2014-08-25 13:27:08 UTC
# rpm -q selinux-policy
selinux-policy-3.7.19-251.el6.noarch

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Package       : unknown
:: [   LOG    ] :: beakerlib RPM : beakerlib-1.9-3.el6 
:: [   LOG    ] :: bl-redhat RPM : beakerlib-redhat-1-12.el6eso 
:: [   LOG    ] :: Test started  : 2014-08-25 15:18:35 CEST
:: [   LOG    ] :: Test finished : 2014-08-25 15:19:26 CEST
:: [   LOG    ] :: Test name     : unknown
:: [   LOG    ] :: Distro:       : Red Hat Enterprise Linux Workstation release 6.6 Beta (Santiago)
:: [   LOG    ] :: Hostname      : localhost.localdomain
:: [   LOG    ] :: Architecture  : x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/selinux-policy/Regression/bz723958-lldpad-and-similar

Description: SELinux interferes with lldpad and related tools

Author: Milos Malik <mmalik>



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: rlImport: Found 'selinux-policy/common' in /mnt/tests
:: [   INFO   ] :: rlImport: Will try to import selinux-policy/common from /mnt/tests/CoreOS/selinux-policy/Library/common/lib.sh
:: [   PASS   ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0, got 0)
:: [   PASS   ] :: Checking for the presence of selinux-policy rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-mls rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-mls-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-targeted rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-targeted-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of lldpad rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   lldpad-0.9.46-2.el6.x86_64
:: [   PASS   ] :: Command 'setenforce 1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sestatus' (Expected 0, got 0)
:: [   LOG    ] :: Setting timestamp 'TIMESTAMP' [08/25/2014 15:18:37]
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: Setup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#723958
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /etc/rc.d/init.d/lldpad should contain lldpad_initrc_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/dcbtool should contain bin_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldptool should contain bin_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /var/lib/lldpad should contain lldpad_var_lib_t (Assert: expected 0, got 0)
:: [   PASS   ] :: sesearch --type -C -s initrc_t -t lldpad_exec_t -c process -p lldpad_t  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t unconfined_t : unix_dgram_socket { sendto }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t unconfined_t -c unix_dgram_socket -p sendto  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: bz#723958

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#727290
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_module }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_module  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#727290

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#891779
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : netlink_route_socket { nlmsg_write }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c netlink_route_socket -p nlmsg_write  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : packet_socket { bind create ioctl setopt }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p bind  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p create  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p ioctl  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p setopt  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : shm { create destroy read write associate unix_read unix_write }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p create  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p destroy  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p read  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p write  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p associate  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p unix_read  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p unix_write  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 13 good, 0 bad
:: [   PASS   ] :: RESULT: bz#891779

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#986870
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_resource }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_resource  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#986870

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#995434
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t fcoemon_t : unix_dgram_socket { sendto }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t fcoemon_t -c unix_dgram_socket -p sendto  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#995434

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1021984
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /etc/localtime should contain locale_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_resource } mls'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_resource /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t locale_t : file { getattr open read } mls'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p getattr /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p open /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p read /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: bz#1021984

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: real scenario
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0)
:: [   PASS   ] :: Command 'semodule -l | grep lldpad' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad start' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ps -efZ | egrep -v " egrep " | egrep "lldpad_t.*lldpad"' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 0)
:: [   PASS   ] :: Command 'service lldpad restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ps -efZ | egrep -v " egrep " | egrep "lldpad_t.*lldpad"' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 0)
:: [   PASS   ] :: Command 'lldptool -t -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'lldptool -l -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'lldptool -S -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'dcbtool gc dcbx' (Expected 0, got 0)
:: [   PASS   ] :: Command 'dcbtool go dcbx' (Expected 0, got 0)
:: [   PASS   ] :: Command 'dcbtool gc eth0 dcb' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 dcb' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 dcb' (Expected 0-255, got 255)
:: [   PASS   ] :: Command 'dcbtool gp eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'service lldpad stop' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 3)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 33 good, 0 bad
:: [   PASS   ] :: RESULT: real scenario

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Search for AVCs and SELINUX_ERRs since timestamp 'TIMESTAMP' [08/25/2014 15:18:37]
:: [   PASS   ] :: Command 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 08/25/2014 15:18:37 2>&1 | grep -v '<no matches>'' (Expected 1, got 1)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: Cleanup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: unknown
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Phases: 9 good, 0 bad
:: [   PASS   ] :: RESULT: unknown
:: [ 15:19:26 ] :: JOURNAL XML: /var/tmp/beakerlib-NhvRIfU/journal.xml
:: [ 15:19:27 ] :: JOURNAL TXT: /var/tmp/beakerlib-NhvRIfU/journal.txt

rhel6:/var/log/audit
# service lldpad status
lldpad (pid  27985) is running...
rhel6:/var/log/audit
# lldptool -p
27985

I'm without any AVC. Could you re-test it, or do I have a bad reproducer?

Comment 8 Miroslav Grepl 2014-08-25 13:47:47 UTC
Milos,
then you need to have

lldpad_admin()

Comment 9 Milos Malik 2014-08-25 14:38:01 UTC
(In reply to Lukas Vrabec from comment #7)

> I'm without any AVC. Could you re-test it, or do I have a bad reproducer?

You need to run the automated TC (to be precise - the real scenario phase) on a machine where the MLS policy is active. The TC is unable to switch the machine from targeted to MLS.

Comment 10 Milos Malik 2014-08-25 14:57:34 UTC
The following AVCs appear when "lldptool -p" is executed in permissive mode:
----
type=SOCKADDR msg=audit(08/25/2014 16:54:28.606:88) : saddr=local /com/intel/lldpad 
type=SYSCALL msg=audit(08/25/2014 16:54:28.606:88) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x9c7352 a2=0x14 a3=0x7fff949f9210 items=0 ppid=2600 pid=2665 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=lldptool exe=/usr/sbin/lldptool subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/25/2014 16:54:28.606:88) : avc:  denied  { sendto } for  pid=2665 comm=lldptool path=/com/intel/lldpad scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=unix_dgram_socket 
----
type=SOCKADDR msg=audit(08/25/2014 16:54:28.607:89) : saddr=local /com/intel/lldpad/2665 
type=SYSCALL msg=audit(08/25/2014 16:54:28.607:89) : arch=x86_64 syscall=sendto success=yes exit=12 a0=0x4 a1=0x21ffb60 a2=0xc a3=0x0 items=0 ppid=1 pid=1375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/25/2014 16:54:28.607:89) : avc:  denied  { sendto } for  pid=1375 comm=lldpad path=/com/intel/lldpad/2665 scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=unix_dgram_socket 
----

The following rules seem to be needed:
allow lldpad_t sysadm_t:unix_dgram_socket sendto;
allow sysadm_t lldpad_t:unix_dgram_socket sendto;
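
Comment 10 derives the two allow rules by hand from the AVC records. As an added example (not part of this bug report or of the selinux-policy project), the script below performs the same derivation over the two denials quoted above, embedded here as constructed sample log text; it is a simplified stand-in for audit2allow, not the real tool, and it takes care that an MLS context carries an extra colon inside its range field (s0-s15:c0.c1023), so the type must not be read by a naive split on ":".

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in comment 10 (lldptool and
# lldpad talking over a unix datagram socket under the MLS policy), plus the
# SYSCALL record that precedes them, which carries no denial.
AUDIT_LOG = """\
type=SYSCALL msg=audit(08/25/2014 16:54:28.606:88) : arch=x86_64 syscall=connect success=yes exit=0 comm=lldptool exe=/usr/sbin/lldptool subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(08/25/2014 16:54:28.606:88) : avc:  denied  { sendto } for  pid=2665 comm=lldptool path=/com/intel/lldpad scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(08/25/2014 16:54:28.607:89) : avc:  denied  { sendto } for  pid=1375 comm=lldpad path=/com/intel/lldpad/2665 scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=unix_dgram_socket
"""

# Matches the permission set and the three fields an allow rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a SELinux context (user:role:type[:range]).
    Under MLS the range itself contains a colon, so split at most three times."""
    return context.split(":", 3)[2]


def avc_to_rules(log_text):
    """Collapse AVC denials into allow rules, one per (source, target, class),
    merging permissions from repeated denials the way audit2allow does."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/SOCKADDR records carry no denial
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        perms[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        target = "self" if src == tgt else tgt   # policy shorthand for src == tgt
        plist = " ".join(sorted(p))
        if len(p) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {target}:{cls} {plist};")
    return rules


if __name__ == "__main__":
    for rule in avc_to_rules(AUDIT_LOG):
        print(rule)
```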

Comment 11 Lukas Vrabec 2014-08-26 14:01:52 UTC
commit a37f930d9fa6293c2a724e09c79207cda0854ae5
Author: Miroslav Grepl <mgrepl>
Date:   Tue Aug 26 15:52:39 2014 +0200

    Allow sysadm to talk with lldpad over unix dgram socket.

Comment 14 errata-xmlrpc 2014-10-14 07:57:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

