Bug 1023336 - system-config-kdump runs chkconfig which reads various initscript files
Summary: system-config-kdump runs chkconfig which reads various initscript files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-25 08:36 UTC by Milos Malik
Modified: 2014-10-14 07:57 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-247.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 07:57:26 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-14 01:27:37 UTC

Description Milos Malik 2013-10-25 08:36:53 UTC 
Description of problem:
# seinfo -topenshift_initrc_exec_t -x
   openshift_initrc_exec_t
      file_type
      exec_type
      entry_type
      non_security_file_type
#

init_script_file_type attribute is missing in the definition, therefore following rule does not apply:
dontaudit kdumpgui_t init_script_file_type : file { ioctl read getattr lock open } ; 

Version-Release number of selected component (if applicable):
selinux-policy-doc-3.7.19-228.el6.noarch
selinux-policy-mls-3.7.19-228.el6.noarch
selinux-policy-minimum-3.7.19-228.el6.noarch
selinux-policy-3.7.19-228.el6.noarch
selinux-policy-targeted-3.7.19-228.el6.noarch
system-config-kdump-2.0.5-15.el6.noarch
mcollective-client-2.2.3-1.el6.noarch
mcollective-2.2.3-1.el6.noarch
mcollective-common-2.2.3-1.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. install mcollective package
2. follow the reproducer in https://bugzilla.redhat.com/show_bug.cgi?id=915729#c91
3. search fior AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(10/25/2013 09:42:26.388:186) : item=0 name=/etc/init.d/mcollective inode=162560 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:openshift_initrc_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(10/25/2013 09:42:26.388:186) :  cwd=/ 
type=SYSCALL msg=audit(10/25/2013 09:42:26.388:186) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=7fffc5f96720 a1=7fffc5f96690 a2=7fffc5f96690 a3=0 items=1 ppid=9572 pid=9663 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chkconfig exe=/sbin/chkconfig subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/25/2013 09:42:26.388:186) : avc:  denied  { getattr } for  pid=9663 comm=chkconfig path=/etc/rc.d/init.d/mcollective dev=vda3 ino=162560 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_initrc_exec_t:s0 tclass=file 
----

Actual results (permissive mode):
----
type=PATH msg=audit(10/25/2013 09:44:43.402:188) : item=0 name=/etc/init.d/mcollective inode=162560 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:openshift_initrc_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(10/25/2013 09:44:43.402:188) :  cwd=/ 
type=SYSCALL msg=audit(10/25/2013 09:44:43.402:188) : arch=x86_64 syscall=stat success=yes exit=0 a0=7fffcb916570 a1=7fffcb9164e0 a2=7fffcb9164e0 a3=0 items=1 ppid=9572 pid=15518 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chkconfig exe=/sbin/chkconfig subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/25/2013 09:44:43.402:188) : avc:  denied  { getattr } for  pid=15518 comm=chkconfig path=/etc/rc.d/init.d/mcollective dev=vda3 ino=162560 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_initrc_exec_t:s0 tclass=file 
----
type=PATH msg=audit(10/25/2013 09:44:43.402:189) : item=0 name=/etc/init.d/mcollective inode=162560 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:openshift_initrc_exec_t:s0 nametype=NORMAL 
type=CWD msg=audit(10/25/2013 09:44:43.402:189) :  cwd=/ 
type=SYSCALL msg=audit(10/25/2013 09:44:43.402:189) : arch=x86_64 syscall=open success=yes exit=5 a0=1e4c670 a1=0 a2=0 a3=18 items=1 ppid=9572 pid=15518 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chkconfig exe=/sbin/chkconfig subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/25/2013 09:44:43.402:189) : avc:  denied  { open } for  pid=15518 comm=chkconfig name=mcollective dev=vda3 ino=162560 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_initrc_exec_t:s0 tclass=file 
type=AVC msg=audit(10/25/2013 09:44:43.402:189) : avc:  denied  { read } for  pid=15518 comm=chkconfig name=mcollective dev=vda3 ino=162560 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_initrc_exec_t:s0 tclass=file 
----

Expected results:
 * no AVCs
Comment 3 Lukas Vrabec 2014-07-25 14:44:40 UTC 
patch sent.
Comment 6 errata-xmlrpc 2014-10-14 07:57:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
Note You need to log in before you can comment on or make changes to this bug.