Bug 1028099 - SELinux prevents lsmd from executing various lsmplugins
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik

Reported: 2013-11-07 11:29 EST by Milos Malik
Modified: 2014-07-09 11:11 EDT

Fixed In Version: selinux-policy-3.12.1-118.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 05:32:45 EDT
Type: Bug

Attachments: None
Description Milos Malik 2013-11-07 11:29:39 EST
Description of problem:


Version-Release number of selected component (if applicable):
libstoragemgmt-0.0.22-4.el7.x86_64
libstoragemgmt-devel-0.0.22-4.el7.x86_64
libstoragemgmt-netapp-plugin-0.0.22-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.22-4.el7.noarch
libstoragemgmt-python-0.0.22-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.22-4.el7.noarch
libstoragemgmt-targetd-plugin-0.0.22-4.el7.noarch
selinux-policy-3.12.1-98.el7.noarch
selinux-policy-devel-3.12.1-98.el7.noarch
selinux-policy-doc-3.12.1-98.el7.noarch
selinux-policy-minimum-3.12.1-98.el7.noarch
selinux-policy-mls-3.12.1-98.el7.noarch
selinux-policy-targeted-3.12.1-98.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service libstoragemgmt start
# for I in VOLUMES INITIATORS POOLS FS SNAPSHOTS EXPORTS NFS_CLIENT_AUTH ACCESS_GROUPS SYSTEMS ; do lsmcli -l $I -u 'sim://' ; done
# search for AVCs

Actual results:
----
type=PATH msg=audit(11/07/2013 17:16:27.410:7783) : item=0 name=/usr/bin/sim_lsmplugin inode=6433551 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/07/2013 17:16:27.410:7783) :  cwd=/ 
type=SYSCALL msg=audit(11/07/2013 17:16:27.410:7783) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7f0c2738c050 a1=0x7fff756f1960 a2=0x7fff756f1bc0 a3=0x0 items=1 ppid=32719 pid=32746 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/07/2013 17:16:27.410:7783) : avc:  denied  { execute } for  pid=32746 comm=lsmd name=sim_lsmplugin dev="sda4" ino=6433551 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-11-07 14:38:08 EST
If you replace 'sim://' with 'simc://' then you will get similar AVCs. sim_lsmplugin is a script, but simc_lsmplugin is a binary. After execution of "chcon -t lsmd_exec_t /usr/bin/simc_lsmplugin" the AVCs stopped appearing. But the reproducer from comment#0 still triggers AVCs.
Comment 2 Milos Malik 2013-11-07 14:50:08 EST
Each of these plugins can be triggered via the reproducer:

# ls -l /usr/bin/*_lsmplugin
-rwxr-xr-x. 1 root root  1340 Oct 14 17:00 /usr/bin/nstor_lsmplugin
-rwxr-xr-x. 1 root root  1298 Oct 14 17:00 /usr/bin/ontap_lsmplugin
-rwxr-xr-x. 1 root root 48312 Oct 14 16:58 /usr/bin/simc_lsmplugin
-rwxr-xr-x. 1 root root  1324 Oct 14 17:00 /usr/bin/sim_lsmplugin
-rwxr-xr-x. 1 root root  1297 Oct 14 17:00 /usr/bin/smispy_lsmplugin
-rwxr-xr-x. 1 root root 23904 Oct 14 17:00 /usr/bin/targetd_lsmplugin
# file /usr/bin/*_lsmplugin
/usr/bin/nstor_lsmplugin:   Python script, ASCII text executable
/usr/bin/ontap_lsmplugin:   Python script, ASCII text executable
/usr/bin/simc_lsmplugin:    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xe19f870782280067178acabafa6fd1c34373d922, stripped
/usr/bin/sim_lsmplugin:     Python script, ASCII text executable
/usr/bin/smispy_lsmplugin:  Python script, ASCII text executable
/usr/bin/targetd_lsmplugin: Python script, ASCII text executable
#
Comment 3 Miroslav Grepl 2013-11-08 03:02:16 EST
Milos,
could you try to add

corecmd_exec_bin(lsmd)

to the local policy, and re-run and collect AVC msgs?


commit c07234231b3ef9de9129c257d1ef1245bf1b9a4b
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Nov 8 09:01:45 2013 +0100

    Allow lsmd to execute various lsmplugins
Comment 4 Milos Malik 2013-11-08 04:26:43 EST
After compiling and loading the following module, a bunch of AVCs showed up in enforcing mode:

policy_module(mypolicy,1.0)

require {
  type lsmd_t;
}

corecmd_exec_bin(lsmd_t)

----
type=PATH msg=audit(11/08/2013 10:22:24.897:861) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:22:24.897:861) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:22:24.897:861) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:22:24.897:861) : avc:  denied  { read } for  pid=4565 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:22:24.974:862) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:22:24.974:862) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:22:24.974:862) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:22:24.974:862) : avc:  denied  { read } for  pid=4565 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=1 name=/tmp/1MsK71 objtype=CREATE 
type=PATH msg=audit(11/08/2013 10:22:24.980:864) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:22:24.980:864) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:22:24.980:864) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x25fec40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=4541 pid=4565 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:22:24.980:864) : avc:  denied  { write } for  pid=4565 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
----
Comment 5 Milos Malik 2013-11-08 04:37:35 EST
The following AVCs were caught in permissive mode:
----
type=PATH msg=audit(11/08/2013 10:33:30.753:1330) : item=0 name=/proc/meminfo inode=4026532027 dev=00:03 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:proc_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:30.753:1330) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.753:1330) : arch=x86_64 syscall=open success=yes exit=6 a0=0x38ca37c8cf a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { open } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { read } for  pid=29545 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/08/2013 10:33:30.755:1331) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x6 a1=0x7fff1932c4a0 a2=0x7fff1932c4a0 a3=0x0 items=0 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc:  denied  { getattr } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:33:30.835:1332) : item=0 name=/dev/urandom inode=4910 dev=00:05 mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:30.835:1332) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.835:1332) : arch=x86_64 syscall=open success=yes exit=7 a0=0x38cf7410bd a1=O_RDONLY a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc:  denied  { open } for  pid=29545 comm=python2.7 path=/dev/urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
type=AVC msg=audit(11/08/2013 10:33:30.835:1332) : avc:  denied  { read } for  pid=29545 comm=python2.7 name=urandom dev="devtmpfs" ino=4910 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=CREATE 
type=PATH msg=audit(11/08/2013 10:33:30.841:1333) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:33:30.841:1333) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1333) : arch=x86_64 syscall=open success=yes exit=6 a0=0x1ea7c40 a1=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a2=0600 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { create } for  pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { add_name } for  pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { write } for  pid=29545 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
----
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=1 name=/tmp/jGemB5 inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE 
type=PATH msg=audit(11/08/2013 10:33:30.841:1334) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:33:30.841:1334) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:30.841:1334) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1e2d4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29545 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc:  denied  { unlink } for  pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc:  denied  { remove_name } for  pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir 
----
type=PATH msg=audit(11/08/2013 10:33:31.270:1337) : item=0 name=/etc/resolv.conf inode=9210153 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:31.270:1337) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1337) : arch=x86_64 syscall=open success=yes exit=5 a0=0x38ca37d3e8 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x38ca288210 items=1 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc:  denied  { open } for  pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
type=AVC msg=audit(11/08/2013 10:33:31.270:1337) : avc:  denied  { read } for  pid=29574 comm=python2.7 name=resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1338) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7fffed10f7b0 a2=0x7fffed10f7b0 a3=0x0 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.270:1338) : avc:  denied  { getattr } for  pid=29574 comm=python2.7 path=/etc/resolv.conf dev="vda3" ino=9210153 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.270:1339) : arch=x86_64 syscall=socket success=yes exit=5 a0=inet a1=SOCK_DGRAM a2=ip a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc:  denied  { create } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket 
----
type=SOCKADDR msg=audit(11/08/2013 10:33:31.271:1340) : saddr=inet host:192.168.122.1 serv:53 
type=SYSCALL msg=audit(11/08/2013 10:33:31.271:1340) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0xaf1350 a2=0x10 a3=0x1 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.271:1340) : avc:  denied  { connect } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket 
----
type=SYSCALL msg=audit(11/08/2013 10:33:31.313:1341) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x541b a2=0x7fffed10fb80 a3=0x4000 items=0 ppid=29521 pid=29574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.313:1341) : avc:  denied  { getattr } for  pid=29574 comm=python2.7 path=socket:[119147] dev="sockfs" ino=119147 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket 
----
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=1 name=/tmp/BqLXuZ inode=26154463 dev=fd:03 mode=file,600 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=DELETE 
type=PATH msg=audit(11/08/2013 10:33:31.863:1343) : item=0 name=/tmp/ inode=25165953 dev=fd:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT 
type=CWD msg=audit(11/08/2013 10:33:31.863:1343) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.863:1343) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x24fa4d0 a1=0xffffffff a2=0x38cf9bbf88 a3=0x0 items=2 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.863:1343) : avc:  denied  { unlink } for  pid=29620 comm=python2.7 name=BqLXuZ dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:33:31.865:1344) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:31.865:1344) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.865:1344) : arch=x86_64 syscall=open success=yes exit=5 a0=0x2579490 a1=O_RDONLY a2=0x1b6 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.865:1344) : avc:  denied  { open } for  pid=29620 comm=python2.7 path=/tmp/lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 
----
type=PATH msg=audit(11/08/2013 10:33:31.942:1345) : item=0 name=/tmp/lsm_sim_data inode=25908111 dev=fd:03 mode=file,666 ouid=libstoragemgmt ogid=libstoragemgmt rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL 
type=CWD msg=audit(11/08/2013 10:33:31.942:1345) :  cwd=/ 
type=SYSCALL msg=audit(11/08/2013 10:33:31.942:1345) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x2539640 a1=0666 a2=0x38cf9bbf88 a3=0x0 items=1 ppid=29521 pid=29620 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_t:s0 key=(null) 
type=AVC msg=audit(11/08/2013 10:33:31.942:1345) : avc:  denied  { setattr } for  pid=29620 comm=python2.7 name=lsm_sim_data dev="vda3" ino=25908111 scontext=system_u:system_r:lsmd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file 
----
Comment 6 Milos Malik 2013-11-08 04:38:37 EST
Here is the output from audit2allow:

#============= lsmd_t ==============
allow lsmd_t net_conf_t:file { read getattr open };
allow lsmd_t proc_t:file { read getattr open };
allow lsmd_t self:udp_socket { create connect getattr };
allow lsmd_t tmp_t:dir { write remove_name add_name };
allow lsmd_t tmp_t:file { create unlink };

#!!!! This avc can be allowed using the boolean 'global_ssp'
allow lsmd_t urandom_device_t:chr_file { read open };
allow lsmd_t user_tmp_t:file { open setattr };
#
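The rules above are what audit2allow derives from the permissive-mode records in comment 5. As an added illustration (not part of the bug report and not audit2allow's own code), this Python script performs the same aggregation: it parses AVC records, merges the denied permissions per source type, target type and object class, and renders them as allow rules so the grants a local module would make can be reviewed before anything is loaded. The sample records are copied from comment 5; the function names are my own. As comments 7 and 8 show, the fix chosen was a separate lsmd_plugin_t domain rather than granting these rules to lsmd_t, so the output is a review aid, not the fix.

```python
"""Minimal audit2allow-style aggregation of AVC denials (added example).

Keeps the AVC lines from raw audit output and merges denied permissions per
(source type, target type, object class) into allow rules. Review aid only:
it never touches the loaded policy."""
import re
from collections import OrderedDict

# One AVC record: "avc:  denied  { perm ... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: AVC records copied from comment 5 of this bug (ausearch -i format).
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { open } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.753:1330) : avc:  denied  { read } for  pid=29545 comm=python2.7 name=meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.755:1331) : avc:  denied  { getattr } for  pid=29545 comm=python2.7 path=/proc/meminfo dev="proc" ino=4026532027 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { write } for  pid=29545 comm=python2.7 name=tmp dev="vda3" ino=25165953 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:30.841:1333) : avc:  denied  { add_name } for  pid=29545 comm=python2.7 name=jGemB5 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:30.841:1334) : avc:  denied  { remove_name } for  pid=29545 comm=python2.7 name=jGemB5 dev="vda3" ino=26154463 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(11/08/2013 10:33:31.270:1339) : avc:  denied  { create } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
type=AVC msg=audit(11/08/2013 10:33:31.271:1340) : avc:  denied  { connect } for  pid=29574 comm=python2.7 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
type=AVC msg=audit(11/08/2013 10:33:31.313:1341) : avc:  denied  { getattr } for  pid=29574 comm=python2.7 path=socket:[119147] dev="sockfs" ino=119147 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=udp_socket
"""


def context_type(context):
    """Return the type field of a context, e.g. 'lsmd_t' from system_u:system_r:lsmd_t:s0."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate(lines):
    """Merge denials into {(stype, target, tclass): set(perms)} in first-seen order;
    target is 'self' when source and target types match, as audit2allow prints it."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = "self" if rec["ttype"] == rec["stype"] else rec["ttype"]
        rules.setdefault((rec["stype"], target, rec["tclass"]), set()).update(rec["perms"])
    return rules


def to_allow_rules(rules):
    """Render the aggregated denials as allow rules with permissions sorted."""
    return [
        "allow %s %s:%s { %s };" % (stype, target, tclass, " ".join(sorted(perms)))
        for (stype, target, tclass), perms in rules.items()
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(aggregate(SAMPLE_AUDIT.splitlines())):
        print(rule)
```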
Comment 7 Miroslav Grepl 2013-11-08 15:41:53 EST
Ok, the question now is if we need to have a new domain (lsmd_plugin_t for example). Probably we should ask lsmd folks what these plugins do.
Comment 8 Miroslav Grepl 2013-11-26 11:50:08 EST
commit 4f72504c1cb09d526f75302b5d5ab3cf39dc5588
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Nov 26 17:49:39 2013 +0100

    Add lsmd_plugin_t for lsm plugins
Comment 10 Miroslav Grepl 2013-11-29 05:40:46 EST
commit bb9750eb405cd031fa32385664418bb629553b82
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Nov 29 11:40:22 2013 +0100

    Allow lsmd_plugin_t send system log messages
Comment 15 Milos Malik 2014-01-09 06:04:16 EST
# ps -efZ | grep init_t
system_u:system_r:init_t:s0     root         1     0  0 10:19 ?        00:00:02 /usr/lib/systemd/systemd --system --deserialize 24
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3875 7641  0 11:45 pts/0 00:00:00 grep --color=auto init_t
#

Even "watch -n 1 'ps -efZ | grep init_t'" command (which was running at the same time as the test case) did not show other processes running as init_t.
Comment 16 Miroslav Grepl 2014-01-10 03:59:22 EST
commit 82f025f878e67aac45f527cee63fa290897679f5
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Jan 10 09:58:57 2014 +0100

    Allow lsmd plugins stream connect to lsmd/init
Comment 23 Ludek Smid 2014-06-13 05:32:45 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
