Description of problem:
tuned has a new 'sap' profile. When running in beaker, there are several AVCs.

Version-Release number of selected component (if applicable):

How reproducible:
tuned-2.3.0-3.el7.noarch
selinux-policy-3.12.1-99.el7.noarch

Steps to Reproduce:
I am not able to successfully reproduce this manually - just in beaker:
See https://beaker.engineering.redhat.com/jobs/543503

Actual results:
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2013/11/5435/543503/1131188/17252259/86799352/test_log-Test-avc.log

type=SYSCALL msg=audit(1384433349.813:164): arch=c000003e syscall=4 success=no exit=-13 a0=c6b260 a1=7fff5c4eb9e0 a2=7fff5c4eb9e0 a3=0 items=0 ppid=9567 pid=11739 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="script.sh" exe="/usr/bin/bash" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1384433349.813:164): avc: denied { getattr } for pid=11739 comm="script.sh" path="/usr/bin/kmod" dev="dm-1" ino=201511287 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1384433349.825:165): arch=c000003e syscall=4 success=no exit=-13 a0=7fff1405df76 a1=7fff1405ca50 a2=7fff1405ca50 a3=7fff1405c780 items=0 ppid=11739 pid=11759 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mv" exe="/usr/bin/mv" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1384433349.825:165): avc: denied { getattr } for pid=11759 comm="mv" path="/etc/rsyslog.conf" dev="dm-1" ino=135328036 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file

Expected results:
No AVCs..

Additional info:
Could you please run it in permissive mode to collect all AVC msgs?
We will see soon: https://beaker.engineering.redhat.com/jobs/552075
The following AVCs were detected in the beaker job ran by Branislav. All are from the same bash code as was used in RHEL-6. I think the problem could appear because the way how the bash code is executed changed in RHEL-7 tuned. Rsyslog.conf is patched in the spindown-disk profile for the logging not to spin-up the disk frequently. This is the same functionality as in RHEL-6. But in RHEL-7 it was moved to compat-profiles (for backward compatibility). From devel point of view, it is phasing out, but it shouldn't emit AVCs. Modprobe is used for bluetooth enabling/disabling. Also it is the same mechanism as was used in RHEL-6.
AVCs from the run with the latest version of tuned (2.3.0-4) in permissive mode:
It looks tuned is coming to be unconfined domain.

type=AVC msg=audit(1385473047.894:112): avc: denied { write } for pid=31040 comm="sed" path="/etc/sedJ52FJ7" dev="dm-1" ino=100714542 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file

what's going on here?
(In reply to Miroslav Grepl from comment #6)
> It looks tuned is coming to be unconfined domain.
>
> type=AVC msg=audit(1385473047.894:112): avc: denied { write } for
> pid=31040 comm="sed" path="/etc/sedJ52FJ7" dev="dm-1" ino=100714542
> scontext=system_u:system_r:tuned_t:s0
> tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
>
> what's going on here?

I guess it is inplace sed, we can change the code.
Unfortunately it seems there is no switch for sed to command it to make its temp file under the temp directory. We can emulate this functionality.
But this code was untouched since release of RHEL-6.
This run is made with tuned-2.3.0-4.el7.noarch (fixed that 'find' AVC) and in permissive mode:
https://beaker.engineering.redhat.com/recipes/1148199

AVC log directly:
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2013/11/5521/552121/1148199/17567468/88159043/test_log-Test-avc.log
Well I see

type=AVC msg=audit(1385473059.206:121): avc: denied { relabelto } for pid=31206 comm="mv" name="rsyslog.conf" dev="dm-1" ino=100714542 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file
type=AVC msg=audit(1385473059.206:121): avc: denied { relabelfrom } for pid=31206 comm="mv" name="rsyslog.conf" dev="dm-1" ino=100714542 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file

comm="mv" name="rsyslog.conf
Our automated TC is able to reproduce the AVCs you mentioned and one more:
----
time->Tue Dec 17 14:46:19 2013
type=SYSCALL msg=audit(1387287979.004:82417): arch=c000003e syscall=41 success=no exit=-13 a0=1f a1=3 a2=1 a3=d items=0 ppid=28743 pid=28756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hciconfig" exe="/usr/sbin/hciconfig" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1387287979.004:82417): avc: denied { create } for pid=28756 comm="hciconfig" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=socket
----
(In reply to Jaroslav Škarvada from comment #8)
> Unfortunately it seems there is no switch for sed to command it to make its
> temp file under the temp directory. We can emulate this functionality.

So the temp directory is /var/run/tuned in this case, right?
(In reply to Miroslav Grepl from comment #13)
> (In reply to Jaroslav Škarvada from comment #8)
> > Unfortunately it seems there is no switch for sed to command it to make its
> > temp file under the temp directory. We can emulate this functionality.
>
> So the temp directory is /var/run/tuned in this case, right?

Not for sed:

# echo hi > /etc/temp1
# strace sed -i 's/hi/hihi/' /etc/temp1
...
open("/etc/sedYXhO5e", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
...
rename("/etc/sedYXhO5e", "/etc/temp1") = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
I can:
a) write it as combination of mktemp, sed, mv,
b) reimplement the functionality in the tuned daemon (python),
c) drop the functionality completely (today, with ssds and also together with the systemd journal, this feature is not very usable).
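Options (a) and (b) both amount to keeping sed from creating and renaming a randomly named file in /etc. The following is an added example of option (b), not code from tuned or from this bug report: it saves the original bytes under a state directory and rewrites the existing inode, so nothing is created, renamed or unlinked next to the target and the file keeps its owner, mode and SELinux label. The function names, the `.orig` suffix and the `state_dir` argument are assumptions.

```python
import os
import re


def _overwrite(path, data):
    """Replace the content of an existing file without touching its directory entry."""
    # "r+b" opens the existing inode; it never creates a file.
    with open(path, "r+b") as fh:
        fh.write(data)
        fh.truncate()          # drop leftover bytes if the new content is shorter
        fh.flush()
        os.fsync(fh.fileno())


def _backup_path(target, state_dir):
    # Hypothetical naming scheme for the saved copy.
    return os.path.join(state_dir, os.path.basename(target) + ".orig")


def patch_file(target, pattern, repl, state_dir):
    """Apply a bytes regex substitution to target; return True if it changed."""
    with open(target, "rb") as fh:
        original = fh.read()
    updated = re.sub(pattern, repl, original, flags=re.MULTILINE)
    if updated == original:
        return False
    # O_EXCL refuses to overwrite an earlier backup (which would lose the
    # pristine copy) and refuses to write through a pre-existing file.
    fd = os.open(_backup_path(target, state_dir),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
        fh.flush()
        os.fsync(fh.fileno())
    _overwrite(target, updated)
    return True


def restore_file(target, state_dir):
    """Copy the saved bytes back into target, then remove the backup."""
    backup = _backup_path(target, state_dir)
    with open(backup, "rb") as fh:
        original = fh.read()
    # Copying content back avoids moving a file labelled for the state
    # directory into /etc.
    _overwrite(target, original)
    os.unlink(backup)
    return True
```

Writing into the existing inode is not atomic, which is why the original bytes are saved before the target is touched. Restoring by content rather than with mv also avoids the relabelto/relabelfrom denials quoted earlier in the thread.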
Any chance to re-test it with the latest RHEL7 builds?
Milos, thank you for logs. -needinfo (as it is not needed anymore)
How does it look with current policy builds?
Well we are really not able to fix

type=CWD msg=audit(1391002936.287:14879): cwd="/"
type=SYSCALL msg=audit(1391002936.287:14879): arch=c000003e syscall=2 success=no exit=-13 a0=244c940 a1=c2 a2=180 a3=1 items=2 ppid=32030 pid=32056 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/usr/bin/sed" subj=system_u:system_r:tuned_t:s0 key=(null)
type=AVC msg=audit(1391002936.287:14879): avc: denied { create } for pid=32056 comm="sed" name="sed89Cisd" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

This is a random name. Anyway I am going to make tuned_t as unconfined domain for RHEL7.0.
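Grouping the denials quoted in this thread by source type, target type and object class shows how wide the access requested from tuned_t is. This is an added example, not part of the bug report or of selinux-policy: SAMPLE holds AVC records copied from the comments above, the function names are assumptions, and the output is an allow-rule style summary for review rather than policy to load.

```python
import re
from collections import defaultdict

# AVC records copied from comments in this thread (SYSCALL/CWD records left out).
SAMPLE = """\
type=AVC msg=audit(1384433349.813:164): avc: denied { getattr } for pid=11739 comm="script.sh" path="/usr/bin/kmod" dev="dm-1" ino=201511287 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1384433349.825:165): avc: denied { getattr } for pid=11759 comm="mv" path="/etc/rsyslog.conf" dev="dm-1" ino=135328036 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
----
type=AVC msg=audit(1385473047.894:112): avc: denied { write } for pid=31040 comm="sed" path="/etc/sedJ52FJ7" dev="dm-1" ino=100714542 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
type=AVC msg=audit(1385473059.206:121): avc: denied { relabelto } for pid=31206 comm="mv" name="rsyslog.conf" dev="dm-1" ino=100714542 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file
type=AVC msg=audit(1385473059.206:121): avc: denied { relabelfrom } for pid=31206 comm="mv" name="rsyslog.conf" dev="dm-1" ino=100714542 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file
type=AVC msg=audit(1387287979.004:82417): avc: denied { create } for pid=28756 comm="hciconfig" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=socket
type=AVC msg=audit(1391002936.287:14879): avc: denied { create } for pid=32056 comm="sed" name="sed89Cisd" scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+'
    r'\{\s*([^}]+?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "serial": int(m.group(1)),
        "perms": m.group(2).split(),
        "comm": fields.get("comm", "?"),
        # A context is user:role:type:level; policy rules name the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Map (source, target, class) to the denied permissions and the commands involved."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        entry = rules[(rec["source"], rec["target"], rec["tclass"])]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec["comm"])
    return dict(rules)


def render(rules):
    """Format the summary as allow-rule style lines, using 'self' when source == target."""
    lines = []
    for (source, target, tclass), entry in sorted(rules.items()):
        shown = "self" if target == source else target
        perms = " ".join(sorted(entry["perms"]))
        lines.append(f"allow {source} {shown}:{tclass} {{ {perms} }};")
    return lines


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```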
commit 3e136678a67a623a75880d862faa9d13d05958f3
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 11 11:20:34 2014 +0100

    Make tuned_t as unconfined domain for RHEL7.0
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.