Bug 1041308 - openlmi: setting up power state causes selinux denial, cannot change power state of machine
Summary: openlmi: setting up power state causes selinux denial, cannot change power st...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 922084
Reported: 2013-12-12 14:32 UTC by Petr Sklenar
Modified: 2014-12-10 09:30 UTC (History)

Fixed In Version: selinux-policy-3.12.1-116.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:07:27 UTC
Target Upstream Version:



Description Petr Sklenar 2013-12-12 14:32:40 UTC
Description of problem:
openlmi: setting up power state causes selinux denial, cannot change power state of machine

Version-Release number of selected component (if applicable):
rpm -q selinux-policy openlmi
selinux-policy-3.12.1-108.el7.noarch
openlmi-0.4.1-12.el7.noarch
openlmi-powermanagement-0.4.1-12.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. http://www.openlmi.org/sites/default/files/doc/admin/openlmi-providers/0.4.1/power/usage.html#setting-the-power-state


Actual results:
time->Thu Dec 12 09:20:52 2013
type=SYSCALL msg=audit(1386858052.985:1951): arch=c000003e syscall=4 success=no exit=-13 a0=98aa50 a1=7fff87f3b090 a2=7fff87f3b090 a3=11 items=0 ppid=1 pid=13350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:pegasus_openlmi_system_t:s0 key=(null)
type=AVC msg=audit(1386858052.985:1951): avc:  denied  { getattr } for  pid=13350 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134544178 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file



Expected results:
no denial, I can change the power state of the machine

Additional info:
find / -mount -inum 134544178
/usr/bin/systemctl

Comment 2 Miroslav Grepl 2014-01-06 12:09:49 UTC
commit d4b2e51a675d3991118763c64683ab01a67d18ae
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 6 13:09:34 2014 +0100

    Allow cmpiLMI_PowerManagement-cimprovagt to change power state of machine

Comment 3 Petr Sklenar 2014-01-07 10:17:05 UTC
hi,
here are all the denials when running in permissive mode:
1. have a connection to tog-pegasus

type=USER_AVC msg=audit(1389089612.481:924): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.0 spid=1113 tpid=878 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1389089612.482:925): pid=879 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.71 spid=878 tpid=1113 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:pegasus_openlmi_system_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


2. perform a reboot:
type=AVC msg=audit(1389089704.837:1003): avc:  denied  { create } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1004): avc:  denied  { setopt } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1005): avc:  denied  { bind } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1006): avc:  denied  { getattr } for  pid=1231 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1389089704.837:1007): avc:  denied  { read } for  pid=1231 comm="plymouthd" name="queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1389089704.837:1007): avc:  denied  { open } for  pid=1231 comm="plymouthd" path="/run/udev/queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1389089704.837:1008): avc:  denied  { getattr } for  pid=1231 comm="plymouthd" path="/run/udev/queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
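
A small parser for the AVC records quoted in the description and in comment 3, added here as an illustration and not taken from the bug or from selinux-policy: it turns each denial into an audit2allow-style allow rule and groups the rules by source domain, which is how one separates the pegasus_openlmi_system_t denials that belong to this bug from the plymouthd_t ones that comment 4 attributes to a different bug. The sample lines below are copied from the page and trimmed to the relevant fields.

```python
import re
from collections import defaultdict

# Constructed sample: four records from this bug (one file denial from the
# description, one dbus USER_AVC and two plymouthd file denials from comment 3).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1386858052.985:1951): avc:  denied  { getattr } for  pid=13350 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134544178 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=USER_AVC msg=audit(1389089612.481:924): pid=879 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.0 spid=1113 tpid=878 scontext=system_u:system_r:pegasus_openlmi_system_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1389089704.837:1007): avc:  denied  { read } for  pid=1231 comm="plymouthd" name="queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
type=AVC msg=audit(1389089704.837:1007): avc:  denied  { open } for  pid=1231 comm="plymouthd" path="/run/udev/queue.bin" dev="tmpfs" ino=79075 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file
"""

# Works for both kernel AVC records and USER_AVC records, because the
# "avc: denied { perms } ... scontext= tcontext= tclass=" part is the same.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """user:role:type:level -> the type (third field)."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    return (domain_type(m.group("scontext")), domain_type(m.group("tcontext")),
            m.group("tclass"), perms)

def allow_rules(text):
    """Collapse denials per (source, target, class) into allow rules, keyed by source domain."""
    need = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            s, t, c, perms = parsed
            need[(s, t, c)].update(perms)
    rules = defaultdict(list)
    for (s, t, c), perms in sorted(need.items()):
        p = " ".join(sorted(perms))
        body = p if len(perms) == 1 else f"{{ {p} }}"
        rules[s].append(f"allow {s} {t}:{c} {body};")
    return dict(rules)

if __name__ == "__main__":
    for domain, lines in allow_rules(SAMPLE_AUDIT).items():
        print(f"# {domain}")
        print("\n".join(lines))
```

The generated rules are the raw permission set a loadable module would need; the fix that actually shipped (comment 2) was made in the distribution policy itself.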

Comment 4 Milos Malik 2014-01-07 10:21:48 UTC
AVCs mentioned in the second section of comment#3 are already part of bz#1045382.

Comment 7 Ludek Smid 2014-06-13 12:07:27 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.