Bug 1122106 - conman initscripts AVC denials on rhel 6
Summary: conman initscripts AVC denials on rhel 6
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Target Milestone: rc
: 6.6
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
Blocks: 1005265
TreeView+ depends on / blocked
Reported: 2014-07-22 14:39 UTC by Miroslav Hradílek
Modified: 2014-10-14 08:03 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.7.19-247.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1122467 (view as bug list)
Last Closed: 2014-10-14 08:03:39 UTC

Attachments (Terms of Use)
ausearch output (5.59 KB, text/plain)
2014-07-22 14:39 UTC, Miroslav Hradílek
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1568 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2014-10-14 01:27:37 UTC

Description Miroslav Hradílek 2014-07-22 14:39:09 UTC
Created attachment 919941 [details]
ausearch output

Description of problem:
There are avc denials when running conmand binary (from package conman) using initscripts like "service conman start"

$ cat avcs_recent.txt | audit2allow
#============= conman_t ==============
#!!!! The source type 'conman_t' can write to a 'dir' of the following types:
# mnt_t, var_log_t, conman_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow conman_t var_run_t:dir { write remove_name add_name };
#!!!! The source type 'conman_t' can write to a 'file' of the following types:
# mnt_t, conman_log_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t

allow conman_t var_run_t:file { write create unlink open getattr };

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;

Additional info:
The pidfile and lockfile are being handled by conmand directly not by ini scripts. I think it should be allowed to write those.

Comment 3 Milos Malik 2014-07-22 15:03:53 UTC
ERROR:     Unable to open pidfile "/var/run/conmand.pid": Permission denied

Here are results from enforcing mode:
time->Tue Jul 22 16:59:49 2014
type=PATH msg=audit(1406041189.176:1456): item=1 name="/var/run/conmand.pid" nametype=CREATE
type=PATH msg=audit(1406041189.176:1456): item=0 name="/var/run/" inode=1042 dev=fc:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT
type=CWD msg=audit(1406041189.176:1456):  cwd="/"
type=SYSCALL msg=audit(1406041189.176:1456): arch=c000003e syscall=2 success=no exit=-13 a0=257ab40 a1=241 a2=1b6 a3=0 items=2 ppid=1 pid=13350 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="conmand" exe="/usr/sbin/conmand" subj=unconfined_u:system_r:conman_t:s0 key=(null)
type=AVC msg=audit(1406041189.176:1456): avc:  denied  { write } for  pid=13350 comm="conmand" name="run" dev=vda3 ino=1042 scontext=unconfined_u:system_r:conman_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

The label for conmand PID file is not defined:
# matchpathcon /var/run/conmand.pid
/var/run/conmand.pid	<<none>>
# seinfo -t | grep conman
# sesearch -s conman_t -t var_run_t -T


Comment 4 Lukas Vrabec 2014-07-24 08:33:09 UTC
patch sent.

Comment 6 errata-xmlrpc 2014-10-14 08:03:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.