Bug 1128918 - SELinux is preventing omiagent (initrc_t) "write" to ./status (unconfined_t)
Summary: SELinux is preventing omiagent (initrc_t) "write" to ./status (unconfined_t)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-11 20:40 UTC by Karan Bhalla
Modified: 2016-04-28 02:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-03 14:39:27 UTC



Description Karan Bhalla 2014-08-11 20:40:50 UTC
Description of problem: Hundreds of messages in the logs saying "SELinux is preventing omiagent (initrc_t) "write" to ./status (unconfined_t)"

omiagent is a daemon installed by SCOM 2012 R2 to monitor Linux server health and performance.

I am unable to find the "./status" file to run 'restorecon'.

Version-Release number of selected component (if applicable):


How reproducible: Constant


Steps to Reproduce: n/a

Actual results:


Expected results:


Additional info:



Aug 11 12:37:54 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (udev_t). For complete SELinux messages. run sealert -l 867d72ac-1ea2-42ff-97ab-821938b68e54
Aug 11 12:37:55 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (unconfined_t). For complete SELinux messages. run sealert -l 5d2aa218-1a57-4f13-b447-3ea3ab828582
Aug 11 12:37:56 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (crond_t). For complete SELinux messages. run sealert -l 46fd5761-3132-419a-848c-86f3de9db8f4
Aug 11 12:38:54 <hostname> setroubleshoot: SELinux is preventing omiagent (initrc_t) "write" to ./status (setrans_t). For complete SELinux messages. run sealert -l 46ae74f8-894e-4adf-b7ff-e1e7b01eef60


As the messages suggest, I ran "sealert -l 867d72ac-1ea2-42ff-97ab-821938b68e54"

Output:
# sealert -l 867d72ac-1ea2-42ff-97ab-821938b68e54

Summary:

SELinux is preventing omiagent (initrc_t) "write" to ./status (udev_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by omiagent. It is not expected that this access
is required by omiagent and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./status,

restorecon -v './status'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:initrc_t
Target Context                system_u:system_r:udev_t:SystemLow-SystemHigh
Target Objects                ./status [ file ]
Source                        omiagent
Source Path                   /opt/microsoft/scx/bin/omiagent
Port                          <Unknown>
Host                          <hostname>
Source RPM Packages           scx-1.5.0-128.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     <hostname>
Platform                      Linux <hostname>
                              2.6.18-308.11.1.el5 #1 SMP Fri Jun 15 15:41:53 EDT
                              2012 x86_64 x86_64
Alert Count                   760
First Seen                    Thu Aug  7 17:00:53 2014
Last Seen                     Mon Aug 11 13:11:53 2014
Local ID                      867d72ac-1ea2-42ff-97ab-821938b68e54
Line Numbers

Raw Audit Messages

host=<hostname> type=AVC msg=audit(1407787913.463:86463): avc:  denied  { write } for  pid=10697 comm="omiagent" name="status" dev=proc ino=45285380 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file

host=<hostname> type=SYSCALL msg=audit(1407787913.463:86463): arch=c000003e syscall=2 success=yes exit=8 a0=2aaaac036b88 a1=2 a2=1b6 a3=2 items=0 ppid=10564 pid=10697 auid=46101 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10341 comm="omiagent" exe="/opt/microsoft/scx/bin/omiagent" subj=user_u:system_r:initrc_t:s0 key=(null)

Comment 1 Miroslav Grepl 2014-09-03 14:39:27 UTC
You will need to add a local policy to address this issue in RHEL5.
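
Added example, not part of the bug report or of selinux-policy: a small triage script that groups AVC denials like the ones above by source type, target type and class before a local policy is written. It flags `dev=proc` targets, which are `/proc/<pid>/` entries carrying the owning process's domain, so there is no on-disk `./status` for restorecon to relabel. The first sample line is the AVC record from the report; the second and third are constructed variants, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the AVC record from the report; lines 2-3 are
# variants built from its setroubleshoot messages (ino/serial values made up).
SAMPLE = [
    'type=AVC msg=audit(1407787913.463:86463): avc:  denied  { write } for  pid=10697 comm="omiagent" name="status" dev=proc ino=45285380 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file',
    'type=AVC msg=audit(1407787914.101:86470): avc:  denied  { write } for  pid=10697 comm="omiagent" name="status" dev=proc ino=45285391 scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=file',
    'type=AVC msg=audit(1407787915.220:86481): avc:  denied  { write } for  pid=10697 comm="omiagent" name="status" dev=proc ino=45285402 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file',
    'type=SYSCALL msg=audit(1407787913.463:86463): arch=c000003e syscall=2 success=yes exit=8 comm="omiagent"',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
        return None
    return {
        'perms': m.group(1).split(),
        'name': kv.get('name'), 'dev': kv.get('dev'),
        # A context is user:role:type[:level]; the type is the third field.
        'source': kv['scontext'].split(':')[2],
        'target': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
    }

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'procfs': False})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec['source'], rec['target'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['count'] += 1
        # dev=proc: the object is a /proc/<pid>/ entry labelled with the owning
        # process's domain, so no on-disk path exists for restorecon to relabel.
        g['procfs'] |= rec['dev'] == 'proc'
    return dict(groups)

def candidate_rules(groups):
    """Render each group in the allow-rule syntax a local policy module uses."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]
```

Each distinct target domain yields its own rule, which shows how many process domains a local policy for omiagent would have to cover.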

