Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1170775

Summary: starting qpidd causes 5 different SELinux AVCs
Product: Red Hat Enterprise MRG Reporter: Frantisek Reznicek <freznice>
Component: qpid-cpp Assignee: Irina Boverman <iboverma>
Status: CLOSED ERRATA QA Contact: Zdenek Kraus <zkraus>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0 CC: esammons, freznice, iboverma, jross, mtoth, opiske, pematous, tross, zkraus
Target Milestone: 3.2 Keywords: Tracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-08 13:10:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1171275, 1218323    
Bug Blocks:    

Description Frantisek Reznicek 2014-12-04 20:19:40 UTC
Description of problem:

Starting qpidd on RHEL 6.6 causes 5 different SELinux AVCs:

service qpidd stop
  -> no AVC

service qpidd start
  -> 5 new AVCs

Qpidd functionality doesn't seem to be affected.

type=AVC msg=audit(1417723790.708:134): avc:  denied  { read } for  pid=1407 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723790.752:135): avc:  denied  { read } for  pid=1407 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1417723790.918:138): avc:  denied  { read } for  pid=1415 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.116:141): avc:  denied  { read } for  pid=1428 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.169:142): avc:  denied  { read } for  pid=1428 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Version-Release number of selected component (if applicable):
perl-qpid-0.22-13.el6.x86_64
perl-qpid-debuginfo-0.22-13.el6.x86_64
python-qpid-0.22-18.el6.noarch
python-qpid-proton-doc-0.6-2.el6.noarch
python-qpid-qmf-0.22-39.el6.x86_64
qpid-cpp-client-0.22-49.el6.x86_64
qpid-cpp-client-devel-0.22-49.el6.x86_64
qpid-cpp-client-devel-docs-0.22-49.el6.noarch
qpid-cpp-client-rdma-0.22-49.el6.x86_64
qpid-cpp-debuginfo-0.22-49.el6.x86_64
qpid-cpp-server-0.22-49.el6.x86_64
qpid-cpp-server-devel-0.22-49.el6.x86_64
qpid-cpp-server-ha-0.22-49.el6.x86_64
qpid-cpp-server-linearstore-0.22-49.el6.x86_64
qpid-cpp-server-rdma-0.22-49.el6.x86_64
qpid-cpp-server-xml-0.22-49.el6.x86_64
qpid-java-client-0.22-6.el6.noarch
qpid-java-common-0.22-6.el6.noarch
qpid-java-example-0.22-6.el6.noarch
qpid-jca-0.22-2.el6.noarch
qpid-jca-xarecovery-0.22-2.el6.noarch
qpid-jca-zip-0.22-2.el6.noarch
qpid-proton-c-0.7-4.el6.x86_64
qpid-proton-c-devel-0.7-4.el6.x86_64
qpid-proton-c-devel-doc-0.6-2.el6.noarch
qpid-proton-debuginfo-0.7-4.el6.x86_64
qpid-qmf-0.22-39.el6.x86_64
qpid-qmf-debuginfo-0.22-39.el6.x86_64
qpid-qmf-devel-0.22-39.el6.x86_64
qpid-snmpd-1.0.0-16.el6.x86_64
qpid-snmpd-debuginfo-1.0.0-16.el6.x86_64
qpid-tests-0.22-16.el6.noarch
qpid-tools-0.22-16.el6.noarch
ruby-qpid-0.7.946106-2.el6.x86_64
ruby-qpid-qmf-0.22-39.el6.x86_64

selinux-policy-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64

# rpm -V qpid-cpp-server
# 

How reproducible:
100%

Steps to Reproduce:
1. tailf /var/log/audit/audit.log | grep AVC (terminal A)
2. service qpidd restart (terminal B)
3. terminal detects above listed AVCs

Actual results:
  Qpidd when starting triggers AVCs.

Expected results:
  Qpidd when starting/stopping should not trigger any AVCs.

Additional info:
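
An added example, not code from this bug report or the qpid project: it parses the five AVC records quoted above, groups them into distinct (source type, target type, class, permission) denials, and flags reads of an `*_initrc_exec_t` file by path, which is the pattern the leaked-file-descriptor hypothesis in comment 4 predicts (the flagging heuristic is an assumption of this example, not something the bug establishes).

```python
import re
from collections import OrderedDict

# Constructed sample: the five AVC records quoted in the bug description.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1417723790.708:134): avc:  denied  { read } for  pid=1407 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723790.752:135): avc:  denied  { read } for  pid=1407 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1417723790.918:138): avc:  denied  { read } for  pid=1415 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.116:141): avc:  denied  { read } for  pid=1428 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.169:142): avc:  denied  { read } for  pid=1428 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="quoted value"
_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')  # permissions listed inside { ... }

def parse_avc(line):
    """Parse one audit line; return a dict of its fields for AVC denials, else None."""
    if 'type=AVC' not in line or 'denied' not in line:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    perms = _PERMS.search(line)
    rec['perms'] = tuple(sorted(perms.group(1).split())) if perms else ()
    return rec

def distinct_denials(lines):
    """Group AVC records by (source type, target type, class, perms) in first-seen order."""
    groups = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        # The SELinux type is the third component of user:role:type:level.
        key = (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2], rec['tclass'], rec['perms'])
        groups.setdefault(key, []).append(rec)
    return groups

def init_script_fd_reads(groups):
    """Source types denied 'read' on an *_initrc_exec_t file that audit resolved to a path.
    Heuristic (assumption): a process touching its init script this way is consistent with
    a descriptor inherited from the init script, the hypothesis raised in comment 4."""
    hits = set()
    for (src, tgt, tclass, perms), recs in groups.items():
        if tgt.endswith('_initrc_exec_t') and tclass == 'file' and 'read' in perms and any('path' in r for r in recs):
            hits.add(src)
    return sorted(hits)

if __name__ == '__main__':
    groups = distinct_denials(SAMPLE_AUDIT_LOG.splitlines())
    for key, recs in groups.items():
        print(len(recs), 'x', key)
    print('init-script reads by inherited descriptor (suspected):', init_script_fd_reads(groups))
```

Running it over a live `/var/log/audit/audit.log` (or the `tailf ... | grep AVC` stream from the reproduction steps) instead of the embedded sample shows whether a fixed policy still produces any of these three denial classes.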

Comment 1 Frantisek Reznicek 2014-12-04 20:21:53 UTC
It's detected that at least the following two releases are affected:
  qpid-cpp-client-0.22-49.el6.*
  qpid-cpp-client-0.22-50.el6.*

Comment 2 Justin Ross 2014-12-04 20:27:57 UTC
Darryl, please assess.

Comment 4 Darryl L. Pierce 2014-12-05 14:38:17 UTC
(In reply to Justin Ross from comment #2)
> Darryl, please assess.

I installed and ran the r49 qpid-cpp-server and verified that the AVC errors are happening. I discussed this with some people in the #selinux channel on Freenode, who said it's possibly due to a leaked file descriptor and pointed me to an article [1] by Dan Walsh as a possible cause.

[1] https://danwalsh.livejournal.com/53603.html

Comment 6 Zdenek Kraus 2015-03-26 09:50:24 UTC
These AVC errors are also present on RHEL 7, and with qpid-cpp-0.30.
The AVC errors also occur when upgrading/downgrading qpid.

Comment 9 Irina Boverman 2015-05-04 15:35:11 UTC
RHEL 7 bz: 1218323

Comment 10 Otavio Piske 2015-07-17 07:18:57 UTC
These AVC errors are also present on RHEL 6 and 7 with qpid-cpp-0.32.

Comment 14 Zdenek Kraus 2015-08-04 14:38:37 UTC
on RHEL 6
qpid-cpp-server-0.34-1.el6.x86_64
(also with qpid-cpp-server-0.30-8.el6.x86_64)
selinux-policy-3.7.19-279.el6.noarch (this should be currently available via regular channels)

on RHEL 7
qpid-cpp-server-0.34-1.el6.x86_64
selinux-policy-3.13.1-30.el7.noarch
selinux-policy-3.13.1-37.el7.noarch

Restarting the broker does not cause the above-mentioned and/or new AVC errors.

Comment 16 Zdenek Kraus 2015-09-14 08:47:51 UTC
MRG 3.1 and MRG 3.2:
qpid-cpp-server-0.30-8
qpid-cpp-server-0.34-3

current:
selinux-policy-3.7.19-279.el6_7.5.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.17.noarch
.. FAIL
type=AVC msg=audit(1441900864.281:388): avc:  denied  { read } for  pid=2775 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1441900865.374:391): avc:  denied  { read } for  pid=2798 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


new packages:
selinux-policy-3.7.19-279.el6_7.6.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.18.noarch
.. PASS

Comment 18 Zdenek Kraus 2015-09-30 12:53:38 UTC
Since all blocking bugs are resolved, marking as VERIFIED

Comment 20 errata-xmlrpc 2015-10-08 13:10:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-1879.html