Description of problem:
Creating this bug to track all the AVCs which are seen during new feature testing of console.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-271.el6.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
All the audit logs from all the systems are included here. http://rhsqe-repo.lab.eng.blr.redhat.com/sosreports/rhsc/1228888/
I've gone through the AVC's in the attached logs and could see the following AVC's:

##############

#============= nagios_t ==============

#!!!! This avc can be allowed using the boolean 'nagios_run_sudo'
allow nagios_t nagios_log_t:file execute;

#!!!! This avc can be allowed using the boolean 'nagios_run_sudo'
allow nagios_t sudo_exec_t:file getattr;

I've gone through the logs and could see the following AVC's:

#============= glusterd_t ==============
allow glusterd_t fixed_disk_device_t:blk_file { read write getattr open ioctl };
allow glusterd_t fsadm_exec_t:file { execute execute_no_trans };
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };

#!!!! This avc is allowed in the current policy
allow glusterd_t hostname_exec_t:file { execute execute_no_trans };
allow glusterd_t kernel_t:system ipc_info;

#!!!! The source type 'glusterd_t' can write to a 'chr_file' of the following types:
# initrc_devpts_t, null_device_t, zero_device_t, fuse_device_t, devtty_t, ptynode, ttynode, tty_device_t, devpts_t

allow glusterd_t lvm_control_t:chr_file { read write getattr open };
allow glusterd_t lvm_exec_t:file { execute execute_no_trans };

#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow glusterd_t lvm_lock_t:file create;

#!!!! The source type 'glusterd_t' can write to a 'fifo_file' of the following type:
# glusterd_brick_t

allow glusterd_t lvm_var_run_t:fifo_file { write read getattr open lock };
allow glusterd_t node_t:rawip_socket node_bind;
allow glusterd_t self:capability { sys_nice ipc_lock net_raw };
allow glusterd_t self:process setsched;
allow glusterd_t self:rawip_socket { bind create };
allow glusterd_t self:sem { unix_read write unix_write associate read destroy create };
allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans };
allow glusterd_t var_run_t:sock_file { write unlink };

#============= logrotate_t ==============
allow logrotate_t tty_device_t:chr_file getattr;

#!!!! This avc is allowed in the current policy
allow logrotate_t virt_cache_t:dir read;

##############

##############
allow glusterd_t fixed_disk_device_t:blk_file { read write getattr open ioctl };
allow glusterd_t fsadm_exec_t:file { execute execute_no_trans };
allow glusterd_t glusterd_var_lib_t:file { execute execute_no_trans };
allow glusterd_t hostname_exec_t:file { execute execute_no_trans };
allow glusterd_t kernel_t:system ipc_info;
allow glusterd_t lvm_control_t:chr_file { read write getattr open };
allow glusterd_t lvm_exec_t:file { execute execute_no_trans };
allow glusterd_t lvm_lock_t:file create;
allow glusterd_t lvm_var_run_t:fifo_file { write read getattr open lock };
allow glusterd_t node_t:rawip_socket node_bind;
allow glusterd_t self:capability { sys_nice ipc_lock net_raw };
allow glusterd_t self:process setsched;
allow glusterd_t self:rawip_socket { bind create };
allow glusterd_t self:sem { unix_read write unix_write associate read destroy create };
allow glusterd_t ssh_keygen_exec_t:file { execute execute_no_trans };
allow glusterd_t var_run_t:sock_file { write unlink };
allow logrotate_t tty_device_t:chr_file getattr;
allow logrotate_t virt_cache_t:dir read;
##############

# rpm -qa |grep selinux
libselinux-python-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-271.el6.noarch
selinux-policy-targeted-3.7.19-271.el6.noarch
libselinux-utils-2.0.94-5.8.el6.x86_64
libselinux-2.0.94-5.8.el6.x86_64

Looks like most of the above issues are already addressed in the most recent versions of selinux-policy. So I would request you to update the policy to the latest [1] and re-run your tests and then update the BZ with the new logs. This will help us to quickly address the issues that are yet to be fixed.

[1] https://brewweb.devel.redhat.com/buildinfo?buildID=439684
Kasturi, any update on this?
Hi Sahina, I will run the regression tests on this when we have the build on the 22nd and mark this bug verified if I do not see any AVCs. Thanks, Kasturi.
I ran regression with the new build and the following are the AVCs seen.

#============= nrpe_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow nrpe_t kernel_t:system module_request;
allow nrpe_t self:capability kill;

#============= postfix_master_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_master_t kernel_t:system module_request;

#============= postfix_pickup_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_pickup_t kernel_t:system module_request;

#============= postfix_qmgr_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow postfix_qmgr_t kernel_t:system module_request;

#============= sendmail_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow sendmail_t kernel_t:system module_request;

#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

Version of selinux:

rpm -qa | grep selinux
libselinux-utils-2.0.94-5.8.el6.x86_64
selinux-policy-3.7.19-278.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
selinux-policy-targeted-3.7.19-278.el6.noarch
libselinux-python-2.0.94-5.8.el6.x86_64
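The audit2allow output in the comments above is triaged by hand: some rules carry a "#!!!! ... boolean '...'" hint, some are marked as already allowed by the current policy, and the rest need a policy fix (which in this bug was tracked as separate selinux-policy bugs). The following Python script is an added example, not part of this bug report or of the selinux-policy package; it parses that output format, sorts the rules into those three buckets, and renders the setsebool commands and a minimal .te module of the kind `audit2allow -M` would write. The SAMPLE text is a constructed subset of the rules pasted in the comment above, and the function names, the module name `local_rhsc` and the bucket names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit2allow output pasted in the comment above,
# including the "#!!!!" hints that audit2allow prints in front of some rules.
SAMPLE = """\
#============= nrpe_t ==============

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow nrpe_t kernel_t:system module_request;
allow nrpe_t self:capability kill;

#============= syslogd_t ==============
allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

#============= glusterd_t ==============

#!!!! This avc is allowed in the current policy
allow glusterd_t hostname_exec_t:file { execute execute_no_trans };
allow glusterd_t self:capability { sys_nice ipc_lock net_raw };
"""

# "allow <source> <target>:<class> <perm>;" or "allow <source> <target>:<class> { perm perm };"
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));$")
BOOL_RE = re.compile(r"boolean '([^']+)'")


def parse_audit2allow(text):
    """Parse audit2allow output into rule dicts, attaching the '#!!!!' hint that
    precedes each allow rule (a boolean name, or 'already allowed')."""
    rules = []
    pending_bool = None
    pending_allowed = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#!!!!"):
            m = BOOL_RE.search(line)
            if m:
                pending_bool = m.group(1)
            elif "allowed in the current policy" in line:
                pending_allowed = True
            continue
        if line.startswith("#"):
            continue  # "#============= domain ==============" headers and other comments
        m = ALLOW_RE.match(line)
        if not m:
            raise ValueError("unrecognised audit2allow line: " + line)
        source, target, tclass, multi, single = m.groups()
        perms = multi.split() if multi is not None else [single]
        rules.append({
            "source": source, "target": target, "tclass": tclass, "perms": perms,
            "boolean": pending_bool, "already_allowed": pending_allowed,
        })
        pending_bool, pending_allowed = None, False  # hints apply to the next rule only
    return rules


def triage(rules):
    """Group rules by the action a maintainer takes: flip a boolean, nothing
    (already allowed by the newer policy), or change the policy."""
    groups = {"setsebool": [], "already_allowed": [], "needs_policy_change": []}
    for r in rules:
        if r["boolean"]:
            groups["setsebool"].append(r)
        elif r["already_allowed"]:
            groups["already_allowed"].append(r)
        else:
            groups["needs_policy_change"].append(r)
    return groups


def setsebool_commands(rules):
    """One persistent 'setsebool -P' per distinct boolean named in the hints. A boolean such
    as domain_kernel_load_modules applies to every domain, not only the one in the AVC."""
    return ["setsebool -P %s on" % b for b in sorted({r["boolean"] for r in rules if r["boolean"]})]


def te_module(name, rules):
    """Render a minimal .te module (the shape 'audit2allow -M' writes) for the remaining rules.
    Local stop-gap only: this bug was resolved by moving to a newer selinux-policy build."""
    types = sorted({r["source"] for r in rules} | {r["target"] for r in rules if r["target"] != "self"})
    classes = defaultdict(set)
    for r in rules:
        classes[r["tclass"]].update(r["perms"])
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for r in rules:
        perms = r["perms"][0] if len(r["perms"]) == 1 else "{ %s }" % " ".join(r["perms"])
        out.append("allow %s %s:%s %s;" % (r["source"], r["target"], r["tclass"], perms))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    groups = triage(parse_audit2allow(SAMPLE))
    for cmd in setsebool_commands(groups["setsebool"]):
        print(cmd)
    print(te_module("local_rhsc", groups["needs_policy_change"]))
```

The split matters because the three buckets carry different risk: a boolean hint is audit2allow's guess and may widen access well beyond the failing program (domain_kernel_load_modules lets any confined domain trigger module auto-loading), a rule already in the current policy just means the test box is behind, and a generated local module should be read as a list of questions for the policy maintainers rather than installed on a production system.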
Stanislav, can you please cross check comment 8 and let me know if any AVC needs to be logged?
(In reply to RamaKasturi from comment #9)
> stanislav, can you please cross check comment 8 and let me know if any avc
> needs to be logged?

These AVC's should go away if you test it with the latest 'redhat-storage-server-3.1.0.1-1.el6rhs' build which has the fix for disabling ipv6 in the right way.

See https://bugzilla.redhat.com/show_bug.cgi?id=1234285
(In reply to RamaKasturi from comment #8)
> I ran regression with the new build and following are the avcs seen.
>
> #============= nrpe_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> allow nrpe_t kernel_t:system module_request;

Bug 1230206

> allow nrpe_t self:capability kill;

Bug 1235405 (not fixed yet)

>
> #============= postfix_master_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> allow postfix_master_t kernel_t:system module_request;

Bug 1230206

>
> #============= postfix_pickup_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> allow postfix_pickup_t kernel_t:system module_request;

Bug 1230206

>
> #============= postfix_qmgr_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> allow postfix_qmgr_t kernel_t:system module_request;

Bug 1230206

>
> #============= sendmail_t ==============
>
> #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
> allow sendmail_t kernel_t:system module_request;

Bug 1230206

>
> #============= syslogd_t ==============
> allow syslogd_t nagios_unconfined_plugin_exec_t:file execute;

Bug 1233547 (fixed in -279.el6 policy)

>
> Version of selinux:
>
> rpm -qa | grep selinux
> libselinux-utils-2.0.94-5.8.el6.x86_64
> selinux-policy-3.7.19-278.el6.noarch
> libselinux-2.0.94-5.8.el6.x86_64
> selinux-policy-targeted-3.7.19-278.el6.noarch
> libselinux-python-2.0.94-5.8.el6.x86_64

--> VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-1494.html