Bug 1230300 - SELinux AVC denials while restarting Admin Server from Console
Summary: SELinux AVC denials while restarting Admin Server from Console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Patrik Kis
Docs Contact: Tomas Capek
URL:
Whiteboard:
Depends On:
Blocks: 1232171
Reported: 2015-06-10 15:05 UTC by Viktor Ashirov
Modified: 2015-11-19 10:36 UTC (History)
CC List: 10 users

Fixed In Version: selinux-policy-3.13.1-52.el7
Doc Type: Known Issue
Doc Text:
Due to a bug in the SELinux policy, Admin server fails to restart remotely from console in Enforcing mode. To work around this problem, you can restart the server in Permissive mode or define a custom SELinux policy to allow access for the Admin server. Instructions on how to create the custom policy are included in details of AVC denial messages in the sealert utility.
Clone Of:
: 1232171 (view as bug list)
Environment:
Last Closed: 2015-11-19 10:36:20 UTC
Target Upstream Version:
Embargoed:

Links
System ID: Red Hat Product Errata RHBA-2015:2300
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2015-11-19 09:55:26 UTC

Description Viktor Ashirov 2015-06-10 15:05:25 UTC
SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dirsrvadmin_script_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bash-4.2.46-12.el7.x86_64
Target RPM Packages           setup-2.8.71-5.el7.noarch
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-10-40-5-83.brq.redhat.com
Platform                      Linux dhcp-10-40-5-83.brq.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-06-10 16:40:35 CEST
Last Seen                     2015-06-10 16:40:59 CEST
Local ID                      b5cb0cb2-2ad6-43c6-91fe-720fc7699d00

Raw Audit Messages
type=AVC msg=audit(1433947259.889:553): avc:  denied  { read } for  pid=12175 comm="sh" name="passwd" dev="dm-1" ino=20366749 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1433947259.889:553): arch=x86_64 syscall=open success=no exit=EACCES a0=7f92e77aed8a a1=80000 a2=1b6 a3=0 items=0 ppid=12174 pid=12175 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null)

Hash: sh,dirsrvadmin_script_t,passwd_file_t,file,read




SELinux is preventing /usr/bin/systemctl from search access on the directory 1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed search access on the 1 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dirsrvadmin_script_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                1 [ dir ]
Source                        systemctl
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-208-20.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-10-40-5-83.brq.redhat.com
Platform                      Linux dhcp-10-40-5-83.brq.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-06-10 16:40:35 CEST
Last Seen                     2015-06-10 16:40:59 CEST
Local ID                      f9268623-8d7c-49ce-a78c-1033fd97297f

Raw Audit Messages
type=AVC msg=audit(1433947259.902:557): avc:  denied  { search } for  pid=12175 comm="systemctl" name="1" dev="proc" ino=6410 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir


type=SYSCALL msg=audit(1433947259.902:557): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fa0409e7018 a1=7fff487350c0 a2=7fff487350c0 a3=7fa03f510050 items=0 ppid=12174 pid=12175 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null)

Hash: systemctl,dirsrvadmin_script_t,init_t,dir,search





SELinux is preventing /usr/bin/systemctl from getattr access on the directory /run/systemd/system.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed getattr access on the system directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemctl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dirsrvadmin_script_t:s0
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                /run/systemd/system [ dir ]
Source                        systemctl
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           systemd-208-20.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-10-40-5-83.brq.redhat.com
Platform                      Linux dhcp-10-40-5-83.brq.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-06-10 16:40:35 CEST
Last Seen                     2015-06-10 16:40:59 CEST
Local ID                      a389048e-d053-4f1c-94f4-d84f00144a2c

Raw Audit Messages
type=AVC msg=audit(1433947259.902:556): avc:  denied  { getattr } for  pid=12175 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=6434 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir


type=SYSCALL msg=audit(1433947259.902:556): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7fa04057dc21 a1=7fff48735150 a2=7fff48735150 a3=0 items=0 ppid=12174 pid=12175 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null)

Hash: systemctl,dirsrvadmin_script_t,systemd_unit_file_t,dir,getattr




SELinux is preventing /usr/lib64/dirsrv/cgi-bin/statusping from getattr access on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that statusping should be allowed getattr access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep statusping /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dirsrvadmin_script_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        statusping
Source Path                   /usr/lib64/dirsrv/cgi-bin/statusping
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           389-admin-1.1.42-1.el7dsrv.x86_64
Target RPM Packages           setup-2.8.71-5.el7.noarch
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-10-40-5-83.brq.redhat.com
Platform                      Linux dhcp-10-40-5-83.brq.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   338
First Seen                    2015-06-10 16:40:33 CEST
Last Seen                     2015-06-10 16:55:44 CEST
Local ID                      4e82e428-5166-445c-be20-33b8199f7e39

Raw Audit Messages
type=AVC msg=audit(1433948144.491:898): avc:  denied  { getattr } for  pid=16253 comm="statusping" path="/etc/passwd" dev="dm-1" ino=20366749 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1433948144.491:898): arch=x86_64 syscall=stat success=no exit=EACCES a0=7ffa07b9e9f8 a1=7fffc18413c0 a2=7fffc18413c0 a3=0 items=0 ppid=11709 pid=16253 auid=4294967295 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=4294967295 comm=statusping exe=/usr/lib64/dirsrv/cgi-bin/statusping subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null)

Hash: statusping,dirsrvadmin_script_t,passwd_file_t,file,getattr

Comment 1 Viktor Ashirov 2015-06-10 15:08:20 UTC
Steps to reproduce:
1. Install redhat-ds
2. Setup Admin Server using setup-ds-admin.pl
3. Run redhat-idm-console
4. Open Administration Server, press Restart button

Actual results:
Restart is not successful, since SELinux denies access to some files. 

Expected results:
Restart should be successful

Comment 10 Patrik Kis 2015-09-18 12:46:44 UTC
AVC denials in Permissive mode:

----
type=SYSCALL msg=audit(09/18/2015 08:36:08.249:161) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ff455930a78 a1=0x7fff17c6d250 a2=0x7fff17c6d250 a3=0x55fc0538 items=0 ppid=31567 pid=31643 auid=unset uid=nobody gid=nobody euid=nobody suid=nobody fsuid=nobody egid=nobody sgid=nobody fsgid=nobody tty=(none) ses=unset comm=statusping exe=/usr/lib64/dirsrv/cgi-bin/statusping subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:08.249:161) : avc:  denied  { getattr } for  pid=31643 comm=statusping path=/etc/passwd dev="dm-0" ino=136115034 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/18/2015 08:36:08.249:162) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7ff455930a78 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=31567 pid=31643 auid=unset uid=nobody gid=nobody euid=nobody suid=nobody fsuid=nobody egid=nobody sgid=nobody fsgid=nobody tty=(none) ses=unset comm=statusping exe=/usr/lib64/dirsrv/cgi-bin/statusping subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:08.249:162) : avc:  denied  { open } for  pid=31643 comm=statusping path=/etc/passwd dev="dm-0" ino=136115034 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 
type=AVC msg=audit(09/18/2015 08:36:08.249:162) : avc:  denied  { read } for  pid=31643 comm=statusping name=passwd dev="dm-0" ino=136115034 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 
----
type=USER_AVC msg=audit(09/18/2015 08:36:12.637:171) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/18/2015 08:36:12.637:172) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/dirsrv-admin.service cmdline="/bin/systemctl restart dirsrv-admin.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(09/18/2015 08:36:12.641:173) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=root uid=root gid=root path=/usr/lib/systemd/system/dirsrv-admin.service cmdline="/bin/systemctl restart dirsrv-admin.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.619:164) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffdaa17de20 a2=0x7ffdaa17de20 a3=0x0 items=0 ppid=31566 pid=31645 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=restartsrv exe=/usr/lib64/dirsrv/cgi-bin/restartsrv subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.619:164) : avc:  denied  { getattr } for  pid=31645 comm=restartsrv path=/run/dirsrv/admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.631:165) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffc9f81d010 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=31647 pid=31648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.631:165) : avc:  denied  { open } for  pid=31648 comm=systemctl path=/proc/1/environ dev="proc" ino=9418 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file 
type=AVC msg=audit(09/18/2015 08:36:12.631:165) : avc:  denied  { read } for  pid=31648 comm=systemctl name=environ dev="proc" ino=9418 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file 
type=AVC msg=audit(09/18/2015 08:36:12.631:165) : avc:  denied  { search } for  pid=31648 comm=systemctl name=1 dev="proc" ino=9217 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.619:163) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffdaa17dfb0 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=31566 pid=31645 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=restartsrv exe=/usr/lib64/dirsrv/cgi-bin/restartsrv subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.619:163) : avc:  denied  { open } for  pid=31645 comm=restartsrv path=/run/dirsrv/admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file 
type=AVC msg=audit(09/18/2015 08:36:12.619:163) : avc:  denied  { read } for  pid=31645 comm=restartsrv name=admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.632:166) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffc9f81cf00 a2=0x7ffc9f81cf00 a3=0x0 items=0 ppid=31647 pid=31648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.632:166) : avc:  denied  { getattr } for  pid=31648 comm=systemctl path=/proc/1/environ dev="proc" ino=9418 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.632:167) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7f512873ac74 a1=0x7ffc9f81d740 a2=0x7ffc9f81d740 a3=0x0 items=0 ppid=31647 pid=31648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.632:167) : avc:  denied  { read } for  pid=31648 comm=systemctl name=root dev="proc" ino=9243 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.632:168) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7f51287381cf a1=0x7ffc9f81d7d0 a2=0x7ffc9f81d7d0 a3=0x0 items=0 ppid=31647 pid=31648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.632:168) : avc:  denied  { getattr } for  pid=31648 comm=systemctl path=/run/systemd/system dev="tmpfs" ino=9240 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.632:169) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=SOL_SOCKET a2=SO_RCVBUFFORCE a3=0x7ffc9f81d5a0 items=0 ppid=31647 pid=31648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.632:169) : avc:  denied  { net_admin } for  pid=31648 comm=systemctl capability=net_admin  scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:dirsrvadmin_script_t:s0 tclass=capability 
----
type=SYSCALL msg=audit(09/18/2015 08:36:12.632:170) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f5129806148 a2=0x16 a3=0x7ffc9f81d560 items=0 ppid=31647 pid=31648 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.632:170) : avc:  denied  { connectto } for  pid=31648 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(09/18/2015 08:36:12.632:170) : avc:  denied  { write } for  pid=31648 comm=systemctl name=private dev="tmpfs" ino=53310 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
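
The sealert output in the description tells the user to pipe the denials through audit2allow -M, and comment 10 above collects the full set of denials in Permissive mode. The script below is an added example (not the reporter's or Red Hat's code) that does the audit2allow step by hand: it parses both record formats shown on this page (raw audit.log lines from the description, ausearch -i style lines from comment 10, including the avc text nested in USER_AVC records), reproduces the "Hash:" key sealert prints, merges the denials by source type, target type and object class, and renders the Type Enforcement module they imply. The audit lines embedded in SAMPLE_AUDIT are copied from the description and from comment 10; the module name dirsrvadmin_local and the helper names are assumptions of this example.

```python
"""Aggregate SELinux AVC denials into the allow rules a local policy module
would need, roughly what the audit2allow -M step quoted in the description does.
Added example for this bug page, not the reporter's or Red Hat's code.
SAMPLE_AUDIT is copied from the description (raw audit.log records, enforcing
mode) and from comment 10 (ausearch -i style records, permissive mode); the
parsing, aggregation and rendering are illustrative."""
import re
from collections import defaultdict

SAMPLE_AUDIT = """
type=AVC msg=audit(1433947259.889:553): avc:  denied  { read } for  pid=12175 comm="sh" name="passwd" dev="dm-1" ino=20366749 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1433947259.902:557): avc:  denied  { search } for  pid=12175 comm="systemctl" name="1" dev="proc" ino=6410 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(1433947259.902:556): avc:  denied  { getattr } for  pid=12175 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=6434 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
type=AVC msg=audit(1433948144.491:898): avc:  denied  { getattr } for  pid=16253 comm="statusping" path="/etc/passwd" dev="dm-1" ino=20366749 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:08.249:161) : avc:  denied  { getattr } for  pid=31643 comm=statusping path=/etc/passwd dev="dm-0" ino=136115034 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:08.249:162) : avc:  denied  { open } for  pid=31643 comm=statusping path=/etc/passwd dev="dm-0" ino=136115034 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:08.249:162) : avc:  denied  { read } for  pid=31643 comm=statusping name=passwd dev="dm-0" ino=136115034 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=USER_AVC msg=audit(09/18/2015 08:36:12.637:171) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(09/18/2015 08:36:12.637:172) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=root uid=root gid=root path=/usr/lib/systemd/system/dirsrv-admin.service cmdline="/bin/systemctl restart dirsrv-admin.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(09/18/2015 08:36:12.641:173) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=root uid=root gid=root path=/usr/lib/systemd/system/dirsrv-admin.service cmdline="/bin/systemctl restart dirsrv-admin.service" scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
type=AVC msg=audit(09/18/2015 08:36:12.631:165) : avc:  denied  { open } for  pid=31648 comm=systemctl path=/proc/1/environ dev="proc" ino=9418 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:12.631:165) : avc:  denied  { read } for  pid=31648 comm=systemctl name=environ dev="proc" ino=9418 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:12.631:165) : avc:  denied  { search } for  pid=31648 comm=systemctl name=1 dev="proc" ino=9217 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir
type=AVC msg=audit(09/18/2015 08:36:12.619:163) : avc:  denied  { open } for  pid=31645 comm=restartsrv path=/run/dirsrv/admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:12.619:163) : avc:  denied  { read } for  pid=31645 comm=restartsrv name=admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(09/18/2015 08:36:12.632:167) : avc:  denied  { read } for  pid=31648 comm=systemctl name=root dev="proc" ino=9243 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file
type=AVC msg=audit(09/18/2015 08:36:12.632:168) : avc:  denied  { getattr } for  pid=31648 comm=systemctl path=/run/systemd/system dev="tmpfs" ino=9240 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
type=AVC msg=audit(09/18/2015 08:36:12.632:169) : avc:  denied  { net_admin } for  pid=31648 comm=systemctl capability=net_admin  scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:dirsrvadmin_script_t:s0 tclass=capability
type=AVC msg=audit(09/18/2015 08:36:12.632:170) : avc:  denied  { connectto } for  pid=31648 comm=systemctl path=/run/systemd/private scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(09/18/2015 08:36:12.632:170) : avc:  denied  { write } for  pid=31648 comm=systemctl name=private dev="tmpfs" ino=53310 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
"""

# The avc body looks the same in AVC records and inside a USER_AVC msg='...' field.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be quoted and contain spaces (cmdline="...").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type:range -> type (index 2 also holds for MLS ranges)."""
    return context.split(":")[2]


def parse_denials(lines):
    """One dict per denied AVC; SYSCALL records and non-denial USER_AVC
    notices such as the setenforce notice are skipped."""
    denials = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append({
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm", "?"),
            "stype": type_of(fields["scontext"]),
            "ttype": type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "target": fields.get("path") or fields.get("name") or fields.get("capability", ""),
        })
    return denials


def sealert_key(denial):
    """comm,source type,target type,class,perm: the 'Hash:' line sealert prints."""
    return ",".join([denial["comm"], denial["stype"], denial["ttype"],
                     denial["tclass"], ",".join(sorted(denial["perms"]))])


def allow_rules(denials):
    """Merge denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te(rules, module="dirsrvadmin_local", version="1.0"):
    """Render the rules as Type Enforcement (.te) module source."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # audit2allow writes self here
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT.splitlines())
    print(render_te(allow_rules(denials)))
```

Two things the output makes visible. First, the Enforcing-mode records in the description show only the first access that failed per process (read on /etc/passwd, search on /proc/1), while the Permissive-mode collection in comment 10 shows the whole chain (getattr, open, read), which is why the full set was gathered in Permissive mode before the policy was fixed. Second, the merged rules are what a blindly installed audit2allow module would grant: besides the passwd read, dirsrvadmin_script_t would get connectto on init_t's unix_stream_socket, the net_admin capability and read on httpd_var_run_t. That breadth is exactly why comment 11 asks whether the pid file should be relabeled rather than the script domain widened; review each rendered rule against the domain's intended job before loading anything with semodule -i.
<test>
denials = parse_denials(SAMPLE_AUDIT.splitlines())
assert len(denials) == 19
assert sealert_key(denials[0]) == "sh,dirsrvadmin_script_t,passwd_file_t,file,read"
assert sealert_key(denials[1]) == "systemctl,dirsrvadmin_script_t,init_t,dir,search"
assert sealert_key(denials[2]) == "systemctl,dirsrvadmin_script_t,systemd_unit_file_t,dir,getattr"
assert sealert_key(denials[3]) == "statusping,dirsrvadmin_script_t,passwd_file_t,file,getattr"
assert denials[2]["target"] == "/run/systemd/system"
rules = allow_rules(denials)
assert len(rules) == 10
assert rules[("dirsrvadmin_script_t", "passwd_file_t", "file")] == {"getattr", "open", "read"}
assert rules[("dirsrvadmin_script_t", "init_t", "file")] == {"open", "read"}
assert rules[("dirsrvadmin_script_t", "systemd_unit_file_t", "service")] == {"start", "status"}
assert rules[("dirsrvadmin_script_t", "dirsrvadmin_script_t", "capability")] == {"net_admin"}
assert rules[("dirsrvadmin_script_t", "init_var_run_t", "sock_file")] == {"write"}
te = render_te(rules)
assert te.startswith("module dirsrvadmin_local 1.0;\n\nrequire {\n")
assert "\tclass service { start status };" in te
assert "allow dirsrvadmin_script_t passwd_file_t:file { getattr open read };" in te
assert "allow dirsrvadmin_script_t self:capability { net_admin };" in te
assert "allow dirsrvadmin_script_t init_t:unix_stream_socket { connectto };" in te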

Comment 11 Lukas Vrabec 2015-09-18 15:09:27 UTC
type=SYSCALL msg=audit(09/18/2015 08:36:12.619:163) : arch=x86_64 syscall=open success=yes exit=4 a0=0x7ffdaa17dfb0 a1=O_RDONLY a2=0x1b6 a3=0x24 items=0 ppid=31566 pid=31645 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=restartsrv exe=/usr/lib64/dirsrv/cgi-bin/restartsrv subj=system_u:system_r:dirsrvadmin_script_t:s0 key=(null) 
type=AVC msg=audit(09/18/2015 08:36:12.619:163) : avc:  denied  { open } for  pid=31645 comm=restartsrv path=/run/dirsrv/admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file 
type=AVC msg=audit(09/18/2015 08:36:12.619:163) : avc:  denied  { read } for  pid=31645 comm=restartsrv name=admin-serv.pid dev="tmpfs" ino=85762 scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file 

Which daemon is creating the "/run/dirsrv/admin-serv.pid" file? I would say this should be labeled as dirsrvadmin_var_run_t and httpd_t should read/manage this file. I don't want to allow dirsrvadmin_script_t to read httpd_var_run_t.

Thank you!

Comment 12 Viktor Ashirov 2015-09-18 15:16:53 UTC
I believe this is done by systemd: https://git.fedorahosted.org/cgit/389/admin.git/tree/wrappers/systemd.service.in#n12

Comment 13 Viktor Ashirov 2015-09-18 15:23:24 UTC
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1230240

Comment 14 Miroslav Grepl 2015-09-18 18:08:18 UTC
Lukas,
we have

/var/log/dirsrv/admin-serv(/.*)?    gen_context(system_u:object_r:httpd_log_t,s0)
/var/run/dirsrv/admin-serv.*    gen_context(system_u:object_r:httpd_var_run_t,s0)

in the policy. Do you think it is wrong? It makes sense to me because of

[Service]
Type=forking
PIDFile=@localstatedir@/run/@PACKAGE_BASE_NAME@/admin-serv.pid
# to set the kerberos keytab
# Environment=KRB5_KTNAME=@instconfigdir@/myname.keytab
EnvironmentFile=@initconfigdir@/@package_name@
ExecStart=@HTTPD@ -k start -f @configdir@/httpd.conf


We might want to think about filename transition rules but I believe we want to allow it for RHEL-7.2.
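
The file_contexts entries quoted in comment 14 settle whether /run/dirsrv/admin-serv.pid is mislabeled or labeled as the policy intends: if the tcontext in the denial equals the type file_contexts assigns the path, restorecon changes nothing and the fix has to be a policy change (a new rule or a new fcontext entry, as the comment concludes). The script below is an added example (not Red Hat's code) that resolves a path against those two entries the way matchpathcon does and applies that check to the restartsrv denial from comment 10. FILE_CONTEXTS is copied from comment 14; SUBS stands in for file_contexts.subs_dist (that it maps /run to /var/run on RHEL 7 is an assumption of this example), last match wins among the entries (an assumption for this toy ordering), AVC_COMMENT10 is copied from comment 10 and AVC_MISLABELED is a constructed counterexample.

```python
"""Resolve a path to the SELinux file type that file_contexts assigns it, the
way matchpathcon/setfiles do, and check an AVC record's tcontext against it.
Added example for this bug page, not Red Hat's code.  FILE_CONTEXTS holds the
two entries quoted in comment 14; SUBS stands in for file_contexts.subs_dist
(that it maps /run to /var/run on RHEL 7 is an assumption); AVC_COMMENT10 is
copied from comment 10 and AVC_MISLABELED is a constructed record."""
import re

# (regex, type) pairs as written in the policy's file_contexts (comment 14).
FILE_CONTEXTS = [
    (r"/var/log/dirsrv/admin-serv(/.*)?", "httpd_log_t"),
    (r"/var/run/dirsrv/admin-serv.*", "httpd_var_run_t"),
]
# Prefix substitutions applied before matching (assumed subs_dist content).
SUBS = [("/run", "/var/run")]

AVC_COMMENT10 = ('type=AVC msg=audit(09/18/2015 08:36:12.619:164) : avc:  denied  { getattr } for  '
                 'pid=31645 comm=restartsrv path=/run/dirsrv/admin-serv.pid dev="tmpfs" ino=85762 '
                 'scontext=system_u:system_r:dirsrvadmin_script_t:s0 '
                 'tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file')
# Constructed: same access, but the pid file carries a type the policy does not assign it.
AVC_MISLABELED = AVC_COMMENT10.replace("httpd_var_run_t", "var_run_t")


def substitute(path, subs=SUBS):
    """Rewrite a path prefix as file_contexts.subs_dist would (/run -> /var/run)."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def match_fcontext(path, entries=FILE_CONTEXTS):
    """Type of the last entry whose regex matches the whole substituted path
    (file_contexts regexes are implicitly anchored), or None if none applies.
    Last match wins here; the real lookup orders entries by specificity."""
    path = substitute(path)
    found = None
    for pattern, ftype in entries:
        if re.fullmatch(pattern, path):
            found = ftype
    return found


AVC_PATH_RE = re.compile(r'path="?(?P<path>[^\s"]+)"?.*tcontext=(?P<ctx>\S+)')


def label_matches_policy(avc_line):
    """True when the tcontext type in an AVC record is the one file_contexts
    assigns its path (restorecon would change nothing, so a policy change is
    needed); False when the file is simply mislabeled; None when the record
    has no path or the path matches none of the entries."""
    m = AVC_PATH_RE.search(avc_line)
    if not m:
        return None
    expected = match_fcontext(m.group("path"))
    if expected is None:
        return None
    return m.group("ctx").split(":")[2] == expected
```

For the restartsrv denial the check returns True: the pid file is httpd_var_run_t because the policy says so (and because httpd, started via the PIDFile= line in the unit template, writes it), so relabeling the live file would not help and the choice is between a dedicated type with its own fcontext entry and filename transition (comment 11) and allowing dirsrvadmin_script_t to read httpd_var_run_t (comment 14, what shipped for RHEL 7.2). The constructed counterexample returns False, the case where restorecon -v on the path is the whole fix.
<test>
assert substitute("/run/dirsrv/admin-serv.pid") == "/var/run/dirsrv/admin-serv.pid"
assert substitute("/run") == "/var/run"
assert substitute("/running/x") == "/running/x"
assert match_fcontext("/run/dirsrv/admin-serv.pid") == "httpd_var_run_t"
assert match_fcontext("/var/run/dirsrv/admin-serv.pid") == "httpd_var_run_t"
assert match_fcontext("/var/log/dirsrv/admin-serv") == "httpd_log_t"
assert match_fcontext("/var/log/dirsrv/admin-serv/error") == "httpd_log_t"
assert match_fcontext("/run/dirsrv/slapd-example.pid") is None
assert label_matches_policy(AVC_COMMENT10) is True
assert label_matches_policy(AVC_MISLABELED) is False
assert label_matches_policy("avc:  denied  { net_admin } for  pid=31648 comm=systemctl capability=net_admin  scontext=system_u:system_r:dirsrvadmin_script_t:s0 tcontext=system_u:system_r:dirsrvadmin_script_t:s0 tclass=capability") is None
assert label_matches_policy("avc:  denied  { getattr } for  pid=1 comm=x path=/run/dirsrv/slapd-example.pid scontext=a:b:c:s0 tcontext=system_u:object_r:dirsrv_var_run_t:s0 tclass=file") is None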

Comment 18 errata-xmlrpc 2015-11-19 10:36:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

