Bug 1259519 - SELinux alerts for audispd
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team

Reported: 2015-09-02 16:59 EDT by agilley
Modified: 2017-11-20 07:54 EST
Last Closed: 2015-11-11 11:16:19 EST
Type: Bug
Doc Type: Bug Fix


Attachments
- audispd AVD denial (18.25 MB, text/plain), 2015-09-02 17:07 EDT, agilley
- end of var/log/messages file that contains more information (15.00 MB, text/plain), 2015-09-02 17:08 EDT, agilley
- ps output (15.00 KB, text/plain), 2015-09-14 14:25 EDT, agilley

Description agilley 2015-09-02 16:59:08 EDT
Description of problem:
RHEL 6.5 systems are getting SELinux alerts for audispd.

Version-Release number of selected component (if applicable):
RHEL 6.5

How reproducible:
Reproducible on several systems.

Steps to Reproduce:
See attached files from customer.

Actual results:
AVC denial

Expected results:
No modification needed to SELinux policy.

Additional info:
See attached.
Comment 1 agilley 2015-09-02 17:07:19 EDT
Created attachment 1069596 [details]
audispd AVD denial
Comment 2 agilley 2015-09-02 17:08:38 EDT
Created attachment 1069597 [details]
end of var/log/messages file that contains more information
Comment 4 Milos Malik 2015-09-03 01:14:48 EDT
audispd tries to communicate with a process running as initrc_t. Is auditd running as initrc_t?

# ps -efZ | grep initrc_t
Comment 5 agilley 2015-09-14 14:24:16 EDT
auditd does not appear to be running as initrc_t.
Comment 6 agilley 2015-09-14 14:25:22 EDT
Created attachment 1073393 [details]
ps output
Comment 7 Milos Malik 2015-09-15 03:07:36 EDT
Based on the latest attachment, there are 2 syslog daemons running (syslog-ng and rsyslogd). syslog daemons usually listen on the /dev/log socket. I suspect that one of them is not running in the correct SELinux domain. Could you paste here the output of the following commands?

# fuser /dev/log

# ps -efZ | grep syslog
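The check asked for in comment 7 and comment 9 is to find which service was left in the generic initrc_t domain. The following script is an added illustration, not part of this bug report or the customer's attachments: it parses `ps -efZ` output (a constructed listing in which syslog-ng is still in initrc_t) and reports the processes in that domain and the SELinux type of each syslog daemon.

```python
from typing import Dict, List, Tuple

# Constructed `ps -efZ` listing for illustration; the SELinux context is the first column.
SAMPLE_PS_EFZ = """\
LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:auditd_t:s0   root      1234     1  0 08:00 ?        00:00:01 auditd
system_u:system_r:audisp_t:s0   root      1236  1234  0 08:00 ?        00:00:00 /sbin/audispd
system_u:system_r:syslogd_t:s0  root      1300     1  0 08:00 ?        00:00:02 /sbin/rsyslogd -i /var/run/syslogd.pid -c 5
system_u:system_r:initrc_t:s0   root      1410     1  0 08:01 ?        00:00:00 /usr/sbin/syslog-ng -F
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2000 1 0 08:05 pts/0 00:00:00 -bash
"""

def parse_ps_efz(text: str) -> List[Tuple[str, int, str]]:
    """Return (selinux_type, pid, cmd) for each process line.

    The context is user:role:type:level; the MLS level may itself contain
    ':' or '-' (e.g. s0-s0:c0.c1023), so the type is always the third field.
    """
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 8)             # LABEL UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 9:
            continue
        context, pid, cmd = parts[0], int(parts[2]), parts[8]
        fields = context.split(":")
        if len(fields) < 3:
            continue
        rows.append((fields[2], pid, cmd))
    return rows

def find_domain(text: str, domain: str = "initrc_t") -> List[Tuple[int, str]]:
    """Processes whose SELinux type is `domain`. A service left in initrc_t
    was started by an init script without a domain transition, so confined
    peers (here audisp_t) get AVC denials when they talk to it."""
    return [(pid, cmd) for typ, pid, cmd in parse_ps_efz(text) if typ == domain]

def syslog_daemons(text: str) -> Dict[str, str]:
    """Map each running syslog daemon (rsyslogd, syslog-ng) to its SELinux type."""
    out = {}
    for typ, pid, cmd in parse_ps_efz(text):
        exe = cmd.split()[0].rsplit("/", 1)[-1]
        if exe in ("rsyslogd", "syslog-ng"):
            out[exe] = typ
    return out

if __name__ == "__main__":
    for pid, cmd in find_domain(SAMPLE_PS_EFZ):
        print(f"initrc_t: pid {pid}: {cmd}")
    print(syslog_daemons(SAMPLE_PS_EFZ))
```

On a live RHEL 6 host, feed it the real listing (`ps -efZ`) instead of the constructed sample; a daemon reported in initrc_t is the one whose SELinux domain needs fixing rather than a reason to loosen the policy.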
Comment 8 agilley 2015-09-22 15:49:44 EDT
The customer has created a SELinux policy module to fix this. I have the full sosreport, but I am not sure if having him run those commands to get that information will be helpful at this point.

If it will still be beneficial I will get that information.
Comment 9 Miroslav Grepl 2015-10-05 02:30:18 EDT
(In reply to agilley from comment #8)
> The customer has created a SELinux policy module to fix this. I have the
> full sosreport but I am not sure if having him run those commands to get
> that information will be helpful at this point. 
> 
> If it will still be beneficial I will get that information.

Without that we are not able to identify which service is running in the initrc_t SELinux domain.
Comment 10 Miroslav Grepl 2015-11-11 11:16:19 EST
We will reopen it if we get requested info. Thank you.