Bug 1349058 - avc: denied { open | read | write } comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" generated after starting ipmievd service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-22 15:42 UTC by Rachel Sibley
Modified: 2016-11-04 02:32 UTC
CC: 8 users

Fixed In Version: selinux-policy-3.13.1-93.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:32:23 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links:
System: Red Hat Product Errata
ID: RHBA-2016:2283
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2016-11-03 13:36:25 UTC

Description Rachel Sibley 2016-06-22 15:42:22 UTC
Description of problem:
AVC denied errors are generated when starting the ipmievd service.

Version-Release number of selected component (if applicable):
# rpm -q ipmitool
ipmitool-1.8.15-7.el7.x86_64
# rpm -q OpenIPMI
OpenIPMI-2.0.19-15.el7.x86_64
# uname -r
3.10.0-442.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install ipmitool OpenIPMI
2. systemctl start ipmievd
3. tail /var/log/audit/audit.log


Actual results:

type=AVC msg=audit(1466608886.490:287): avc:  denied  { read write } for  pid=19878 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1466608886.490:287): avc:  denied  { open } for  pid=19878 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1466608886.490:287): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0e0a5460 a1=2 a2=0 a3=0 items=0 ppid=1 pid=19878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmievd" exe="/usr/sbin/ipmievd" subj=system_u:system_r:ipmievd_t:s0 key=(null)
type=AVC msg=audit(1466608886.490:288): avc:  denied  { ioctl } for  pid=19878 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Expected results:
no avc denied errors

Additional info:

Comment 2 Miroslav Grepl 2016-06-29 08:15:28 UTC
What is a label for /dev/ipmi0?

# ls -Z /dev/ipmi0

Comment 3 Rachel Sibley 2016-06-29 14:30:04 UTC
Hi Miroslav, information is provided below:

~]# uname -r
3.10.0-442.el7.x86_64

~]#  ls -Z /dev/ipmi0
crw-------. root root system_u:object_r:ipmi_device_t:s0 /dev/ipmi0

Comment 4 Lukas Vrabec 2016-07-11 11:35:46 UTC

*** This bug has been marked as a duplicate of bug 1083031 ***

Comment 5 Rachel Sibley 2016-07-15 14:56:55 UTC
I'm not sure if this is the same issue as bug 1083031? I'm still seeing avc denied failures when starting ipmievd with selinux-policy-3.13.1-85.el7:

# rpm -q selinux-policy
selinux-policy-3.13.1-85.el7.noarch

# systemctl start ipmievd

# grep denied audit.log 
type=AVC msg=audit(1468593240.028:107): avc:  denied  { read write } for  pid=16201 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:107): avc:  denied  { open } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:108): avc:  denied  { ioctl } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

# ps -efZ | grep ipmievd
system_u:system_r:ipmievd_t:s0  root     16202     1  0 10:33 ?        00:00:00 /usr/sbin/ipmievd sel daemon pidfile=/var/run/ipmievd.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16209 16122  0 10:46 pts/0 00:00:00 grep --color=auto ipmievd

Comment 6 Lukas Vrabec 2016-07-18 08:29:39 UTC
Hi Rachel, 

The problem here is that you have a mislabeled /dev/ipmi0 on your system.
This is output of my system:

[root@rhel7-virt ~]# matchpathcon /dev/ipmi0
/dev/ipmi0	system_u:object_r:ipmi_device_t:s0

[root@rhel7-virt ~]# rpm -q selinux-policy
selinux-policy-3.13.1-88.el7.noarch

Please, could you run restorecon to fix labels on your system and try to reproduce the issue? 

# restorecon -Rv /dev

Comment 7 Lukas Vrabec 2016-07-18 10:24:18 UTC

*** This bug has been marked as a duplicate of bug 1083031 ***

Comment 9 Rachel Sibley 2016-08-04 19:04:28 UTC
Reopening as this is still causing my tests to fail, I have even removed the audit log and rebooted, yet still seeing the failures with the latest selinux-policy.

[root@dell-pet610-01 audit]# rpm -q selinux-policy
selinux-policy-3.13.1-92.el7.noarch
[root@dell-pet610-01 audit]# grep -r denied audit.log 
[root@dell-pet610-01 audit]# 
[root@dell-pet610-01 audit]# systemctl start ipmi
[root@dell-pet610-01 audit]# systemctl start ipmievd
[root@dell-pet610-01 audit]# grep -r denied audit.log 
type=AVC msg=audit(1470337273.996:81): avc:  denied  { read write } for  pid=2657 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:81): avc:  denied  { open } for  pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:82): avc:  denied  { ioctl } for  pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Comment 15 Rachel Sibley 2016-08-16 14:52:35 UTC
Hi Milos, unfortunately I'm seeing even more failures than before.

# rpm -q selinux-policy
selinux-policy-3.13.1-93.el7.noarch

# grep -r denied audit.log 
#

# systemctl start ipmi

# systemctl start ipmievd

# grep -r denied audit.log 
type=AVC msg=audit(1471358658.638:84): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:84): avc:  denied  { open } for  pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:85): avc:  denied  { getattr } for  pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc:  denied  { open } for  pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:87): avc:  denied  { getattr } for  pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:88): avc:  denied  { execute } for  pid=11531 comm="openipmi-helper" name="uname" dev="dm-0" ino=67253286 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:89): avc:  denied  { execute } for  pid=11532 comm="openipmi-helper" name="cut" dev="dm-0" ino=67253209 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:90): avc:  denied  { execute_no_trans } for  pid=11531 comm="openipmi-helper" path="/usr/bin/uname" dev="dm-0" ino=67253286 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:91): avc:  denied  { getattr } for  pid=11529 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:92): avc:  denied  { execute } for  pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:93): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc:  denied  { open } for  pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc:  denied  { execute_no_trans } for  pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:95): avc:  denied  { getattr } for  pid=11533 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:96): avc:  denied  { read } for  pid=11533 comm="modprobe" name="modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:96): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:97): avc:  denied  { getattr } for  pid=11533 comm="modprobe" path="/etc/modprobe.d/lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:98): avc:  denied  { read } for  pid=11533 comm="modprobe" name="lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:98): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/etc/modprobe.d/lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:99): avc:  denied  { search } for  pid=11533 comm="modprobe" name="modules" dev="dm-0" ino=101279051 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:99): avc:  denied  { read } for  pid=11533 comm="modprobe" name="modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:99): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/usr/lib/modules/3.10.0-492.el7.x86_64/modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:100): avc:  denied  { getattr } for  pid=11533 comm="modprobe" path="/usr/lib/modules/3.10.0-492.el7.x86_64/modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:101): avc:  denied  { read } for  pid=11533 comm="modprobe" name="initstate" dev="sysfs" ino=21105 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:101): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/sys/module/ipmi_msghandler/initstate" dev="sysfs" ino=21105 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1471358658.647:102): avc:  denied  { read } for  pid=11534 comm="lsmod" name="intel_powerclamp" dev="sysfs" ino=22565 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc:  denied  { read } for  pid=11547 comm="touch" name="lock" dev="dm-0" ino=205 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1471358658.665:103): avc:  denied  { write } for  pid=11547 comm="touch" name="subsys" dev="tmpfs" ino=14083 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc:  denied  { add_name } for  pid=11547 comm="touch" name="ipmi" scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc:  denied  { create } for  pid=11547 comm="touch" name="ipmi" scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1471358658.665:103): avc:  denied  { write open } for  pid=11547 comm="touch" path="/run/lock/subsys/ipmi" dev="tmpfs" ino=36008 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

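Comment 6 draws the distinction that matters when reading these denials: on the /dev/ipmi0 lines the tcontext is device_t while matchpathcon says the file should be ipmi_device_t, so the object is mislabeled and the fix is restorecon, not a policy change; the denials in comment 15 hit correctly labeled targets (passwd_file_t, insmod_exec_t, modules_object_t and so on), which is a genuine policy gap. The following Python script is an added example and not part of this report or of selinux-policy. It parses AVC records, recovers the path for records that only carry name= by matching the (dev, ino) pair against records in the same log that did carry path=, compares the target type with the expected label, and aggregates the remaining denials into candidate allow rules the way audit2allow does. The embedded log lines are copied from comments 5 and 15 and the original description of this report; the expected label for /dev/ipmi0 is taken from comment 6, while the /etc/passwd and /usr/bin/kmod entries are assumptions standing in for matchpathcon output on the host being analysed.

```python
import re
from collections import defaultdict

# Audit records taken from this report: the three /dev/ipmi0 denials are from
# comment 5, the /etc/passwd and /usr/bin/kmod denials from comment 15, and the
# SYSCALL record from the original description (it is skipped by the parser).
AUDIT_LOG = """\
type=AVC msg=audit(1468593240.028:107): avc:  denied  { read write } for  pid=16201 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:107): avc:  denied  { open } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:108): avc:  denied  { ioctl } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1471358658.638:86): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc:  denied  { open } for  pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:92): avc:  denied  { execute } for  pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc:  denied  { execute_no_trans } for  pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1466608886.490:287): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0e0a5460 a1=2 a2=0 a3=0 items=0 ppid=1 pid=19878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmievd" exe="/usr/sbin/ipmievd" subj=system_u:system_r:ipmievd_t:s0 key=(null)
"""

# Expected file labels, i.e. what `matchpathcon <path>` reports. /dev/ipmi0 is
# taken from comment 6 of this report; the other two are assumptions standing in
# for matchpathcon output and must be regenerated on the host being analysed.
EXPECTED_TYPE = {
    "/dev/ipmi0": "ipmi_device_t",
    "/etc/passwd": "passwd_file_t",    # assumed
    "/usr/bin/kmod": "insmod_exec_t",  # assumed
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "path": fields.get("path"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "tclass": fields["tclass"],
        # a context is user:role:type:level; the type is what policy rules use
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }


def resolve_paths(records):
    """Fill in the path for records that only carry name=, using the (dev, ino)
    pair of records in the same log that did carry the full path."""
    by_inode = {(r["dev"], r["ino"]): r["path"] for r in records if r["path"]}
    for r in records:
        if r["path"] is None:
            r["path"] = by_inode.get((r["dev"], r["ino"]))
    return records


def classify(rec, expected=EXPECTED_TYPE):
    """Mislabeled object (fix with restorecon) versus a real policy gap."""
    want = expected.get(rec["path"])
    if want is None:
        return "unknown"
    return "mislabel" if want != rec["ttype"] else "policy_gap"


def candidate_rules(records):
    """Aggregate permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def format_rule(key, perms):
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def triage(log_text):
    """Parse a log, then report which paths need relabeling and which denials need policy."""
    records = resolve_paths([r for r in map(parse_avc, log_text.splitlines()) if r])
    relabel = sorted({r["path"] for r in records if classify(r) == "mislabel"})
    gaps = candidate_rules([r for r in records if classify(r) == "policy_gap"])
    return relabel, gaps


if __name__ == "__main__":
    relabel, gaps = triage(AUDIT_LOG)
    for path in relabel:
        print("mislabeled, run: restorecon -v %s" % path)
    for key, perms in sorted(gaps.items()):
        print("policy gap:", format_rule(key, perms))
```

On a real host, replace AUDIT_LOG with the contents of /var/log/audit/audit.log and rebuild EXPECTED_TYPE from `matchpathcon` for each path that appears. The generated allow rules are input for review, not something to load with semodule as-is: a denial on a correctly labeled target means the confined domain is asking for access the policy author did not grant, and whether that access is legitimate (or should instead go through a domain transition) is a decision, not a parsing result.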
Comment 16 Lukas Vrabec 2016-08-17 11:54:55 UTC
Fixed all AVCs from comment #15.

Comment 20 Rachel Sibley 2016-08-23 14:22:02 UTC
No longer seeing the errors with selinux-policy-3.13.1-94.el7 build:

[root@dell-pem910-02 audit]# rpm -q selinux-policy
selinux-policy-3.13.1-94.el7.noarch
[root@dell-pem910-02 audit]#  grep -r denied audit.log 
[root@dell-pem910-02 audit]# systemctl start ipmi
[root@dell-pem910-02 audit]# systemctl start ipmievd
[root@dell-pem910-02 audit]#  grep -r denied audit.log 
[root@dell-pem910-02 audit]# 
[root@dell-pem910-02 audit]# uname -r
3.10.0-493.el7.x86_64

Comment 23 errata-xmlrpc 2016-11-04 02:32:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

