Bug 1349058 - avc: denied { open | read | write } comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" generated after starting ipmievd service
Summary: avc: denied { open | read | write } comm="ipmievd" path="/dev/ipmi0" dev="devtm...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-22 15:42 UTC by Rachel Sibley
Modified: 2016-11-04 02:32 UTC (History)

Fixed In Version: selinux-policy-3.13.1-93.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:32:23 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Rachel Sibley 2016-06-22 15:42:22 UTC
Description of problem:
AVC denied errors are generated when starting the ipmievd service.

Version-Release number of selected component (if applicable):
# rpm -q ipmitool
ipmitool-1.8.15-7.el7.x86_64
# rpm -q OpenIPMI
OpenIPMI-2.0.19-15.el7.x86_64
# uname -r
3.10.0-442.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install ipmitool OpenIPMI
2. systemctl start ipmievd
3. tail /var/log/audit/audit.log


Actual results:

type=AVC msg=audit(1466608886.490:287): avc:  denied  { read write } for  pid=19878 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1466608886.490:287): avc:  denied  { open } for  pid=19878 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1466608886.490:287): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd0e0a5460 a1=2 a2=0 a3=0 items=0 ppid=1 pid=19878 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipmievd" exe="/usr/sbin/ipmievd" subj=system_u:system_r:ipmievd_t:s0 key=(null)
type=AVC msg=audit(1466608886.490:288): avc:  denied  { ioctl } for  pid=19878 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=79280 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Expected results:
no avc denied errors

Additional info:

Comment 2 Miroslav Grepl 2016-06-29 08:15:28 UTC
What is a label for /dev/ipmi0?

# ls -Z /dev/ipmi0

Comment 3 Rachel Sibley 2016-06-29 14:30:04 UTC
Hi Miroslav, information is provided below:

~]# uname -r
3.10.0-442.el7.x86_64

~]#  ls -Z /dev/ipmi0
crw-------. root root system_u:object_r:ipmi_device_t:s0 /dev/ipmi0

Comment 4 Lukas Vrabec 2016-07-11 11:35:46 UTC

*** This bug has been marked as a duplicate of bug 1083031 ***

Comment 5 Rachel Sibley 2016-07-15 14:56:55 UTC
I'm not sure if this is the same issue as bug 1083031? I'm still seeing avc denied failures when starting ipmievd with selinux-policy-3.13.1-85.el7:

# rpm -q selinux-policy
selinux-policy-3.13.1-85.el7.noarch

# systemctl start ipmievd

# grep denied audit.log 
type=AVC msg=audit(1468593240.028:107): avc:  denied  { read write } for  pid=16201 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:107): avc:  denied  { open } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:108): avc:  denied  { ioctl } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

# ps -efZ | grep ipmievd
system_u:system_r:ipmievd_t:s0  root     16202     1  0 10:33 ?        00:00:00 /usr/sbin/ipmievd sel daemon pidfile=/var/run/ipmievd.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16209 16122  0 10:46 pts/0 00:00:00 grep --color=auto ipmievd

Comment 6 Lukas Vrabec 2016-07-18 08:29:39 UTC
Hi Rachel,

The problem here is that /dev/ipmi0 is mislabeled on your system.
This is the output on my system:

[root@rhel7-virt ~]# matchpathcon /dev/ipmi0
/dev/ipmi0	system_u:object_r:ipmi_device_t:s0

[root@rhel7-virt ~]# rpm -q selinux-policy
selinux-policy-3.13.1-88.el7.noarch

Could you please run restorecon to fix the labels on your system and then try to reproduce the issue?

# restorecon -Rv /dev

Comment 7 Lukas Vrabec 2016-07-18 10:24:18 UTC

*** This bug has been marked as a duplicate of bug 1083031 ***

Comment 9 Rachel Sibley 2016-08-04 19:04:28 UTC
Reopening, as this is still causing my tests to fail. I have even removed the audit log and rebooted, yet I am still seeing the failures with the latest selinux-policy.

[root@dell-pet610-01 audit]# rpm -q selinux-policy
selinux-policy-3.13.1-92.el7.noarch
[root@dell-pet610-01 audit]# grep -r denied audit.log 
[root@dell-pet610-01 audit]# 
[root@dell-pet610-01 audit]# systemctl start ipmi
[root@dell-pet610-01 audit]# systemctl start ipmievd
[root@dell-pet610-01 audit]# grep -r denied audit.log 
type=AVC msg=audit(1470337273.996:81): avc:  denied  { read write } for  pid=2657 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:81): avc:  denied  { open } for  pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1470337273.996:82): avc:  denied  { ioctl } for  pid=2657 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=13859 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

Comment 15 Rachel Sibley 2016-08-16 14:52:35 UTC
Hi Milos, unfortunately I'm seeing even more failures than before.

# rpm -q selinux-policy
selinux-policy-3.13.1-93.el7.noarch

# grep -r denied audit.log 
#

# systemctl start ipmi

# systemctl start ipmievd

# grep -r denied audit.log 
type=AVC msg=audit(1471358658.638:84): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:84): avc:  denied  { open } for  pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:85): avc:  denied  { getattr } for  pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:86): avc:  denied  { open } for  pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.638:87): avc:  denied  { getattr } for  pid=11529 comm="openipmi-helper" path="/etc/passwd" dev="dm-0" ino=67175617 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:88): avc:  denied  { execute } for  pid=11531 comm="openipmi-helper" name="uname" dev="dm-0" ino=67253286 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:89): avc:  denied  { execute } for  pid=11532 comm="openipmi-helper" name="cut" dev="dm-0" ino=67253209 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.641:90): avc:  denied  { execute_no_trans } for  pid=11531 comm="openipmi-helper" path="/usr/bin/uname" dev="dm-0" ino=67253286 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:91): avc:  denied  { getattr } for  pid=11529 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:92): avc:  denied  { execute } for  pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.643:93): avc:  denied  { read } for  pid=11529 comm="openipmi-helper" name="kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc:  denied  { open } for  pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:94): avc:  denied  { execute_no_trans } for  pid=11533 comm="openipmi-helper" path="/usr/bin/kmod" dev="dm-0" ino=67420176 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:insmod_exec_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:95): avc:  denied  { getattr } for  pid=11533 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:96): avc:  denied  { read } for  pid=11533 comm="modprobe" name="modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:96): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/etc/modprobe.d" dev="dm-0" ino=67420175 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:97): avc:  denied  { getattr } for  pid=11533 comm="modprobe" path="/etc/modprobe.d/lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:98): avc:  denied  { read } for  pid=11533 comm="modprobe" name="lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:98): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/etc/modprobe.d/lockd.conf" dev="dm-0" ino=67526296 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:99): avc:  denied  { search } for  pid=11533 comm="modprobe" name="modules" dev="dm-0" ino=101279051 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir
type=AVC msg=audit(1471358658.645:99): avc:  denied  { read } for  pid=11533 comm="modprobe" name="modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:99): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/usr/lib/modules/3.10.0-492.el7.x86_64/modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:100): avc:  denied  { getattr } for  pid=11533 comm="modprobe" path="/usr/lib/modules/3.10.0-492.el7.x86_64/modules.softdep" dev="dm-0" ino=944863 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:101): avc:  denied  { read } for  pid=11533 comm="modprobe" name="initstate" dev="sysfs" ino=21105 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1471358658.645:101): avc:  denied  { open } for  pid=11533 comm="modprobe" path="/sys/module/ipmi_msghandler/initstate" dev="sysfs" ino=21105 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1471358658.647:102): avc:  denied  { read } for  pid=11534 comm="lsmod" name="intel_powerclamp" dev="sysfs" ino=22565 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc:  denied  { read } for  pid=11547 comm="touch" name="lock" dev="dm-0" ino=205 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file
type=AVC msg=audit(1471358658.665:103): avc:  denied  { write } for  pid=11547 comm="touch" name="subsys" dev="tmpfs" ino=14083 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc:  denied  { add_name } for  pid=11547 comm="touch" name="ipmi" scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1471358658.665:103): avc:  denied  { create } for  pid=11547 comm="touch" name="ipmi" scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1471358658.665:103): avc:  denied  { write open } for  pid=11547 comm="touch" path="/run/lock/subsys/ipmi" dev="tmpfs" ino=36008 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file

Comment 16 Lukas Vrabec 2016-08-17 11:54:55 UTC
Fixed all AVCs from comment #15.
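As an added example (not code from this bug report or from the selinux-policy project), a small triage script that applies the distinction drawn in comment 6 and comment 15: it parses AVC lines like the ones above, merges the permissions denied per (source type, target type, class), and decides whether a group reflects a mislabeled target whose actual type differs from what the file contexts expect (the /dev/ipmi0 case, fixed with restorecon) or a genuine policy gap (the /proc/meminfo case, fixed by a policy update). The sample log lines are constructed from the report's denials; the EXPECTED map stands in for matchpathcon output, and proc_t for /proc/meminfo is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this report (comments 5 and 15), not a real log.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1468593240.028:107): avc:  denied  { read write } for  pid=16201 comm="ipmievd" name="ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1468593240.028:107): avc:  denied  { open } for  pid=16201 comm="ipmievd" path="/dev/ipmi0" dev="devtmpfs" ino=76197 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1471358658.638:84): avc:  denied  { open } for  pid=11529 comm="openipmi-helper" path="/proc/meminfo" dev="proc" ino=4026532028 scontext=system_u:system_r:ipmievd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
"""

# Expected file-context types as `matchpathcon <path>` would report them:
# ipmi_device_t for /dev/ipmi0 is from comment 6; proc_t for /proc/meminfo is assumed.
EXPECTED = {"/dev/ipmi0": "ipmi_device_t", "/proc/meminfo": "proc_t"}


def parse_avc(line):
    """Return perms, process and context types of one AVC line, or None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    ctx_type = lambda ctx: ctx.split(":")[2]  # user:role:type[:range]
    return {"perms": set(m.group(1).split()), "comm": fields.get("comm"),
            "path": fields.get("path"), "name": fields.get("name"),
            "stype": ctx_type(fields["scontext"]),
            "ttype": ctx_type(fields["tcontext"]), "tclass": fields["tclass"]}


def triage(log_text, expected=EXPECTED):
    """Group denials by (source type, target type, class): mislabel or policy gap."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "verdict": ""})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        # 'name=' records carry only a basename; map it back to a known path.
        path = rec["path"] or next(
            (p for p in expected if p.rsplit("/", 1)[-1] == rec["name"]), None)
        if path:
            g["paths"].add(path)
    for (stype, ttype, tclass), g in groups.items():
        wanted = {expected[p] for p in g["paths"] if p in expected}
        if wanted and ttype not in wanted:
            g["verdict"] = "mislabeled: %s is %s, expected %s; run restorecon" % (
                "/".join(sorted(g["paths"])), ttype, "/".join(sorted(wanted)))
        else:
            g["verdict"] = "policy gap: %s lacks { %s } on %s:%s" % (
                stype, " ".join(sorted(g["perms"])), ttype, tclass)
    return dict(groups)
```

Run `triage(open("/var/log/audit/audit.log").read())` to apply the same split to a live log; only groups whose target path has an entry in EXPECTED can be classified as mislabeled, everything else falls through to the policy-gap verdict.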

Comment 20 Rachel Sibley 2016-08-23 14:22:02 UTC
No longer seeing the errors with selinux-policy-3.13.1-94.el7 build:

[root@dell-pem910-02 audit]# rpm -q selinux-policy
selinux-policy-3.13.1-94.el7.noarch
[root@dell-pem910-02 audit]#  grep -r denied audit.log 
[root@dell-pem910-02 audit]# systemctl start ipmi
[root@dell-pem910-02 audit]# systemctl start ipmievd
[root@dell-pem910-02 audit]#  grep -r denied audit.log 
[root@dell-pem910-02 audit]# 
[root@dell-pem910-02 audit]# uname -r
3.10.0-493.el7.x86_64

Comment 23 errata-xmlrpc 2016-11-04 02:32:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
