Bug 1420900 - SELinux prevents lircd from execmod on /usr/lib64/libjack.so.0.1.0
Summary: SELinux prevents lircd from execmod on /usr/lib64/libjack.so.0.1.0
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: ppc64
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-09 19:52 UTC by Milos Malik
Modified: 2017-08-30 13:29 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-30 13:29:45 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Milos Malik 2017-02-09 19:52:11 UTC
Description of problem:
* does the program behave differently on ppc64?
* is the library is compiled correctly?

Version-Release number of selected component (if applicable):
    selinux-policy-3.13.1-117.el7.noarch
    selinux-policy-targeted-3.13.1-117.el7.noarch

How reproducible:
* never on x86_64
* always on ppc64

Steps to Reproduce:
1. get a RHEL-7.3 machine (targeted policy is active)
2. run following automated TC:
 * /CoreOS/selinux-policy/Regression/lircd-and-similar
3. look for SELinux denials

Actual results (enforcing mode):
----
time->Fri Feb  3 07:18:08 2017
type=SYSCALL msg=audit(1486124288.664:936): arch=80000015 syscall=125 success=no exit=-13 a0=3fffa2c60000 a1=90000 a2=5 a3=3fffa3428c00 items=0 ppid=1 pid=32578 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lircd" exe="/usr/sbin/lircd" subj=system_u:system_r:lircd_t:s0 key=(null)
type=AVC msg=audit(1486124288.664:936): avc:  denied  { execmod } for  pid=32578 comm="lircd" path="/usr/lib64/libjack.so.0.1.0" dev="dm-0" ino=69211565 scontext=system_u:system_r:lircd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
----

Expected results:
* no AVCs


Note You need to log in before you can comment on or make changes to this bug.