Bug 1600572 - SELinux interferes with the netlabel service
Summary: SELinux interferes with the netlabel service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1256920
Reported: 2018-07-12 14:07 UTC by Milos Malik
Modified: 2018-10-30 10:07 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1483655
Environment:
Last Closed: 2018-10-30 10:06:46 UTC
Target Upstream Version:




Links:
System ID                              Priority  Status  Summary  Last Updated
Red Hat Product Errata RHBA-2018:3111  None      None    None     2018-10-30 10:07:19 UTC

Description Milos Malik 2018-07-12 14:07:20 UTC
+++ This bug was initially created as a clone of Bug #1483655 +++

Description of problem:

Version-Release number of selected component (if applicable):
netlabel_tools-0.20-5.el7.x86_64
selinux-policy-3.13.1-207.el7.noarch
selinux-policy-devel-3.13.1-207.el7.noarch
selinux-policy-doc-3.13.1-207.el7.noarch
selinux-policy-minimum-3.13.1-207.el7.noarch
selinux-policy-mls-3.13.1-207.el7.noarch
selinux-policy-sandbox-3.13.1-207.el7.noarch
selinux-policy-targeted-3.13.1-207.el7.noarch

How reproducible:
* always

Steps to Reproduce:
# service netlabel restart
# service netlabel status

Actual results (enforcing mode):
----
time->Mon Aug 21 17:51:59 2017
type=AVC msg=audit(1503330719.362:322): avc:  denied  { execute_no_trans } for  pid=1869 comm="netlabel-config" path="/usr/sbin/netlabelctl" dev="vda2" ino=342217 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=file permissive=0
----

Actual results (permissive mode):
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.516:353): avc:  denied  { read } for  pid=2086 comm="netlabel-config" name="passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.516:354): avc:  denied  { open } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/mc/passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.516:355): avc:  denied  { getattr } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/mc/passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.516:356): avc:  denied  { map } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/mc/passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.516:357): avc:  denied  { write } for  pid=2086 comm="netlabel-config" name="nss" dev="vda2" ino=394044 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.517:358): avc:  denied  { connectto } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
----
time->Mon Aug 21 17:54:03 2017
type=AVC msg=audit(1503330843.523:359): avc:  denied  { execute_no_trans } for  pid=2089 comm="netlabel-config" path="/usr/sbin/netlabelctl" dev="vda2" ino=342217 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=file permissive=1
----

Expected results:
* no SELinux denials
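As an added triage example (not part of this report or of selinux-policy), the script below parses the AVC records quoted above, keeps only the fields that determine a policy rule (source type, target type, object class, permission set), and groups them into the allow rules the fix would need, the same reduction audit2allow performs. The sample input is the report's own denials embedded inline; the regex and function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from the denials quoted in this report (the repeated permissive-mode execute_no_trans record is omitted).
SAMPLE_AVCS = """\
type=AVC msg=audit(1503330719.362:322): avc:  denied  { execute_no_trans } for  pid=1869 comm="netlabel-config" path="/usr/sbin/netlabelctl" dev="vda2" ino=342217 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1503330843.516:353): avc:  denied  { read } for  pid=2086 comm="netlabel-config" name="passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1503330843.516:354): avc:  denied  { open } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/mc/passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1503330843.516:355): avc:  denied  { getattr } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/mc/passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1503330843.516:356): avc:  denied  { map } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/mc/passwd" dev="vda2" ino=394140 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1503330843.516:357): avc:  denied  { write } for  pid=2086 comm="netlabel-config" name="nss" dev="vda2" ino=394044 scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1503330843.517:358): avc:  denied  { connectto } for  pid=2086 comm="netlabel-config" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:netlabel_mgmt_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
"""

# Matches the permission set and the three fields that identify a policy rule; permissive= is optional.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; only the type matters for the rule.
    stype, ttype = (m.group(g).split(":")[2] for g in ("scon", "tcon"))
    return {"perms": set(m.group("perms").split()), "stype": stype, "ttype": ttype,
            "tclass": m.group("tclass"), "enforced": m.group("permissive") == "0"}

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return groups

def to_allow_rules(groups):
    """Render grouped denials as policy-language allow rules, sorted for review."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in groups.items()
    )

def enforcing_denials(text):
    """Only the denials that actually blocked an operation (permissive=0)."""
    return [r for r in map(parse_avc, text.splitlines()) if r and r["enforced"]]
```

Running `to_allow_rules(summarize(text))` over a real `/var/log/audit/audit.log` gives the rule set to compare against what the updated selinux-policy package allows; the grouping also makes it obvious that the enforcing-mode failure comes from a single execute_no_trans denial while the sssd accesses only surface once that first step is permitted.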

Comment 7 Lukas Vrabec 2018-08-06 13:40:39 UTC
*** Bug 1612346 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2018-10-30 10:06:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

