Bug 189584 - Not able to create new namespaces with selinux set to enforced on RHEL 4 U2
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Depends On:
Blocks: 181409
Reported: 2006-04-21 08:31 EDT by Ramesh Hegde
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RHBA-2006-0373
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-10 17:21:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Ramesh Hegde 2006-04-21 08:31:56 EDT
Description of problem:
cimmof command fails to create new namespace when run with selinux set to
enforced on RHEL 4 U2. However problem can also be resolved by starting
cimserver using command "cimserver" instead of starting it
using "/etc/init.d/tog-pegasus start".

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Make sure selinux is in the enforced mode (cat /etc/selinux/config and check
that SELINUX=enforcing is set). If not set, set it and reboot the system.

2. Start the cimserver using the command "/etc/init.d/tog-pegasus restart".

3. Compile any sample MOF file with a new namespace. Ex: cimmof -nroot/testnamespace Sample.mof

Actual results:
The above compilation will fail with the following error:
Error: CIM_ERR_FAILED: A general error occurred that is not covered by a more
specific error code: "cannot create directory: /var/lib/Pegasus/repository/root#testnamespace"
Failed to set DefaultNamespacePath.

Expected results:

Should compile without any errors and should create the
/var/lib/Pegasus/repository/root#testnamespace directory.

Additional info:
Note that the problem occurs only if the selinux is in the enforced mode.
Comment 2 James Antill 2006-04-27 09:52:23 EDT
Fixed in errata: 1.17.30-2.133
Comment 3 Jason Vas Dias 2006-05-02 18:27:00 EDT
Unfortunately, this bug is not quite fixed yet. 
Now that upstream OpenPegasus has fixed their upstream bug 4968,
allowing CMPI Providers to run with 'forceProviderProcesses=true', the
HP testing of the proposed RHEL-4 tog-pegasus release has turned up some 
more AVCs, when running with 'forceProviderProcesses=true' and accessing 
CMPI providers:

1. cimserver and cimprovagt need to be able to do 'chown' .
   allow pegasus_t self:capability chown;
   When pegasus LocalAuthentication is being used for clients connecting over
   the /var/run/tog-pegasus/cimxml.socket UNIX socket, cimserver will create
   a /var/lib/Pegasus/cache/localauth/user-${cookie} file, and "chown" that file
   to the uid of the requesting user, making it have mode 0400 ; then the 
   requesting user process must read the contents of that file, and report 
   them back to the cimserver to gain access.

2. cimserver cannot talk to cimprovagt CMPI Providers, which can attempt to
   connect back to the server using the /var/run/tog-pegasus/cimxml.socket
   UNIX socket:
   allow pegasus_t self:unix_stream_socket connectto; 
   avc:  denied  { connectto } for pid=xxxx comm="cimprovagt" name="cimxml.socket" context=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=unix_stream_socket

   cimprovagt must be able to connectto, read, and write the 
   /var/run/tog-pegasus/cimxml.socket .

3. When running cimprovagt for the sblim-cmpi-base providers, cimprovagt
   may need to talk to other processes on FIFO pipes:
   allow pegasus_t unconfined_t:fifo_file read;

Please can we try to get this extra policy into RHEL-4-U4, as HP's pegasus
testing depends on it - thanks, Jason.
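The three policy additions above are each the allow rule implied by an AVC denial (source type, target type, object class, permission), which is exactly the translation audit2allow performs. The following is an added example, not code from this bug report, Red Hat or OpenPegasus: a small Python parser that reads denial lines in the standard audit format (with scontext= and tcontext= fields; the AVC line quoted above is assumed to have lost its "s" prefix in the report) and groups them into allow rules, collapsing the target to self when source and target types match. The sample denials are constructed for this example; the pids and audit timestamps are placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample denials modelled on the ones discussed in this bug:
# cimserver needing chown, cimprovagt connecting to / reading / writing the
# cimxml.socket, and cimprovagt reading a FIFO owned by an unconfined process.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1146000000.100:41): avc:  denied  { chown } for  pid=1001 '
    'comm="cimserver" capability=0 scontext=root:system_r:pegasus_t '
    'tcontext=root:system_r:pegasus_t tclass=capability',
    'type=AVC msg=audit(1146000000.101:42): avc:  denied  { connectto } for  pid=1002 '
    'comm="cimprovagt" name="cimxml.socket" scontext=root:system_r:pegasus_t '
    'tcontext=root:system_r:pegasus_t tclass=unix_stream_socket',
    'type=AVC msg=audit(1146000000.102:43): avc:  denied  { read write } for  pid=1002 '
    'comm="cimprovagt" name="cimxml.socket" scontext=root:system_r:pegasus_t '
    'tcontext=root:system_r:pegasus_t tclass=unix_stream_socket',
    'type=AVC msg=audit(1146000000.103:44): avc:  denied  { read } for  pid=1003 '
    'comm="cimprovagt" path="pipe:[4711]" scontext=root:system_r:pegasus_t '
    'tcontext=root:system_r:unconfined_t tclass=fifo_file',
    'type=SYSCALL msg=audit(1146000000.103:44): arch=40000003 syscall=3 success=no',
]

# The fields an allow rule is built from: the permission set in braces, the
# source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def avc_to_allow_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules.

    Permissions for the same triple are merged into one rule, and a target
    type equal to the source type is written as 'self', as in the rules
    proposed in the comment above.
    """
    grouped = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        perms = grouped.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), [])
        for perm in rec["perms"]:
            if perm not in perms:
                perms.append(perm)

    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        target = "self" if stype == ttype else ttype
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def sample_rules():
    """Rules derived from the constructed sample denials."""
    return avc_to_allow_rules(SAMPLE_AVC_LINES)


if __name__ == "__main__":
    for rule in sample_rules():
        print(rule)
```

Each generated rule should be reviewed before it goes into policy: a denial shows what the process tried to do, not whether it should be allowed, and the chown capability and FIFO read in this report were only justified after the reporter explained why cimserver and cimprovagt need them.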
Comment 4 Jason Vas Dias 2006-05-02 18:32:24 EDT
Another issue HP raised is that when cimserver is not run from the initscript,
it runs in 'root:system_r:unconfined_t' context;  only when run from the 
initscript does it run in context root:system_r:pegasus_t .
This can lead to inconsistent behavior and user confusion, as many pegasus
users are used to starting the cimserver manually with the 'cimserver' command.
Please can we make cimserver transition into pegasus_t when run from the command
line - thanks, Jason.

Comment 5 Daniel Walsh 2006-05-03 15:57:30 EDT
Problem with running the scripts in userspace is you end up needing to output to
the terminal, which is not allowed in the default policy (I believe).

Also if you do something like cimserver > ~/pegasus.out

It will fail because pegasus is not allowed to write to users' homedirs.  This
confusion is why we don't transition from unconfined to pegasus_t, only from
initrc_t.  Httpd, bind, ntpd ... all work the same.

Comment 13 Red Hat Bugzilla 2006-08-10 17:21:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

