Bug 191867 - Policy prevents xfs from spawning more servers
Summary: Policy prevents xfs from spawning more servers
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-05-16 07:51 UTC by Pierre Ossman
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-28 20:04:34 UTC
Type: ---
Embargoed:



Description Pierre Ossman 2006-05-16 07:51:32 UTC
When I run with SELinux enabled, I cannot run more X servers than one xfs server
can support (10 by default). When I reach this limit, and xfs is supposed to
spawn another server, I see this in the log:

May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.512:758): avc:  denied  {
search } for  pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=65281
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.516:759): avc:  denied  {
search } for  pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=1436162
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:760): avc:  denied  {
search } for  pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1207681
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:761): avc:  denied  {
search } for  pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1436170
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir

I guess it's searching its path for the xfs binary.

Comment 1 Daniel Walsh 2006-05-16 12:30:46 UTC
Can you do this with setenforce 0 to generate all of the avc messages and then
attach them.  Thanks.



Comment 2 Pierre Ossman 2006-05-16 12:45:59 UTC
These are generated when the server is restarted:

May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:811): avc:  denied  {
read } for  pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:812): avc:  denied  {
getattr } for  pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:813): avc:  denied  {
create } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:814): avc:  denied  {
connect } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:815): avc:  denied  {
write } for  pid=13217 comm="xfs" laddr=10.47.254.166 lport=32837
faddr=10.47.255.22 fport=53 scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:816): avc:  denied  {
udp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=32837
daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:817): avc:  denied  {
udp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=32837
daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:818): avc:  denied  {
send_msg } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=32837
daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:819): avc:  denied  {
sendto } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:820): avc:  denied  {
udp_recv } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53
daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:821): avc:  denied  {
udp_recv } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53
daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:822): avc:  denied  {
recv_msg } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53
daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:823): avc:  denied  {
recvfrom } for  pid=1341 comm="klogd" scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:824): avc:  denied  {
getattr } for  pid=13217 comm="xfs" name="[361337]" dev=sockfs ino=361337
scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:825): avc:  denied  {
read } for  pid=13217 comm="xfs" laddr=10.47.254.166 lport=32837
faddr=10.47.255.22 fport=53 scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:826): avc:  denied  {
create } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:827): avc:  denied  {
bind } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:828): avc:  denied  {
getattr } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:829): avc:  denied  {
write } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.721:830): avc:  denied  {
nlmsg_read } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.721:831): avc:  denied  {
read } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.725:832): avc:  denied  {
create } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.725:833): avc:  denied  {
setopt } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:834): avc:  denied  {
connect } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:835): avc:  denied  {
name_connect } for  pid=13217 comm="xfs" dest=389
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:836): avc:  denied  {
tcp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=35676
daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.733:837): avc:  denied  {
tcp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=35676
daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.733:838): avc:  denied  {
send_msg } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=35676
daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.737:839): avc:  denied  {
tcp_recv } for  pid=13217 comm="xfs" saddr=10.47.3.174 src=389
daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:840): avc:  denied  {
tcp_recv } for  pid=13217 comm="xfs" saddr=10.47.3.174 src=389
daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:841): avc:  denied  {
recv_msg } for  pid=13217 comm="xfs" saddr=10.47.3.174 src=389
daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:842): avc:  denied  {
getattr } for  pid=13217 comm="xfs" laddr=10.47.254.166 lport=35676
faddr=10.47.3.174 fport=389 scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:843): avc:  denied  {
write } for  pid=13217 comm="xfs" name="[361345]" dev=sockfs ino=361345
scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.741:844): avc:  denied  {
read } for  pid=13217 comm="xfs" name="[361345]" dev=sockfs ino=361345
scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket

And these when the new server is spawned:

May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:845): avc:  denied  {
search } for  pid=13217 comm="xfs" name="sbin" dev=dm-0 ino=65281
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:846): avc:  denied  {
search } for  pid=13217 comm="xfs" name="bin" dev=dm-0 ino=1207681
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:847): avc:  denied  {
execute_no_trans } for  pid=13217 comm="xfs" name="xfs" dev=dm-0 ino=1442279
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:xfs_exec_t:s0 tclass=file

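The denial records above, together with those in the bug description, are the raw material comment 1 asks for: collect every AVC message in permissive mode, then turn it into candidate policy. The following is an added example, not code from this report or from the selinux-policy project. It parses AVC denial lines in the kernel-audit syslog format shown here (tolerating records that have been wrapped across several lines, as they are on this page), groups them by source type, target type and object class, and renders audit2allow-style allow rules for review. The sample records are modelled on ones in this report; the hostname `host` and the function names are the example's own. Grouping is by security context rather than by `comm`, because several records in this report carry comm="klogd" while their scontext is xfs_t.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the AVC records in this bug report.
# Record 2 is deliberately wrapped across lines the way the report's copy is;
# record 3 carries comm="klogd" with an xfs_t source context, as in the report.
SAMPLE_LOG = """\
May 16 14:06:29 host kernel: audit(1147781189.685:811): avc:  denied  { read } for  pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 host kernel: audit(1147781189.685:812): avc:  denied  {
getattr } for  pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 host kernel: audit(1147781189.693:822): avc:  denied  { recv_msg } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53 daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:09:03 host kernel: audit(1147781343.779:847): avc:  denied  { execute_no_trans } for  pid=13217 comm="xfs" name="xfs" dev=dm-0 ino=1442279 scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:xfs_exec_t:s0 tclass=file
"""

# "avc:  denied  { perm1 perm2 } for " -- the permission set, possibly with a
# line break inside the braces when the record has been wrapped.
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+", re.S)
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_denials(text):
    """Split a syslog excerpt into AVC denial records.

    Each record is a dict with a 'perms' list plus every key=value field
    (pid, comm, scontext, tcontext, tclass, ...). Records are delimited by
    the next "avc: denied" marker, so a record wrapped over several lines
    is still read as one unit.
    """
    records = []
    for chunk in re.split(r"(?=avc:\s+denied)", text):
        m = PERMS_RE.match(chunk)
        if not m:
            continue  # leading text before the first record
        fields = {k: v.strip('"') for k, v in KV_RE.findall(chunk[m.end():])}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # truncated record: cannot be turned into a rule
        fields["perms"] = m.group(1).split()
        records.append(fields)
    return records


def context_type(ctx):
    """Return the type component of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        summary[key].update(r["perms"])
    return dict(summary)


def render_allow_rules(summary):
    """Render the grouped denials as TE allow rules, one per key, sorted."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in render_allow_rules(summarize(parse_avc_denials(SAMPLE_LOG))):
        print(rule)
```

The rendered rules are a triage view rather than policy to load as written: in this report the execute_no_trans rule is the one the maintainer adopted, while the DNS and LDAP socket denials are what prompted the question in comment 3 about why xfs talks to those services at all.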

Comment 3 Daniel Walsh 2006-05-16 13:35:33 UTC
Why is xfs communicating with ldap/dns?

I am adding to policy xfs can execute itself.  But the start up stuff is confusing.

Comment 4 Pierre Ossman 2006-05-16 13:45:17 UTC
nss perhaps? The machine has its user db in ldap. As to why it's doing lookups,
I have no idea.

Comment 5 Daniel Walsh 2006-05-23 20:40:19 UTC
Fixed in selinux-policy-2.2.42-2.fc5

Comment 6 Pierre Ossman 2007-01-04 08:35:59 UTC
In case you're waiting for a reply from me, I can confirm that the update solved
the bug.

Comment 7 Daniel Walsh 2007-03-28 20:04:34 UTC
Closing bugs
