Bug 191867 - Policy prevents xfs from spawning more servers
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware/OS: All Linux
Priority: medium  Severity: medium
Reported: 2006-05-16 03:51 EDT by Pierre Ossman
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:04:34 EDT
Description Pierre Ossman 2006-05-16 03:51:32 EDT
When I run with SELinux enabled, I cannot run more X servers than one xfs server
can support (10 by default). When I reach this limit, and xfs is supposed to
spawn another server, I see this in the log:

May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.512:758): avc:  denied  {
search } for  pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=65281
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.516:759): avc:  denied  {
search } for  pid=1736 comm="xfs" name="sbin" dev=dm-0 ino=1436162
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:760): avc:  denied  {
search } for  pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1207681
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 09:11:36 dhcp-254-166 kernel: audit(1147763496.520:761): avc:  denied  {
search } for  pid=1736 comm="xfs" name="bin" dev=dm-0 ino=1436170
scontext=system_u:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir

I guess it's searching its path for the xfs binary.
Comment 1 Daniel Walsh 2006-05-16 08:30:46 EDT
Can you do this with setenforce 0 to generate all of the avc messages and then
attach them.  Thanks.

Comment 2 Pierre Ossman 2006-05-16 08:45:59 EDT
These are generated when the server is restarted:

May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:811): avc:  denied  {
read } for  pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.685:812): avc:  denied  {
getattr } for  pid=13217 comm="xfs" name="resolv.conf" dev=dm-0 ino=1601186
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:813): avc:  denied  {
create } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:814): avc:  denied  {
connect } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:815): avc:  denied  {
write } for  pid=13217 comm="xfs" laddr=10.47.254.166 lport=32837
faddr=10.47.255.22 fport=53 scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:816): avc:  denied  {
udp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=32837
daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:817): avc:  denied  {
udp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=32837
daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.689:818): avc:  denied  {
send_msg } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=32837
daddr=10.47.255.22 dest=53 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:819): avc:  denied  {
sendto } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:820): avc:  denied  {
udp_recv } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53
daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:821): avc:  denied  {
udp_recv } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53
daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:822): avc:  denied  {
recv_msg } for  pid=1341 comm="klogd" saddr=10.47.255.22 src=53
daddr=10.47.254.166 dest=32837 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:823): avc:  denied  {
recvfrom } for  pid=1341 comm="klogd" scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:824): avc:  denied  {
getattr } for  pid=13217 comm="xfs" name="[361337]" dev=sockfs ino=361337
scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.693:825): avc:  denied  {
read } for  pid=13217 comm="xfs" laddr=10.47.254.166 lport=32837
faddr=10.47.255.22 fport=53 scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=udp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:826): avc:  denied  {
create } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:827): avc:  denied  {
bind } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:828): avc:  denied  {
getattr } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.717:829): avc:  denied  {
write } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.721:830): avc:  denied  {
nlmsg_read } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.721:831): avc:  denied  {
read } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=netlink_route_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.725:832): avc:  denied  {
create } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.725:833): avc:  denied  {
setopt } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:834): avc:  denied  {
connect } for  pid=13217 comm="xfs" scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:835): avc:  denied  {
name_connect } for  pid=13217 comm="xfs" dest=389
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:836): avc:  denied  {
tcp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=35676
daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.733:837): avc:  denied  {
tcp_send } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=35676
daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.733:838): avc:  denied  {
send_msg } for  pid=13217 comm="xfs" saddr=10.47.254.166 src=35676
daddr=10.47.3.174 dest=389 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.737:839): avc:  denied  {
tcp_recv } for  pid=13217 comm="xfs" saddr=10.47.3.174 src=389
daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:netif_t:s0 tclass=netif
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:840): avc:  denied  {
tcp_recv } for  pid=13217 comm="xfs" saddr=10.47.3.174 src=389
daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:node_t:s0 tclass=node
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:841): avc:  denied  {
recv_msg } for  pid=13217 comm="xfs" saddr=10.47.3.174 src=389
daddr=10.47.254.166 dest=35676 netif=eth0 scontext=root:system_r:xfs_t:s0
tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:842): avc:  denied  {
getattr } for  pid=13217 comm="xfs" laddr=10.47.254.166 lport=35676
faddr=10.47.3.174 fport=389 scontext=root:system_r:xfs_t:s0
tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.737:843): avc:  denied  {
write } for  pid=13217 comm="xfs" name="[361345]" dev=sockfs ino=361345
scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket
May 16 14:06:30 dhcp-254-166 kernel: audit(1147781189.741:844): avc:  denied  {
read } for  pid=13217 comm="xfs" name="[361345]" dev=sockfs ino=361345
scontext=root:system_r:xfs_t:s0 tcontext=root:system_r:xfs_t:s0 tclass=tcp_socket

And these when the new server is spawned:

May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:845): avc:  denied  {
search } for  pid=13217 comm="xfs" name="sbin" dev=dm-0 ino=65281
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:846): avc:  denied  {
search } for  pid=13217 comm="xfs" name="bin" dev=dm-0 ino=1207681
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:847): avc:  denied  {
execute_no_trans } for  pid=13217 comm="xfs" name="xfs" dev=dm-0 ino=1442279
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:xfs_exec_t:s0 tclass=file
Comment 3 Daniel Walsh 2006-05-16 09:35:33 EDT
Why is xfs communicating with ldap/dns?

I am adding to policy xfs can execute itself.  But the start up stuff is confusing.
Comment 4 Pierre Ossman 2006-05-16 09:45:17 EDT
nss perhaps? The machine has its user db in ldap. As to why it's doing lookups,
I have no idea.
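An added example, not code from this bug or from the selinux-policy package: a small Python parser (a stand-in for what audit2allow does, written here for illustration) that re-joins the wrapped AVC lines pasted in Comment 2 and aggregates them into the allow rules they imply. Grouping by target type makes the execute_no_trans denial that Comment 3 fixes and the LDAP denial it questions visible as separate rules, so each can be judged before anything is allowed; the sample input is constructed from the bug's own log lines.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped form Bugzilla shows for this bug: the three
# denials from Comment 2 when the new server is spawned, plus one LDAP denial
# from the restart. Continuation lines do not start with a syslog timestamp.
SAMPLE_AVC = """\
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:845): avc:  denied  {
search } for  pid=13217 comm="xfs" name="sbin" dev=dm-0 ino=65281
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:846): avc:  denied  {
search } for  pid=13217 comm="xfs" name="bin" dev=dm-0 ino=1207681
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=dir
May 16 14:09:03 dhcp-254-166 kernel: audit(1147781343.779:847): avc:  denied  {
execute_no_trans } for  pid=13217 comm="xfs" name="xfs" dev=dm-0 ino=1442279
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:xfs_exec_t:s0 tclass=file
May 16 14:06:29 dhcp-254-166 kernel: audit(1147781189.729:835): avc:  denied  {
name_connect } for  pid=13217 comm="xfs" dest=389
scontext=root:system_r:xfs_t:s0 tcontext=system_u:object_r:ldap_port_t:s0
tclass=tcp_socket
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def unwrap(text):
    """Re-join syslog records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def type_of(context):
    """Pick the type field out of user:role:type:level."""
    return context.split(":")[2]

def denials_to_rules(text):
    """Aggregate AVC denials into allow rules keyed by (source, target, class)."""
    perms = defaultdict(set)
    for rec in unwrap(text):
        m = AVC.search(rec)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            perms[key].update(m["perms"].split())
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]
```

The generated rules are only what the denials literally ask for; the `ldap_port_t` rule is the kind that should prompt the question asked in Comment 3 rather than be added to policy as-is.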
Comment 5 Daniel Walsh 2006-05-23 16:40:19 EDT
Fixed in selinux-policy-2.2.42-2.fc5
Comment 6 Pierre Ossman 2007-01-04 03:35:59 EST
In case you're waiting for a reply from me, I can confirm that the update solved
the bug.
Comment 7 Daniel Walsh 2007-03-28 16:04:34 EDT
Closing bugs
