Bug 210138 - Not able to write to shared Memory belonging to other non-domain process
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.4
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Daniel Walsh
Reported: 2006-10-10 08:30 EDT by Ramesh Hegde
Modified: 2007-11-16 20:14 EST

See Also:
Fixed In Version: RHBA-2007-0171
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 18:47:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Ramesh Hegde 2006-10-10 08:30:56 EDT
Description of problem:
Since all the providers will become part of the cimserver process by default, 
the provider library fails to write to any shared memory created by other non-domain 
(not belonging to any domain) processes, and each failure is logged 
in /var/log/messages. 

The default behaviour should be to allow the cimserver process, which is part of 
the pegasus_t domain, to write to the undefined domains, to keep backward 
compatibility until each package comes up with its own domains and policies.
 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.140
How reproducible:
Create a shared memory segment or semaphore in a daemon whose domain is undefined. 
Write a provider that will try to write to this shared memory. This provider 
will be part of the cimserver process. Each attempt to write to the shared memory 
from the provider will log a denied message in /var/log/messages.

1) about avc and cimserver 
Sep 19 12:39:48 spyro kernel: audit(1158662388.921:90): avc:  denied  { read 
write } for  pid=31611 comm="cimserver" key=1090846740 
scontext=root:system_r:pegasus_t tcontext=root:system_r:unconfined_t 
tclass=shm 
Steps to Reproduce:
1. Run the daemon which creates the shared memory segment or semaphore.
2. Start the cimserver, which will load the provider and try to write into the 
shared memory created by the daemon not belonging to any domain.
3. Observe /var/log/messages.
 

Actual results:
 1) about avc and cimserver 
Sep 19 12:39:48 spyro kernel: audit(1158662388.921:90): avc:  denied  { read 
write } for  pid=31611 comm="cimserver" key=1090846740 
scontext=root:system_r:pegasus_t tcontext=root:system_r:unconfined_t 
tclass=shm 
Expected results:
No denied messages should be logged, and the provider should be able to write to the shared 
memory.


Additional info: The problem exists only with SELinux enabled (happening in 
RHEL 4 U4).
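To see what the AVC record above actually asks for, here is a small parser that turns such denials into the SELinux TE allow rules that would resolve them, roughly what audit2allow does. This is an added example, not code from the bug report or from the selinux-policy package; the first log line is the one quoted in this report (rejoined onto one line), the second, a semaphore denial, is constructed to show aggregation across object classes.

```python
import re
from collections import defaultdict

# Sample AVC denials: the first is taken from this bug report, the second is
# a constructed semaphore (tclass=sem) denial for the same source/target pair.
AVC_LINES = [
    'Sep 19 12:39:48 spyro kernel: audit(1158662388.921:90): avc:  denied  { read '
    'write } for  pid=31611 comm="cimserver" key=1090846740 '
    'scontext=root:system_r:pegasus_t tcontext=root:system_r:unconfined_t tclass=shm',
    'Sep 19 12:39:49 spyro kernel: audit(1158662389.102:91): avc:  denied  { write } '
    'for  pid=31611 comm="cimserver" key=1090846741 '
    'scontext=root:system_r:pegasus_t tcontext=root:system_r:unconfined_t tclass=sem',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract permissions, source/target types, class and comm; None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:level]; the type is the third field.
    return {
        'perms': set(m.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
    }


def allow_rules(lines):
    """Merge denials per (source type, target type, class) into TE allow rules."""
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Each generated rule grants a confined domain (pegasus_t) access to objects labelled with a broad type (unconfined_t), so review the set of permissions before loading it as a local policy module rather than applying it blindly.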
Comment 1 Daniel Walsh 2007-01-29 10:36:14 EST
Fixed in selinux-policy-targeted-1.17.30-2.142
Comment 5 Josef Kubin 2007-04-02 12:24:46 EDT
Can you reproduce this with the following RPM:
http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/selinux-policy-targeted-1.17.30-2.143.noarch.rpm
Comment 7 Red Hat Bugzilla 2007-05-01 18:47:55 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html
