Bug 240228 - AVCs with netlabelctl
AVCs with netlabelctl
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: OtherQA
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-05-15 16:33 EDT by Linda Knippers
Modified: 2009-06-19 13:06 EDT (History)
6 users (show)

See Also:
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 11:39:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Linda Knippers 2007-05-15 16:33:19 EDT
Description of problem:
When I do a "run_init /etc/init.d/netlabel restart" the
command works but I end up with a bunch of AVCs.

Everything seems to work so this isn't blocking anything.

Version-Release number of selected component (if applicable):
LSPP .68 policy.

How reproducible:
Very

Steps to Reproduce:
1.install a system with the mls (and probably strict) policy
2.run_init /etc/init.d/netlabel restart
3.look at the avcs in the audit log
  
Actual results:
These AVCs (from a run in permissive mode)
type=AVC msg=audit(1179260824.780:4390): avc:  denied  { read write } for 
pid=15247 comm="netlabelctl" name="1" dev=devpts ino=3
scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1179260824.780:4390): arch=c000003e syscall=59
success=yes exit=0 a0=10dd2630 a1=10dd26b0 a2=10de5b10 a3=2 items=0 ppid=15246
pid=15247 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=MAC_MAP_DEL msg=audit(1179260824.784:4391): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
nlbl_domain=lspp_test_netlabel_t res=1
type=MAC_CIPSOV4_DEL msg=audit(1179260824.784:4391): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=100 res=1
type=SYSCALL msg=audit(1179260824.784:4391): arch=c000003e syscall=46
success=yes exit=28 a0=3 a1=7ffff19d7130 a2=0 a3=6c2a178 items=0 ppid=15239
pid=15248 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1179260824.804:4392): avc:  denied  { read } for  pid=15265
comm="netlabelctl" name="netlabel.rules" dev=dm-0 ino=1016650
scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1179260824.804:4392): arch=c000003e syscall=59
success=yes exit=0 a0=10e02740 a1=10dd2010 a2=10de5b10 a3=65 items=0 ppid=15239
pid=15265 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1179260824.804:4392):  path="/etc/netlabel.rules"
type=MAC_CIPSOV4_ADD msg=audit(1179260824.805:4393): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=100
cipso_type=pass res=1
type=SYSCALL msg=audit(1179260824.805:4393): arch=c000003e syscall=46
success=yes exit=48 a0=3 a1=7fff6e7e6e40 a2=0 a3=e8d1058 items=0 ppid=15239
pid=15265 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)
type=MAC_MAP_ADD msg=audit(1179260824.815:4394): netlabel: auid=500
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023
nlbl_domain=lspp_test_netlabel_t nlbl_protocol=cipsov4 cipso_doi=100 res=1
type=SYSCALL msg=audit(1179260824.815:4394): arch=c000003e syscall=46
success=yes exit=64 a0=3 a1=7fff0c3f5ab0 a2=0 a3=15f2155c items=0 ppid=15239
pid=15272 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl"
subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null)


Expected results:
No AVCs:

Additional info:
audit2allow shows:
#============= netlabel_mgmt_t ==============
allow netlabel_mgmt_t etc_t:file read;
allow netlabel_mgmt_t initrc_devpts_t:chr_file { read write };
Comment 1 Daniel Walsh 2007-05-15 21:10:54 EDT
Fixed in selinux-policy-2.4.6-71
Comment 2 RHEL Product and Program Management 2007-06-04 16:44:12 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Eduard Benes 2007-08-21 12:27:30 EDT
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 
ASSIGNED.
Comment 6 John Poelstra 2007-08-24 01:13:42 EDT
A fix for this issue should have been included in the packages contained in the
most recent snapshot (partners.redhat.com) for RHEL5.1.  

Requested action: Please verify that your issue is fixed as soon as possible to
ensure that it is included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

More assistance: If you cannot access bugzilla, please reply with a message to
Issue Tracker and I will change the status for you.  If you need assistance
accessing ftp://partners.redhat.com, please contact your Partner Manager.
Comment 7 Paul Moore 2007-08-24 07:14:34 EDT
Yes, I understood the requirements clearly from comment #6, which was posted 
only three days ago.  This is on my short list of action items and will be 
addressed.
Comment 8 Paul Moore 2007-08-27 17:03:53 EDT
I just repeated the reproducing steps listed in the original bug report here 
on a system with RHEL5 Update 1 Snapshot 2 and did not see any of the AVC 
denial messages as originally reported.
Comment 10 errata-xmlrpc 2007-11-07 11:39:40 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html

Note You need to log in before you can comment on or make changes to this bug.