Description of problem: When I do a "run_init /etc/init.d/netlabel restart" the command works but I end up with a bunch of AVCs. Everything seems to work so this isn't blocking anything. Version-Release number of selected component (if applicable): LSPP .68 policy. How reproducible: Very Steps to Reproduce: 1.install a system with the mls (and probably strict) policy 2.run_init /etc/init.d/netlabel restart 3.look at the avcs in the audit log Actual results: These AVCs (from a run in permissive mode) type=AVC msg=audit(1179260824.780:4390): avc: denied { read write } for pid=15247 comm="netlabelctl" name="1" dev=devpts ino=3 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file type=SYSCALL msg=audit(1179260824.780:4390): arch=c000003e syscall=59 success=yes exit=0 a0=10dd2630 a1=10dd26b0 a2=10de5b10 a3=2 items=0 ppid=15246 pid=15247 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null) type=MAC_MAP_DEL msg=audit(1179260824.784:4391): netlabel: auid=500 subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 nlbl_domain=lspp_test_netlabel_t res=1 type=MAC_CIPSOV4_DEL msg=audit(1179260824.784:4391): netlabel: auid=500 subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=100 res=1 type=SYSCALL msg=audit(1179260824.784:4391): arch=c000003e syscall=46 success=yes exit=28 a0=3 a1=7ffff19d7130 a2=0 a3=6c2a178 items=0 ppid=15239 pid=15248 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null) type=AVC msg=audit(1179260824.804:4392): avc: denied { read } for pid=15265 comm="netlabelctl" name="netlabel.rules" dev=dm-0 ino=1016650 scontext=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file type=SYSCALL msg=audit(1179260824.804:4392): arch=c000003e syscall=59 success=yes exit=0 a0=10e02740 a1=10dd2010 a2=10de5b10 a3=65 items=0 ppid=15239 pid=15265 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null) type=AVC_PATH msg=audit(1179260824.804:4392): path="/etc/netlabel.rules" type=MAC_CIPSOV4_ADD msg=audit(1179260824.805:4393): netlabel: auid=500 subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 cipso_doi=100 cipso_type=pass res=1 type=SYSCALL msg=audit(1179260824.805:4393): arch=c000003e syscall=46 success=yes exit=48 a0=3 a1=7fff6e7e6e40 a2=0 a3=e8d1058 items=0 ppid=15239 pid=15265 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null) type=MAC_MAP_ADD msg=audit(1179260824.815:4394): netlabel: auid=500 subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 nlbl_domain=lspp_test_netlabel_t nlbl_protocol=cipsov4 cipso_doi=100 res=1 type=SYSCALL msg=audit(1179260824.815:4394): arch=c000003e syscall=46 success=yes exit=64 a0=3 a1=7fff0c3f5ab0 a2=0 a3=15f2155c items=0 ppid=15239 pid=15272 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="netlabelctl" exe="/sbin/netlabelctl" subj=system_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 key=(null) Expected results: No AVCs: Additional info: audit2allow shows: #============= netlabel_mgmt_t ============== allow netlabel_mgmt_t etc_t:file read; allow netlabel_mgmt_t initrc_devpts_t:chr_file { read write };
Fixed in selinux-policy-2.4.6-71
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
A fix for this issue has been included in the packages contained in the beta (RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please verify that your issue is fixed. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED.
A fix for this issue should have been included in the packages contained in the most recent snapshot (partners.redhat.com) for RHEL5.1. Requested action: Please verify that your issue is fixed as soon as possible to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. More assistance: If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
Yes, I understood the requirements clearly from comment #6, which was posted only three days ago. This is on my short list of action items and will be addressed.
I just repeated the reproducing steps listed in the original bug report here on a system with RHEL5 Update 1 Snapshot 2 and did not see any of the AVC denial messages as originally reported.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html