Bug 440599 - Multiple SELinux denials for snapshot #4
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
Keywords: Regression
Depends On:
Blocks:
Reported: 2008-04-04 05:51 EDT by Alexander Todorov
Modified: 2008-05-21 12:43 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:43:28 EDT
Description Alexander Todorov 2008-04-04 05:51:59 EDT
Description of problem:
There are multiple SELinux denials after @everything install of RHEL 5.2 Server
snap#4

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080402.0
selinux-policy-2.4.6-126

How reproducible:
100%

Steps to Reproduce:
1. @everything install
Actual results:
Multiple SELinux denials after machine is rebooted.

Expected results:
No SELinux denials

Additional info:
This is a regression from previous snapshot.
Comment 6 Brock Organ 2008-04-04 15:10:37 EDT
There appear to be 5 separate kinds of error messages:

1) process "mount" error

type=AVC msg=audit(1207267279.404:30): avc:  denied  { read } for  pid=6139
comm="mount" name="sda1" dev=tmpfs ino=1000
scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

if mount is not able to function properly on scsi devices (such as sda1 here),
this should be considered a blocking issue ...

2) process "ip" trying to write to /var/run

type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225
comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

if ip is not able to write out /var/run/<system>/ipsec_setup.out, then part of
the ipsec functionality may be compromised ... so i suspect this should be a
blocking issue

3) hald probing is being denied

type=AVC msg=audit(1207267287.192:38): avc:  denied  { read } for  pid=6693
comm="hald-probe-stor" name="hda" dev=tmpfs ino=4694
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

it's not clear how this failure for hal to correctly probe would affect any
functionality, so this may not be a blocker ...

4) smartd tmpfs requests being denied

type=AVC msg=audit(1207267289.660:44): avc:  denied  { read write } for 
pid=6796 comm="smartd" name="sda" dev=tmpfs ino=1009
scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0
tclass=blk_file

it's not clear what the impact to smartd of this denial is, so it may not be a
blocker ...

5) pam_console is referencing /dev files that have changed label contexts

audit(1207267271.324:4): avc:  denied  { getattr } for  pid=3708
comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=4694
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=blk_file

it's not clear what impact to pam is for this denial, so it may not be a blocker ...
Comment 7 Daniel Walsh 2008-04-04 17:56:43 EDT
These are caused by labeling not working for some reason or not.

Some tool is creating devices without labeling them correctly.

matchpathcon /dev/hda /dev/sda /dev/sda1
/dev/hda	system_u:object_r:fixed_disk_device_t
/dev/sda	system_u:object_r:fixed_disk_device_t
/dev/sda1	system_u:object_r:fixed_disk_device_t


type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225
comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

This is also a labeling problem

 matchpathcon /var/run/pluto/ipsec_setup.out
/var/run/pluto/ipsec_setup.out	system_u:object_r:ipsec_var_run_t


Something creates /var/run/pluto with the wrong context, which causes the
file to be created with the wrong context.
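
The two diagnoses in this thread, the five denial kinds Brock groups in comment 6 and Dan's "labeling problem" explanation in comment 7, combined into one check. This is an added example and not part of this bug report or of selinux-policy: it parses the AVC records quoted above, groups them by process, source domain, target type and class, and compares each denied object's actual type with the matchpathcon expectation from comment 7. The hard-coded expectation table and the /dev/<name> reconstruction for blk_file records are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: the five AVC records quoted in comment 6, each rejoined
# onto one line as the kernel writes them to /var/log/audit/audit.log.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1207267279.404:30): avc:  denied  { read } for  pid=6139 comm="mount" name="sda1" dev=tmpfs ino=1000 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1207267287.192:38): avc:  denied  { read } for  pid=6693 comm="hald-probe-stor" name="hda" dev=tmpfs ino=4694 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1207267289.660:44): avc:  denied  { read write } for  pid=6796 comm="smartd" name="sda" dev=tmpfs ino=1009 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'audit(1207267271.324:4): avc:  denied  { getattr } for  pid=3708 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=4694 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
]
# Labels the policy expects for these paths (matchpathcon output, comment 7).
EXPECTED_TYPE = {
    "/dev/hda": "fixed_disk_device_t",
    "/dev/sda": "fixed_disk_device_t",
    "/dev/sda1": "fixed_disk_device_t",
    "/var/run/pluto/ipsec_setup.out": "ipsec_var_run_t",
}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = rec["scontext"].split(":")[2]  # source domain type
    rec["ttype"] = rec["tcontext"].split(":")[2]  # target object type
    # Assumption: a blk_file denial carrying only name= is a node under /dev
    # (dev=tmpfs in these records is the /dev tmpfs), so rebuild its path.
    if "path" not in rec and rec.get("tclass") == "blk_file":
        rec["path"] = "/dev/" + rec["name"]
    return rec

def denial_kinds(lines):
    """Group denials as comment 6 does: by process, source domain, target type, class."""
    return Counter((r["comm"], r["stype"], r["ttype"], r["tclass"])
                   for r in map(parse_avc, lines) if r)

def find_mislabels(lines, expected=EXPECTED_TYPE):
    """List (path, actual type, expected type) where the object's label is wrong."""
    bad = []
    for r in filter(None, map(parse_avc, lines)):
        want = expected.get(r.get("path"))
        if want and want != r["ttype"]:
            bad.append((r["path"], r["ttype"], want))
    return bad
```

On the sample, every one of the five denials is a label mismatch, which is what makes the fix a policy/labeling change rather than five separate allow rules.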

Comment 8 Milan Zazrivec 2008-04-05 05:46:26 EDT
(In reply to comment #7)
> type=AVC msg=audit(1207267280.708:31): avc:  denied  { write } for  pid=6225
> comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
> scontext=system_u:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
> 
> This is also a labeling problem
> 
>  matchpathcon /var/run/pluto/ipsec_setup.out
> /var/run/pluto/ipsec_setup.out	system_u:object_r:ipsec_var_run_t
> 
> 
> Something creates /var/run/pluto with the wrong context, which causes the
> file to be created with the wrong context.

Interestingly enough, this is output from RHEL5.2-Server-20080404.nightly:

# matchpathcon /var/run/pluto/ipsec_setup.out
/var/run/pluto/ipsec_setup.out  system_u:object_r:var_run_t

serefpolicy sources contain a rule
modules/system/ipsec.fc:/var/run/pluto(/.*)?	gen_context(system_u:object_r:ipsec_var_run_t,s0)

yet this rule is not present in the installed package:
# grep pluto /etc/selinux/targeted/contexts/files/file_contexts
#

Any idea what's happening here?
Comment 9 Milan Zazrivec 2008-04-05 11:46:33 EDT
(In reply to comment #7)
> These are caused by labeling not working for some reason or not.
> 
> Some tool is creating devices without labeling them correctly.
> 
> matchpathcon /dev/hda /dev/sda /dev/sda1
> /dev/hda	system_u:object_r:fixed_disk_device_t
> /dev/sda	system_u:object_r:fixed_disk_device_t
> /dev/sda1	system_u:object_r:fixed_disk_device_t

These devices get created with the right context, but the thing that causes
them to be relabeled is the start of the openibd service (openib package).

I have to investigate further.
Comment 10 Milan Zazrivec 2008-04-05 12:25:05 EDT
I created a separate bugzilla for the problem mentioned in comment #9:
https://bugzilla.redhat.com/show_bug.cgi?id=441054
Comment 11 Daniel Walsh 2008-04-06 05:49:20 EDT
As far as the ipsec labeling, we do not ship the package in RHEL5.
Comment 12 Milan Zazrivec 2008-04-06 08:14:00 EDT
We did not ship ipsec in RHEL5 Gold and U1. In RHEL5.2 we have a package
named openswan, which is a free implementation of ipsec.

That avc message about denied write access to /var/run/pluto/ipsec_setup.out
is what happens when the service ipsec starts.
Comment 13 Daniel Walsh 2008-04-07 22:17:12 EDT
I will dontaudit this in 

selinux-policy-2.4.6-128.el5

Comment 16 Milan Zazrivec 2008-04-09 11:51:26 EDT
RHEL5.2-Server-20080409.nightly / selinux-policy-2.4.6-128.el5 :

I'm verifying that openswan service start no longer causes selinux denials.
Comment 18 errata-xmlrpc 2008-05-21 12:43:28 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
