Description of problem:
There are multiple SELinux denials after @everything install of RHEL 5.2 Server snap#4

Version-Release number of selected component (if applicable):
RHEL5.2-Server-20080402.0
selinux-policy-2.4.6-126

How reproducible:
100%

Steps to Reproduce:
1. @everything install
2.
3.

Actual results:
Multiple SELinux denials after machine is rebooted.

Expected results:
No SELinux denials

Additional info:
This is a regression from previous snapshot.
There appear to be 5 separate kinds of error messages:

1) process "mount" error

type=AVC msg=audit(1207267279.404:30): avc: denied { read } for pid=6139 comm="mount" name="sda1" dev=tmpfs ino=1000 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

If mount is not able to function properly on SCSI devices (such as sda1 here), this should be considered a blocking issue ...

2) process "ip" trying to write to /var/run

type=AVC msg=audit(1207267280.708:31): avc: denied { write } for pid=6225 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

If ip is not able to write out /var/run/<system>/ipsec_setup.out, then part of the ipsec functionality may be compromised ... so I suspect this should be a blocking issue.

3) hald probing is being denied

type=AVC msg=audit(1207267287.192:38): avc: denied { read } for pid=6693 comm="hald-probe-stor" name="hda" dev=tmpfs ino=4694 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

It's not clear how this failure for hal to correctly probe would affect any functionality, so this may not be a blocker ...

4) smartd tmpfs requests being denied

type=AVC msg=audit(1207267289.660:44): avc: denied { read write } for pid=6796 comm="smartd" name="sda" dev=tmpfs ino=1009 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

It's not clear what the impact to smartd of this denial is, so it may not be a blocker ...

5) pam_console is referencing /dev files that have changed label contexts

audit(1207267271.324:4): avc: denied { getattr } for pid=3708 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=4694 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

It's not clear what the impact to pam is for this denial, so it may not be a blocker ...
These are caused by labeling not working for some reason or not.

Some tool is creating devices without labeling them correctly.

matchpathcon /dev/hda /dev/sda /dev/sda1
/dev/hda	system_u:object_r:fixed_disk_device_t
/dev/sda	system_u:object_r:fixed_disk_device_t
/dev/sda1	system_u:object_r:fixed_disk_device_t

type=AVC msg=audit(1207267280.708:31): avc: denied { write } for pid=6225 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

This is also a labeling problem:

matchpathcon /var/run/pluto/ipsec_setup.out
/var/run/pluto/ipsec_setup.out	system_u:object_r:ipsec_var_run_t

Something creates /var/run/pluto with the wrong context, which is causing the file to be created with the wrong context.
(In reply to comment #7)
> type=AVC msg=audit(1207267280.708:31): avc: denied { write } for pid=6225
> comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826
> scontext=system_u:system_r:ifconfig_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> This is also a labeling problem
>
> matchpathcon /var/run/pluto/ipsec_setup.out
> /var/run/pluto/ipsec_setup.out system_u:object_r:ipsec_var_run_t
>
>
> Something creates /var/run/pluto with the wrong context, which is causing the
> file to be created with the wrong context.

Interestingly enough, this is output from RHEL5.2-Server-20080404.nightly:

# matchpathcon /var/run/pluto/ipsec_setup.out
/var/run/pluto/ipsec_setup.out	system_u:object_r:var_run_t

serefpolicy sources contain a rule

modules/system/ipsec.fc:/var/run/pluto(/.*)?	gen_context(system_u:object_r:ipsec_var_run_t,s0)

yet this rule is not present in the installed package:

# grep pluto /etc/selinux/targeted/contexts/files/file_contexts
#

Any idea what's happening here?
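The denials listed above and the matchpathcon diagnosis in comment #7 share one pattern: the type in each tcontext is not the type the policy assigns to that path. As an added illustration (not code from the bug report or from the selinux-policy package), the script below parses those AVC records, works out which object each one refers to, and compares the observed type with the expected one. The expected types for the /dev nodes are the matchpathcon results quoted in comment #7; for /var/run/pluto it uses a toy file_contexts lookup that mirrors the serefpolicy rule shown in the reply above, so it also reproduces the nightly's fallback to var_run_t when the pluto rule is absent from the installed file_contexts. Assumptions of the example: the generic /var/run entry, the mapping of a tmpfs blk_file name to a /dev path, and last-match-wins resolution of file_contexts entries.

```python
import re

# Constructed sample input: the AVC records quoted in this bug's comments.
AVC_LINES = [
    'type=AVC msg=audit(1207267279.404:30): avc: denied { read } for pid=6139 comm="mount" name="sda1" dev=tmpfs ino=1000 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1207267280.708:31): avc: denied { write } for pid=6225 comm="ip" path="/var/run/pluto/ipsec_setup.out" dev=dm-0 ino=49025826 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1207267287.192:38): avc: denied { read } for pid=6693 comm="hald-probe-stor" name="hda" dev=tmpfs ino=4694 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'type=AVC msg=audit(1207267289.660:44): avc: denied { read write } for pid=6796 comm="smartd" name="sda" dev=tmpfs ino=1009 scontext=system_u:system_r:fsdaemon_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
    'audit(1207267271.324:4): avc: denied { getattr } for pid=3708 comm="pam_console_app" path="/dev/hda" dev=tmpfs ino=4694 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=blk_file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus every key=value field of an AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain ':' characters)."""
    return ctx.split(':')[2]


def object_path(rec):
    """Path of the denied object. Assumption: a tmpfs blk_file reported by name is a /dev node."""
    if 'path' in rec:
        return rec['path']
    if rec.get('tclass') == 'blk_file' and rec.get('dev') == 'tmpfs' and 'name' in rec:
        return '/dev/' + rec['name']
    return None


# Constructed file_contexts entries: the pluto rule is the serefpolicy rule quoted in the
# reply above (gen_context expanded); the plain /var/run entry is an assumed generic fallback.
FILE_CONTEXTS = [
    ('/var/run(/.*)?', 'system_u:object_r:var_run_t:s0'),
    ('/var/run/pluto(/.*)?', 'system_u:object_r:ipsec_var_run_t:s0'),
]


def lookup_context(path, entries=FILE_CONTEXTS):
    """Toy matchpathcon: patterns are anchored regexes and the last matching entry wins."""
    for pattern, ctx in reversed(entries):
        if re.fullmatch(pattern, path):
            return ctx
    return None


# Expected types for the device nodes, taken from the matchpathcon output in comment #7.
EXPECTED_DEV = {
    '/dev/hda': 'fixed_disk_device_t',
    '/dev/sda': 'fixed_disk_device_t',
    '/dev/sda1': 'fixed_disk_device_t',
}


def expected_type(path, entries=FILE_CONTEXTS):
    """Expected type for a path: the quoted device table first, then the file_contexts lookup."""
    if path in EXPECTED_DEV:
        return EXPECTED_DEV[path]
    ctx = lookup_context(path, entries)
    return context_type(ctx) if ctx else None


def find_mislabeled(lines, entries=FILE_CONTEXTS):
    """Return (comm, path, observed_type, expected_type) for every denial on a mislabeled object."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        path = object_path(rec)
        if path is None:
            continue
        observed = context_type(rec['tcontext'])
        wanted = expected_type(path, entries)
        if wanted is not None and wanted != observed:
            findings.append((rec['comm'], path, observed, wanted))
    return findings


if __name__ == '__main__':
    for comm, path, observed, wanted in find_mislabeled(AVC_LINES):
        print(f'{comm}: {path} is {observed}, policy expects {wanted}')
    # With the pluto rule missing, as in the nightly, the lookup falls back to var_run_t.
    print(lookup_context('/var/run/pluto/ipsec_setup.out', FILE_CONTEXTS[:1]))
```

All five denials come out as label mismatches rather than missing policy rules, which is why a relabel (or, for the device nodes, finding what recreates them without a label) fixes them, not a new allow rule. Dropping the pluto entry from FILE_CONTEXTS shows the second symptom from the nightly: the path then resolves to var_run_t, while the running ipsec service still creates the file as initrc_var_run_t.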
(In reply to comment #7)
> These are caused by labeling not working for some reason or not.
>
> Some tool is creating devices without labeling them correctly.
>
> matchpathcon /dev/hda /dev/sda /dev/sda1
> /dev/hda system_u:object_r:fixed_disk_device_t
> /dev/sda system_u:object_r:fixed_disk_device_t
> /dev/sda1 system_u:object_r:fixed_disk_device_t

These devices get created with the right context, but the thing that causes them to be relabeled is the start of the openibd service (openib package). I have to investigate further.
I created a separate bugzilla for the problem mentioned in comment #9: https://bugzilla.redhat.com/show_bug.cgi?id=441054
As far as the ipsec labeling, we do not ship the package in RHEL5.
We did not ship ipsec in RHEL5 Gold and U1. In RHEL5.2 we have a package named openswan, which is a free implementation of ipsec. That avc message about denied write access to /var/run/pluto/ipsec_setup.out is what happens when the service ipsec starts.
I will dontaudit this in selinux-policy-2.4.6-128.el5
RHEL5.2-Server-20080409.nightly / selinux-policy-2.4.6-128.el5 : I'm verifying that openswan service start no longer causes selinux denials.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html