Bug 445043 - RHEL 5.1 MRG+MLS: RT tools produce boot AVCs
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-utilities
Hardware: x86_64
OS: All
Priority: low
Severity: high
Assigned To: Red Hat Real Time Maintenance
Reported: 2008-05-02 18:08 EDT by IBM Bug Proxy
Modified: 2008-05-27 12:46 EDT

Doc Type: Bug Fix
Last Closed: 2008-05-27 12:46:58 EDT

Attachments
Audit log from bootup to 1st login (2.88 KB, text/plain) - 2008-05-06 16:24 EDT, IBM Bug Proxy
/var/log/messages from bootup to 1st login (70.56 KB, text/plain) - 2008-05-06 16:24 EDT, IBM Bug Proxy
Audit log from 137 policy (9.28 KB, text/plain) - 2008-05-06 20:00 EDT, IBM Bug Proxy
syslog from 137 policy (70.74 KB, text/plain) - 2008-05-06 20:00 EDT, IBM Bug Proxy

External Trackers
IBM Linux Technology Center 44535 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description IBM Bug Proxy 2008-05-02 18:08:20 EDT
=Comment: #0=================================================
George C. Wilson <gcwilson@us.ibm.com> - 2008-05-02 10:46 EDT
---Problem Description---
Installed RHEL 5.1 + RHN fixes (as of 5/1/08) + MRG 47 kernel + RT tools in an
LSPP-like evaluated configuration using a modified LSPP kickstart file that only
prereqs the configuration package. There are SELinux denials upon boot
apparently because the RT tools lack policy.

RT packages:
Contact Information = gcwilson@us.ibm.com, latten@us.ibm.com
---uname output---
Linux bracer2.ltc.austin.ibm.com #1 SMP PREEMPT RT Wed Apr 23
15:30:56 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
Machine Type = HS21
---Steps to Reproduce---
1. Install RHEL 5.1 using an LSPP kickstart modified to remove old package versions.
2. setenforce 0
3. Add yum repo to pickup RHN updates
4. yum update
5. Add yum repo to pickup MRG kernel and RT tools
6. yum install kernel-rt rtctl rt-setup
7. >/var/log/audit/audit.log
8. >/var/log/messages
9. touch /.autorelabel
10. shutdown -r now
11. Login
12. Examine audit log and syslog
---Security Component Data--- 
/etc/selinux/config output:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.

# SETLOCALDEFS= Check local definition changes
"rpm -qa | grep -i selinux" output: libselinux-1.33.4-4.el5
Comment 1 Daniel Walsh 2008-05-06 16:09:12 EDT
Could you attach your audit.log

We are not seeing this here.

Comment 2 IBM Bug Proxy 2008-05-06 16:24:43 EDT
Created attachment 304683 [details]
Audit log from bootup to 1st login
Comment 3 IBM Bug Proxy 2008-05-06 16:24:44 EDT
Created attachment 304684 [details]
/var/log/messages from bootup to 1st login
Comment 4 IBM Bug Proxy 2008-05-06 19:56:44 EDT
------- Comment From gcwilson@us.ibm.com 2008-05-06 19:55 EDT-------
What I'm seeing on RHEL MRG + MLS + RHN fixes no longer appears to be denials
from RT tools. They are mostly modprobe and multipath denials. This is good news.

I updated to selinux-policy*2.4.6-137.el5 at dwalsh's behest. Attaching logs
generated with the updated policy in place. But the RT tools boot denials appear
to have been fixed by the RHN upgrades.
Comment 5 IBM Bug Proxy 2008-05-06 20:00:44 EDT
Created attachment 304703 [details]
Audit log from 137 policy
Comment 6 IBM Bug Proxy 2008-05-06 20:00:46 EDT
Created attachment 304704 [details]
syslog from 137 policy
Comment 7 Daniel Walsh 2008-05-07 06:04:15 EDT
#============= insmod_t ==============
allow insmod_t self:capability sys_nice;
This is allowed by the 137 policy?

#============= staff_t ==============
allow staff_t sysadm_home_t:file { read write append };
This is because you are in permissive mode and have executed a su; you need to
transition to sysadm_t before running su or sudo.

#============= sysadm_ssh_t ==============
allow sysadm_ssh_t default_t:dir search;

This looks like you are using polyinstantiation with improper labeling?  You have a
directory called system_u:object_r:tmp_t:s0-s15:c0.c1023_ealuser which should be
labeled tmp_t.
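The three `allow` rules Dan quotes above are audit2allow output, and his triage of them is the useful part: one denial may need policy, one is an artifact of permissive mode and a missing role transition, and one is a labeling problem that no allow rule should paper over. The script below is an added example, not Red Hat's audit2allow and not code from this bug report. It parses AVC records from an audit.log, regenerates the same audit2allow-style summary so the reader can see where those rules come from, and separately flags denials whose target carries a fallback label (default_t, unlabeled_t, file_t), which is the signal that the fix is a relabel rather than a policy change. The sample AVC lines are constructed to reproduce the three rules in this comment; pids, inode numbers, timestamps and the function names are assumptions.

```python
"""Minimal audit2allow-style summariser for SELinux AVC denials (added example)."""
import re
from collections import defaultdict

# Constructed sample audit.log lines; not the logs attached to this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1210089600.101:42): avc:  denied  { sys_nice } for  pid=1234 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tcontext=system_u:system_r:insmod_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1210089700.202:57): avc:  denied  { read write append } for  pid=2345 comm="bash" name=".bash_history" dev=dm-0 ino=1000 scontext=staff_u:staff_r:staff_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1210089800.303:61): avc:  denied  { search } for  pid=3456 comm="sshd" name="system_u:object_r:tmp_t:s0-s15:c0.c1023_ealuser" dev=dm-0 ino=2000 scontext=staff_u:sysadm_r:sysadm_ssh_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1210089800.303:61): arch=c000003e syscall=2 success=yes exit=3
"""

# Matches the fields of a kernel AVC record; everything between them is skipped lazily.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
NAME_RE = re.compile(r'\bname="([^"]*)"')

# Target types that mean the object has no real label. A denial against one of these
# points at a relabel (restorecon, touch /.autorelabel), not at a missing allow rule.
MISLABEL_TYPES = {"default_t", "unlabeled_t", "file_t"}


def context_type(ctx):
    """user:role:type[:mls-range] -> type (the MLS range after the type is ignored)."""
    return ctx.split(":")[2]


def parse_avc(log_text):
    """Return one dict per 'denied' AVC record; non-AVC and 'granted' records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        name = NAME_RE.search(line)
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "name": name.group(1) if name else None,
        })
    return denials


def allow_rules(denials):
    """Render audit2allow-style output: one section per source domain, perms merged per
    (source, target, class) triple, 'self' when source and target types coincide."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    out = []
    for stype in sorted({key[0] for key in grouped}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(grouped.items()):
            if s != stype:
                continue
            target = "self" if s == t else t
            p = sorted(perms)
            ptxt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            out.append(f"allow {s} {target}:{c} {ptxt};")
        out.append("")
    return "\n".join(out)


def suspected_mislabels(denials):
    """Denials whose target type is a fallback label; review labeling before writing policy."""
    return [d for d in denials if d["ttype"] in MISLABEL_TYPES]


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    print(allow_rules(found))
    for d in suspected_mislabels(found):
        print(f"# labeling problem, not policy: {d['tclass']} {d['name']!r} is {d['ttype']}")
```

Run against a real audit.log, the mislabel list is the thing to read first: in this bug the `sysadm_ssh_t default_t:dir search` rule would have been reported there, with the polyinstantiated directory name attached, which is exactly the conclusion Dan reached by eye.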
Comment 8 IBM Bug Proxy 2008-05-27 12:41:05 EDT
------- Comment From gcwilson@us.ibm.com 2008-05-27 12:37 EDT-------
Dan provided hints and tips that resolved all the AVCs I was seeing with
MRG+MLS. Closing as notabug on our side.
Comment 9 Clark Williams 2008-05-27 12:46:58 EDT
