=Comment: #0================================================= George C. Wilson <gcwilson.com> - 2008-05-02 10:46 EDT

---Problem Description---
Installed RHEL 5.1 + RHN fixes (as of 5/1/08) + MRG 47 kernel + RT tools in an LSPP-like evaluated configuration using a modified LSPP kickstart file that only prereqs the configuration package. There are SELinux denials upon boot, apparently because the RT tools lack policy.

RT packages:
kernel-rt-2.6.24.4-47.el5rt
kernel-rt-devel-2.6.24.4-47.el5rt
rtctl-1.3-1.el5rt
rt-setup-1.0-3.el5rt

Contact Information = gcwilson.com, latten.com

---uname output---
Linux bracer2.ltc.austin.ibm.com 2.6.24.4-47.el5rt #1 SMP PREEMPT RT Wed Apr 23 15:30:56 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux

Machine Type = HS21

---Steps to Reproduce---
1. Install RHEL 5.1 using an LSPP kickstart modified to remove old package versions.
2. setenforce 0
3. Add yum repo to pick up RHN updates
4. yum update
5. Add yum repo to pick up MRG kernel and RT tools
6. yum install kernel-rt rtctl rt-setup
7. >/var/log/audit/audit.log
8. >/var/log/messages
9. touch /.autorelabel
10. shutdown -r now
11. Login
12. Examine audit log and syslog

---Security Component Data---
/etc/selinux/config output:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=mls
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

"rpm -qa | grep -i selinux" output:

libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
selinux-policy-mls-2.4.6-106.el5_1.3
selinux-policy-targeted-2.4.6-106.el5_1.3
libselinux-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
selinux-policy-2.4.6-106.el5_1.3
selinux-policy-devel-2.4.6-106.el5_1.3
Could you attach your audit.log? We are not seeing this here.
Created attachment 304683 [details] Audit log from bootup to 1st login
Created attachment 304684 [details] /var/log/messages from bootup to 1st login
------- Comment From gcwilson.com 2008-05-06 19:55 EDT------- What I'm seeing on RHEL MRG + MLS + RHN fixes no longer appears to be denials from RT tools. They are mostly modprobe and multipath denials. This is good news. I updated to selinux-policy*2.4.6-137.el5 at dwalsh's behest. Attaching logs generated with the updated policy in place. But the RT tools boot denials appear to have been fixed by the RHN upgrades.
Created attachment 304703 [details] Audit log from 137 policy
Created attachment 304704 [details] syslog from 137 policy
#============= insmod_t ==============
allow insmod_t self:capability sys_nice;

This is allowed by the 137 policy?

#============= staff_t ==============
allow staff_t sysadm_home_t:file { read write append };

This is because you are in permissive mode and have executed a su; you need to transition to sysadm_t before running su or sudo.

#============= sysadm_ssh_t ==============
allow sysadm_ssh_t default_t:dir search;

This looks like you are using polyinstantiation with improper labeling? You have a directory called system_u:object_r:tmp_t:s0-s15:c0.c1023_ealuser which should be labeled tmp_t.
------- Comment From gcwilson.com 2008-05-27 12:37 EDT------- Dan provided hints and tips that resolved all the AVCs I was seeing with MRG+MLS. Closing as notabug on our side.
ditto