Bug 445043 - RHEL 5.1 MRG+MLS: RT tools produce boot AVCs
Summary: RHEL 5.1 MRG+MLS: RT tools produce boot AVCs
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-utilities
Version: beta
Hardware: x86_64
OS: All
low
high
Target Milestone: ---
: ---
Assignee: Red Hat Real Time Maintenance
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-05-02 22:08 UTC by IBM Bug Proxy
Modified: 2008-05-27 16:46 UTC (History)
3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-27 16:46:58 UTC
Target Upstream Version:
Embargoed:


Attachments
Audit log from bootup to 1st login (2.88 KB, text/plain)
2008-05-06 20:24 UTC, IBM Bug Proxy
/var/log/messages from bootup to 1st login (70.56 KB, text/plain)
2008-05-06 20:24 UTC, IBM Bug Proxy
Audit log from 137 policy (9.28 KB, text/plain)
2008-05-07 00:00 UTC, IBM Bug Proxy
syslog from 137 policy (70.74 KB, text/plain)
2008-05-07 00:00 UTC, IBM Bug Proxy


Links
System: IBM Linux Technology Center
ID: 44535
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: Never

Description IBM Bug Proxy 2008-05-02 22:08:20 UTC
=Comment: #0=================================================
George C. Wilson <gcwilson.com> - 2008-05-02 10:46 EDT
---Problem Description---
Installed RHEL 5.1 + RHN fixes (as of 5/1/08) + MRG 47 kernel + RT tools in an
LSPP-like evaluated configuration using a modified LSPP kickstart file that only
prereqs the configuration package. There are SELinux denials upon boot
apparently because the RT tools lack policy.

RT packages:
kernel-rt-2.6.24.4-47.el5rt
kernel-rt-devel-2.6.24.4-47.el5rt
rtctl-1.3-1.el5rt
rt-setup-1.0-3.el5rt
 
Contact Information = gcwilson.com, latten.com
 
---uname output---
Linux bracer2.ltc.austin.ibm.com 2.6.24.4-47.el5rt #1 SMP PREEMPT RT Wed Apr 23
15:30:56 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
 
Machine Type = HS21
 
 
---Steps to Reproduce---
1. Install RHEL 5.1 using an LSPP kickstart modified to remove old package versions.
2. setenforce 0
3. Add yum repo to pickup RHN updates
4. yum update
5. Add yum repo to pickup MRG kernel and RT tools
6. yum install kernel-rt rtctl rt-setup
7. >/var/log/audit/audit.log
8. >/var/log/messages
9. touch /.autorelabel
10. shutdown -r now
11. Login
12. Examine audit log and syslog
 
---Security Component Data--- 
/etc/selinux/config output:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=mls

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0 
 
"rpm -qa | grep -i selinux" output:
libselinux-1.33.4-4.el5
libselinux-devel-1.33.4-4.el5
selinux-policy-mls-2.4.6-106.el5_1.3
selinux-policy-targeted-2.4.6-106.el5_1.3
libselinux-1.33.4-4.el5
libselinux-python-1.33.4-4.el5
selinux-policy-2.4.6-106.el5_1.3
selinux-policy-devel-2.4.6-106.el5_1.3

Comment 1 Daniel Walsh 2008-05-06 20:09:12 UTC
Could you attach your audit.log?

We are not seeing this here.



Comment 2 IBM Bug Proxy 2008-05-06 20:24:43 UTC
Created attachment 304683 [details]
Audit log from bootup to 1st login

Comment 3 IBM Bug Proxy 2008-05-06 20:24:44 UTC
Created attachment 304684 [details]
/var/log/messages from bootup to 1st login

Comment 4 IBM Bug Proxy 2008-05-06 23:56:44 UTC
------- Comment From gcwilson.com 2008-05-06 19:55 EDT-------
What I'm seeing on RHEL MRG + MLS + RHN fixes no longer appears to be denials
from RT tools. They are mostly modprobe and multipath denials. This is good news.

I updated to selinux-policy*2.4.6-137.el5 at dwalsh's behest. Attaching logs
generated with the updated policy in place. But the RT tools boot denials appear
to have been fixed by the RHN upgrades.

Comment 5 IBM Bug Proxy 2008-05-07 00:00:44 UTC
Created attachment 304703 [details]
Audit log from 137 policy

Comment 6 IBM Bug Proxy 2008-05-07 00:00:46 UTC
Created attachment 304704 [details]
syslog from 137 policy

Comment 7 Daniel Walsh 2008-05-07 10:04:15 UTC
#============= insmod_t ==============
allow insmod_t self:capability sys_nice;
This is allowed by the 137 policy?

#============= staff_t ==============
allow staff_t sysadm_home_t:file { read write append };
This is because you are in permissive mode and have executed a su; you need to
transition to sysadm_t before running su or sudo.

#============= sysadm_ssh_t ==============
allow sysadm_ssh_t default_t:dir search;

This looks like you are using polyinstantiation with improper labeling?  You have a
directory called system_u:object_r:tmp_t:s0-s15:c0.c1023_ealuser which should be
labeled tmp_t.
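
As an added example (not part of this bug report, and not audit2allow's own code): a small Python script that reads RHEL 5-style AVC records from audit.log, groups the denied permissions per source domain in the same shape as the audit2allow output quoted in the comment above, and separately flags denials whose target carries default_t. default_t is the fallback label for files with no matching file_contexts entry, so a denial against it (like the polyinstantiated directory above) usually points at a labeling problem to fix with a relabel rather than at a policy rule to add. The sample records, the function names and the hint wording are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records in the RHEL 5 era format; these are
# not taken from the logs attached to the bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1209800000.101:12): avc:  denied  { sys_nice } for  pid=1432 comm="modprobe" capability=23 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:insmod_t:s0 tclass=capability
type=SYSCALL msg=audit(1209800000.101:12): arch=c000003e syscall=203 success=no exit=-13 comm="modprobe" exe="/sbin/modprobe"
type=AVC msg=audit(1209800000.402:31): avc:  denied  { read write } for  pid=2210 comm="su" name=".bash_history" dev=dm-0 ino=8843 scontext=staff_u:staff_r:staff_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1209800000.403:32): avc:  denied  { append } for  pid=2210 comm="su" name=".bash_history" dev=dm-0 ino=8843 scontext=staff_u:staff_r:staff_t:s0 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1209800000.517:40): avc:  denied  { search } for  pid=2305 comm="sshd" name="system_u:object_r:tmp_t:s0-s15:c0.c1023_ealuser" dev=dm-0 ino=1201 scontext=system_u:system_r:sysadm_ssh_t:s0-s15:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1209800000.600:41): avc:  granted  { setcap } for  pid=2310 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=process
"""

# One AVC record: verdict, permission set, free-form fields, then the two contexts and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+"
    r"(?P<fields>.*?)scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# key=value pairs; quoted values (name="...") may themselves contain colons and spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component (third field) of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc_records(text):
    """Parse every AVC record in audit.log text into a dict; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "verdict": m.group("verdict"),
            "perms": m.group("perms").split(),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": fields.get("comm", "?"),
            "pid": fields.get("pid", "?"),
            "name": fields.get("name"),
        })
    return records


def summarize_denials(records):
    """Group denied permissions by (source type, target type, class), keeping first-seen order."""
    summary = defaultdict(list)
    for r in records:
        if r["verdict"] != "denied":
            continue
        perms = summary[(r["stype"], r["ttype"], r["tclass"])]
        for p in r["perms"]:
            if p not in perms:
                perms.append(p)
    return dict(summary)


def render_allow_rules(summary):
    """Render the summary in audit2allow's layout: one header per source domain, 'self' when the
    target type equals the source type, braces only around multi-permission sets."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in summary.items():
        by_source[stype].append((ttype, tclass, perms))
    lines = []
    for stype in sorted(by_source):
        lines.append(f"#============= {stype} ==============")
        for ttype, tclass, perms in by_source[stype]:
            target = "self" if ttype == stype else ttype
            perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            lines.append(f"allow {stype} {target}:{tclass} {perm_txt};")
        lines.append("")
    return "\n".join(lines)


def labeling_hints(records):
    """Flag denials whose target is default_t: the object is unlabeled or mislabeled,
    so the fix is usually restorecon / autorelabel, not a new allow rule."""
    hints = []
    for r in records:
        if r["verdict"] == "denied" and r["ttype"] == "default_t":
            hints.append(
                f"{r['comm']} (pid {r['pid']}) hit default_t on {r['name']!r}: "
                "check file_contexts and relabel rather than adding an allow rule"
            )
    return hints


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    print(render_allow_rules(summarize_denials(recs)))
    for hint in labeling_hints(recs):
        print("NOTE:", hint)
```

Run on a real file with `parse_avc_records(open("/var/log/audit/audit.log").read())`. Granted records are parsed but left out of the summary, so an enforcing system that logs auditallow events does not pollute the rule list; the default_t check is deliberately narrow and only catches the unlabeled-object case, which is why the staff_t denial above still shows up as an ordinary rule even though its real cause was running su from the wrong domain.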


Comment 8 IBM Bug Proxy 2008-05-27 16:41:05 UTC
------- Comment From gcwilson.com 2008-05-27 12:37 EDT-------
Dan provided hints and tips that resolved all the AVCs I was seeing with
MRG+MLS. Closing as notabug on our side.

Comment 9 Clark Williams 2008-05-27 16:46:58 UTC
ditto

