Bug 446462 - avc: denied { read write } comm="groupadd" path="socket:[29130]" dev=sockfs
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pirut
Version: 5.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: James Antill
Reported: 2008-05-14 13:47 EDT by Ben Levenson
Modified: 2013-03-12 16:09 EDT
Doc Type: Bug Fix
Last Closed: 2013-03-12 16:09:04 EDT
Attachments: None
Description Ben Levenson 2008-05-14 13:47:56 EDT
Description of problem:
SELinux is preventing groupadd (groupadd_t) "read write" to socket (rpm_t).

Detailed Description:

SELinux denied access requested by groupadd. It is not expected that this access
is required by groupadd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:groupadd_t
Target Context                system_u:system_r:rpm_t
Target Objects                socket [ tcp_socket ]
Source                        groupadd
Source Path                   /usr/sbin/groupadd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           shadow-utils-4.0.17-13.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-92.el5 #1 SMP
                              Tue Apr 29 13:16:15 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 14 May 2008 01:06:20 PM EDT
Last Seen                     Wed 14 May 2008 01:09:26 PM EDT
Local ID                      0a012c6a-57a5-4ec2-be22-ab312a850753
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28948]" dev=sockfs
ino=28948 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28953]" dev=sockfs
ino=28953 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28958]" dev=sockfs
ino=28958 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29004]" dev=sockfs
ino=29004 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28966]" dev=sockfs
ino=28966 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29009]" dev=sockfs
ino=29009 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28974]" dev=sockfs
ino=28974 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29050]" dev=sockfs
ino=29050 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28982]" dev=sockfs
ino=28982 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[28987]" dev=sockfs
ino=28987 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29017]" dev=sockfs
ino=29017 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29022]" dev=sockfs
ino=29022 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29028]" dev=sockfs
ino=29028 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29033]" dev=sockfs
ino=29033 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29055]" dev=sockfs
ino=29055 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29180]" dev=sockfs
ino=29180 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29045]" dev=sockfs
ino=29045 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29064]" dev=sockfs
ino=29064 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29069]" dev=sockfs
ino=29069 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29074]" dev=sockfs
ino=29074 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29079]" dev=sockfs
ino=29079 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29084]" dev=sockfs
ino=29084 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29089]" dev=sockfs
ino=29089 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29112]" dev=sockfs
ino=29112 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29186]" dev=sockfs
ino=29186 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29188]" dev=sockfs
ino=29188 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29120]" dev=sockfs
ino=29120 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29125]" dev=sockfs
ino=29125 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29130]" dev=sockfs
ino=29130 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29135]" dev=sockfs
ino=29135 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29192]" dev=sockfs
ino=29192 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="socket:[29143]" dev=sockfs
ino=29143 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:system_r:rpm_t:s0 tclass=tcp_socket

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ write } for  pid=4792 comm="groupadd"
path="/var/lib/yum/transaction-done.2008-05-14.13:04.22" dev=hda6 ino=1470245
scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:var_lib_t:s0
tclass=file

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read } for  pid=4792 comm="groupadd"
path="/var/cache/yum/rhel-client-C/packages/systemtap-runtime-0.6.2-1.el5.x86_64.rpm"
dev=hda6 ino=1339663 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:object_r:var_t:s0 tclass=file

host=localhost.localdomain type=AVC msg=audit(1210784966.139:57): avc:  denied 
{ read write } for  pid=4792 comm="groupadd" path="/var/lib/rpm/__db.000"
dev=hda6 ino=1307767 scontext=system_u:system_r:groupadd_t:s0
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1210784966.139:57):
arch=c000003e syscall=59 success=yes exit=0 a0=1e3a57a0 a1=1e3a5730 a2=1e3a3690
a3=8 items=0 ppid=4785 pid=4792 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="groupadd" exe="/usr/sbin/groupadd"
subj=system_u:system_r:groupadd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.el5
shadow-utils-4.0.17-13.el5

How reproducible:
Only tried once.

Steps to Reproduce:
1. install RHEL5-Client
2. add the workstation repo via pirut
3. use pirut to add the development tools and development libraries package groups
Actual results:
packages are installed, but sealert pops up with the avc denials above.
I can have a closer look at the rpm transaction in a little bit

Expected results:


Additional info:
Comment 1 Daniel Walsh 2008-05-14 14:29:14 EDT
pirut is leaking a file descriptor to a tcp_socket

fcntl(fd, F_SETFD, FD_CLOEXEC)
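Added illustration of the leak comment 1 describes and of the FD_CLOEXEC fix; this is not pirut's code or part of the bug thread. It is in Python because pirut is a Python program, and the socket, the probe child and the `demo`/`mark_cloexec` helper names are constructed here for the example.

```python
import fcntl
import socket
import subprocess
import sys
from typing import Tuple


def is_cloexec(fd: int) -> bool:
    """True when the kernel will close `fd` in the child across execve()."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def mark_cloexec(fd: int) -> None:
    """The fix from comment 1: OR FD_CLOEXEC into the descriptor flags so a
    forked-and-exec'd scriptlet such as groupadd never sees this socket."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def inherited_by_child(fd: int) -> bool:
    """Exec a throwaway child and report whether `fd` is still open there.
    This mirrors the bug: the package manager forks and execs an rpm
    scriptlet (groupadd), which then holds the parent's rpm_t TCP socket."""
    probe = ("import os, sys\n"
             "try:\n"
             "    os.fstat(int(sys.argv[1]))\n"
             "except OSError:\n"
             "    sys.exit(3)\n")
    child = subprocess.run([sys.executable, "-c", probe, str(fd)],
                           close_fds=False)  # plain fork()+execve() semantics
    return child.returncode == 0


def demo() -> Tuple[bool, bool]:
    """Constructed case: a TCP socket like the one pirut held open.
    Returns (leaked_before_fix, leaked_after_fix)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Python 3.4+ makes new descriptors non-inheritable (PEP 446); clear that
    # so the socket behaves like the Python 2 socket pirut leaked in 2008.
    sock.set_inheritable(True)
    try:
        before = inherited_by_child(sock.fileno())
        mark_cloexec(sock.fileno())
        assert is_cloexec(sock.fileno())
        after = inherited_by_child(sock.fileno())
        return before, after
    finally:
        sock.close()
```

`demo()` returns `(True, False)`: the child can fstat the socket before the fix and cannot after it, which is exactly the difference between groupadd_t being handed an rpm_t socket and the AVC denials above never occurring.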
Comment 2 James Antill 2013-03-12 16:09:04 EDT
This request was evaluated by Red Hat Engineering for inclusion in a Red 
Hat Enterprise Linux maintenance release.

Red Hat does not currently plan to provide this change in a Red Hat 
Enterprise Linux update release for currently deployed products.

With the goal of minimizing risk of change for deployed systems, and in 
response to customer and partner requirements, Red Hat takes a 
conservative approach when evaluating enhancements for inclusion in 
maintenance updates for currently deployed products. The primary 
objectives of update releases are to enable new hardware platform 
support and to resolve critical defects.
