Red Hat Bugzilla – Bug 464079
avc: denied { search / unlink } for comm="audispd"
Last modified: 2014-03-29 14:57:15 EDT
Description of problem: During upgrade with yum from RHEL5.2-Server to RHEL5.3-Server-20080922.0 there's a SELinux denial. Version-Release number of selected component (if applicable): selinux-policy-targeted-2.4.6-158.el5 How reproducible: Always Steps to Reproduce: 1. Install RHEL5.2-Server, @everything 2. configure yum repos for latest release 3. do yum update Actual results: SELinux denial Expected results: No SElinux denial Additional info: audit(1222363412.600:80): audit_pid=0 old=6466 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 audit(1222363412.718:81): avc: denied { search } for pid=6408 comm="audispd" name="sbin" dev=dm-0 ino=7929857 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir audit(1222363412.718:81): arch=c0000032 syscall=1210 success=no exit=-13 a0=60000fffff8927cf a1=60000fffff892690 a2=200000080036c6b8 a3=2000000800382580 items=0 ppid=6406 pid=6408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audispd" exe="/sbin/audispd" subj=system_u:system_r:audisp_t:s0 key=(null) audit(1222363412.720:82): audit_pid=6406 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 Also seeing to the above on i386: audit(1222364140.365:122): avc: denied { unlink } for pid=9002 comm="audispd" name="audispd_events" dev=dm-0 ino=54526127 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:audisp_var_run_t:s0 tclass=sock_file audit(1222364140.365:123): audit_pid=0 old=9000 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 audit(1222364140.601:124): audit_pid=25445 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
what is audispd labeled? ls -lZ /sbin/audispd?
After install & before upgrade: -rwxr-x--- root root system_u:object_r:sbin_t /sbin/audispd After upgrade: -rwxr-x--- root root system_u:object_r:audisp_exec_t /sbin/audispd
Ok well the second avc should disappear after upgrade also since audispd will run in a different domain then auditd_t which is allowed to unlink the sock_file. Fixed in selinux-policy-2.4.6-161.el5
So why is audispd running as auditd_t and not as audisp_t. The following two roles should have caused auditd_t to transition to audisp_t when it execs the app. #sesearch --allow -s auditd_t -t audisp_t Found 1 av rules: allow auditd_t audisp_t : process { transition signal }; # sesearch --allow -s auditd_t -t audisp_exec_t Found 1 av rules: allow auditd_t audisp_exec_t : file { read getattr execute }; What is the label on audispd? # ls -lZ /sbin/audispd -rwxr-x--- root root system_u:object_r:audisp_exec_t:s0 /sbin/audispd
Context after install: -rwxr-x--- root root system_u:object_r:sbin_t /sbin/audispd Context after the upgrade: -rwxr-x--- root root system_u:object_r:audisp_exec_t /sbin/audispd
If you do a # service auditd restart what does # ps -eZ | grep audisp Show? If this is running as audisp_t, then you should not see this problem any more.
OK, it's running as audisp_t and indeed I didn't see the problem. I was doing manual test but for some reason the automated one failed. Moving back to VERIFIED and will try to find out if this can reproduce more consistently with our automated test case.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html