Bug 464079 - avc: denied { search / unlink } for comm="audispd"
Summary: avc: denied { search / unlink } for comm="audispd"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: Alexander Todorov
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-26 08:01 UTC by Alexander Todorov
Modified: 2014-03-29 18:57 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 21:30:58 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0163 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2009-01-20 16:05:21 UTC

Description Alexander Todorov 2008-09-26 08:01:32 UTC
Description of problem:
During upgrade with yum from RHEL5.2-Server to RHEL5.3-Server-20080922.0 there's a SELinux denial.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-158.el5

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2-Server, @everything
2. configure yum repos for latest release
3. do yum update
  
Actual results:
SELinux denial

Expected results:
No SElinux denial

Additional info:
audit(1222363412.600:80): audit_pid=0 old=6466 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
audit(1222363412.718:81): avc:  denied  { search } for  pid=6408 comm="audispd" name="sbin" dev=dm-0 ino=7929857 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
audit(1222363412.718:81): arch=c0000032 syscall=1210 success=no exit=-13 a0=60000fffff8927cf a1=60000fffff892690 a2=200000080036c6b8 a3=2000000800382580 items=0 ppid=6406 pid=6408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audispd" exe="/sbin/audispd" subj=system_u:system_r:audisp_t:s0 key=(null)
audit(1222363412.720:82): audit_pid=6406 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0


Also seeing to the above on i386:
audit(1222364140.365:122): avc:  denied  { unlink } for  pid=9002 comm="audispd" name="audispd_events" dev=dm-0 ino=54526127 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:audisp_var_run_t:s0 tclass=sock_file
audit(1222364140.365:123): audit_pid=0 old=9000 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
audit(1222364140.601:124): audit_pid=25445 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0

Comment 2 Daniel Walsh 2008-09-29 18:45:09 UTC
what is audispd labeled?

ls -lZ /sbin/audispd?

Comment 3 Alexander Todorov 2008-09-30 10:37:17 UTC
After install & before upgrade:
-rwxr-x---  root root system_u:object_r:sbin_t         /sbin/audispd

After upgrade:
-rwxr-x---  root root system_u:object_r:audisp_exec_t  /sbin/audispd

Comment 4 Daniel Walsh 2008-09-30 15:15:07 UTC
Ok well the second avc should disappear after upgrade also since audispd will run in a different domain then auditd_t which is allowed to unlink the sock_file.

Fixed in selinux-policy-2.4.6-161.el5

Comment 10 Daniel Walsh 2008-10-22 15:50:46 UTC
So why is audispd running as auditd_t and not as audisp_t.

The following two roles should have caused auditd_t to transition to audisp_t when it execs the app.

#sesearch --allow -s auditd_t -t audisp_t
Found 1 av rules:
   allow auditd_t audisp_t : process { transition signal }; 

# sesearch --allow -s auditd_t -t audisp_exec_t
Found 1 av rules:
   allow auditd_t audisp_exec_t : file { read getattr execute }; 

What is the label on audispd?

# ls -lZ /sbin/audispd
-rwxr-x---  root root system_u:object_r:audisp_exec_t:s0 /sbin/audispd

Comment 11 Alexander Todorov 2008-10-23 06:57:11 UTC
Context after install:
-rwxr-x---  root root system_u:object_r:sbin_t         /sbin/audispd

Context after the upgrade:
-rwxr-x---  root root system_u:object_r:audisp_exec_t  /sbin/audispd

Comment 12 Daniel Walsh 2008-10-23 14:50:01 UTC
If you do a 

# service auditd restart

what does

# ps -eZ | grep audisp

Show?

If this is running as audisp_t, then you should not see this problem any more.

Comment 13 Alexander Todorov 2008-10-24 11:10:08 UTC
OK, it's running as audisp_t and indeed I didn't see the problem. I was doing manual test but for some reason the automated one failed. 

Moving back to VERIFIED and will try to find out if this can reproduce more consistently with our automated test case.

Comment 15 errata-xmlrpc 2009-01-20 21:30:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html


Note You need to log in before you can comment on or make changes to this bug.