Bug 464079 - avc: denied { search / unlink } for comm="audispd"
avc: denied { search / unlink } for comm="audispd"
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Alexander Todorov
Depends On:
  Show dependency treegraph
Reported: 2008-09-26 04:01 EDT by Alexander Todorov
Modified: 2014-03-29 14:57 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-20 16:30:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Alexander Todorov 2008-09-26 04:01:32 EDT
Description of problem:
During upgrade with yum from RHEL5.2-Server to RHEL5.3-Server-20080922.0 there's a SELinux denial.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install RHEL5.2-Server, @everything
2. configure yum repos for latest release
3. do yum update
Actual results:
SELinux denial

Expected results:
No SElinux denial

Additional info:
audit(1222363412.600:80): audit_pid=0 old=6466 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
audit(1222363412.718:81): avc:  denied  { search } for  pid=6408 comm="audispd" name="sbin" dev=dm-0 ino=7929857 scontext=system_u:system_r:audisp_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
audit(1222363412.718:81): arch=c0000032 syscall=1210 success=no exit=-13 a0=60000fffff8927cf a1=60000fffff892690 a2=200000080036c6b8 a3=2000000800382580 items=0 ppid=6406 pid=6408 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audispd" exe="/sbin/audispd" subj=system_u:system_r:audisp_t:s0 key=(null)
audit(1222363412.720:82): audit_pid=6406 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0

Also seeing to the above on i386:
audit(1222364140.365:122): avc:  denied  { unlink } for  pid=9002 comm="audispd" name="audispd_events" dev=dm-0 ino=54526127 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:audisp_var_run_t:s0 tclass=sock_file
audit(1222364140.365:123): audit_pid=0 old=9000 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
audit(1222364140.601:124): audit_pid=25445 old=0 by auid=4294967295 subj=system_u:system_r:auditd_t:s0
Comment 2 Daniel Walsh 2008-09-29 14:45:09 EDT
what is audispd labeled?

ls -lZ /sbin/audispd?
Comment 3 Alexander Todorov 2008-09-30 06:37:17 EDT
After install & before upgrade:
-rwxr-x---  root root system_u:object_r:sbin_t         /sbin/audispd

After upgrade:
-rwxr-x---  root root system_u:object_r:audisp_exec_t  /sbin/audispd
Comment 4 Daniel Walsh 2008-09-30 11:15:07 EDT
Ok well the second avc should disappear after upgrade also since audispd will run in a different domain then auditd_t which is allowed to unlink the sock_file.

Fixed in selinux-policy-2.4.6-161.el5
Comment 10 Daniel Walsh 2008-10-22 11:50:46 EDT
So why is audispd running as auditd_t and not as audisp_t.

The following two roles should have caused auditd_t to transition to audisp_t when it execs the app.

#sesearch --allow -s auditd_t -t audisp_t
Found 1 av rules:
   allow auditd_t audisp_t : process { transition signal }; 

# sesearch --allow -s auditd_t -t audisp_exec_t
Found 1 av rules:
   allow auditd_t audisp_exec_t : file { read getattr execute }; 

What is the label on audispd?

# ls -lZ /sbin/audispd
-rwxr-x---  root root system_u:object_r:audisp_exec_t:s0 /sbin/audispd
Comment 11 Alexander Todorov 2008-10-23 02:57:11 EDT
Context after install:
-rwxr-x---  root root system_u:object_r:sbin_t         /sbin/audispd

Context after the upgrade:
-rwxr-x---  root root system_u:object_r:audisp_exec_t  /sbin/audispd
Comment 12 Daniel Walsh 2008-10-23 10:50:01 EDT
If you do a 

# service auditd restart

what does

# ps -eZ | grep audisp


If this is running as audisp_t, then you should not see this problem any more.
Comment 13 Alexander Todorov 2008-10-24 07:10:08 EDT
OK, it's running as audisp_t and indeed I didn't see the problem. I was doing manual test but for some reason the automated one failed. 

Moving back to VERIFIED and will try to find out if this can reproduce more consistently with our automated test case.
Comment 15 errata-xmlrpc 2009-01-20 16:30:58 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.