Bug 471160 - RHTS test fails to run correctly - selinux messages only evidence
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
5.4
All Linux
medium Severity medium
Assigned To: Daniel Walsh
BaseOS QE
Reported: 2008-11-11 22:45 EST by Ian Kent
Modified: 2016-06-08 06:42 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:31:30 EST
Description Ian Kent 2008-11-11 22:45:08 EST
Description of problem:

I have written an RHTS test to test for insufficient buffer space
when checking available interfaces to estimate their proximity in
autofs.

Running this test we see a bunch of ifconfig error messages like:
address: Unknown host
ifconfig: `--help' gives usage information.

and a bunch of what appear to be related selinux AVCs of the form:
time->Tue Nov 11 10:00:15 2008
type=SYSCALL msg=audit(1226415615.381:8): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff6bea1cc0 a2=6e a3=3 items=0 ppid=3710 pid=5173 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1226415615.381:8): avc:  denied  { search } for  pid=5173 comm="ifconfig" name="nscd" dev=dm-0 ino=31031363 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir

When these ifconfig commands are run manually on a RHEL-5 install
they work as expected. I've tried these with an selinux-policy and
selinux-policy-targeted of the same revision used in one run of the
RHTS test (2.4.6-137.el5) to verify the above.

Can you help with identifying what is causing this apparent contradiction?


How reproducible:
Every time the RHTS test is run.


Steps to Reproduce:
Run the autofs workflow using subtest bz458252 using:
autofs_workflow.py -a x86_64 -p autofs -f RedHatEnterpriseLinuxServer5 \
-u <your email user name>@redhat.com -S rhts.redhat.com -s bz458252
  
Actual results:
As described above.


Expected results:
RHTS test successfully able to configure logical interfaces to provide
required environment for test.
Comment 1 Daniel Walsh 2008-11-13 09:10:42 EST
I doubt the avc has any relation to hostname failure.
Comment 2 Ian Kent 2008-11-13 09:22:31 EST
(In reply to comment #1)
> I doubt the avc has any relation to hostname failure.

As far as I can tell, the syntax is correct; the commands,
formatted exactly as they are, run correctly on a RHEL-5
install and no selinux messages are generated.

This is nothing to do with host name resolution, it is just
the way in which the ifconfig is reporting an error it has
received. In fact no host name translation is needed since 
the interfaces are assigned ip addresses.

I will, however, look again, in case I'm missing something, but I
doubt it.

What I'm asking you is
1) What is the source of those avc messages.
2) How can nscd be related to ifconfig, IOW, what is nscd doing
in the second avc.
3) What differences could there possibly be for the root user
when running under RHTS as opposed to an interactive login.
Comment 3 Daniel Walsh 2008-11-13 17:55:48 EST
ifconfig is doing a gethostname call which is looking in nscd for a host name translation.

Fixed in selinux-policy-2.4.6-187.el5
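
The following is an added example, not part of the original bug report or of any Red Hat tooling: a small triage script that pairs the SYSCALL and AVC records quoted in the description by their audit event ID and decodes them. The syscall table is a deliberately partial x86_64 mapping, and the function names are illustrative. It shows the denial came from a failed connect() with a 110-byte address (the size of a Unix-domain socket address on Linux), with ifconfig_t refused search on a directory labeled nscd_var_run_t.

```python
import errno
import re
from collections import defaultdict

# The two audit records quoted in the bug description (copied from the page).
AUDIT_LOG = '''\
type=SYSCALL msg=audit(1226415615.381:8): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff6bea1cc0 a2=6e a3=3 items=0 ppid=3710 pid=5173 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)
type=AVC msg=audit(1226415615.381:8): avc:  denied  { search } for  pid=5173 comm="ifconfig" name="nscd" dev=dm-0 ino=31031363 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
'''

# Partial x86_64 syscall table (arch=c000003e); only what this example needs.
X86_64_SYSCALLS = {41: "socket", 42: "connect", 59: "execve"}

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by event id (timestamp:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, stamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events[f"{stamp}:{serial}"][rtype] = fields
    return dict(events)

def explain(event):
    """Summarise a denial: which syscall failed, with what errno, on what."""
    sc, avc = event["SYSCALL"], event["AVC"]
    nr = int(sc["syscall"])
    known = X86_64_SYSCALLS if sc["arch"] == "c000003e" else {}
    return {
        "syscall": known.get(nr, f"nr {nr}"),
        "errno": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
        "addrlen": int(sc["a2"], 16),  # third argument of connect()
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "perms": avc["perms"],
    }

if __name__ == "__main__":
    for eid, ev in parse_events(AUDIT_LOG).items():
        print(eid, explain(ev))
```
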
Comment 4 Ian Kent 2008-11-13 22:52:49 EST
(In reply to comment #3)
> ifconfig is doing a gethostname call which is looking in nscd for a host name
> translation.
> 
> Fixed in selinux-policy-2.4.6-187.el5

Running the RHTS test with policy revision 188 still fails
in the same way.
Comment 5 Daniel Walsh 2008-11-14 08:55:02 EST
So are you still seeing the avcs?
Comment 6 Ian Kent 2008-11-14 09:24:50 EST
(In reply to comment #5)
> So are you still seeing the avcs?

No.
Comment 9 Daniel Walsh 2008-11-14 11:09:47 EST
So probably not an selinux bug, but a host lookup bug.
Comment 12 Ian Kent 2008-12-01 09:55:16 EST
(In reply to comment #9)
> So probably not an selinux bug, but a host lookup bug.

As it turns out ifconfig gives inconsistent results between
different RHEL releases and Fedora releases. I'm happy to
agree that the syntax I used isn't quite right even though
it worked fine in 3 out of four releases (2 RHEL and 2 Fedora)
I tested. So my bad.

However, the change here did eliminate what were unneeded
AVC messages, but that's your call Dan.
Comment 15 errata-xmlrpc 2009-01-20 16:31:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
