Bug 519748 - /var/run/utmp & /var/run/wtmp selinux context incorrectly set by rc.sysinit
Summary: /var/run/utmp & /var/run/wtmp selinux context incorrectly set by rc.sysinit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: initscripts
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: initscripts Maintenance Team
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 519749
Reported: 2009-08-27 16:44 UTC by Joey Boggs
Modified: 2011-01-13 23:05 UTC (History)

Fixed In Version: initscripts-8.45.32-1.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 519749
Environment:
Last Closed: 2011-01-13 23:05:28 UTC


Attachments (Terms of Use)
patch (332 bytes, patch)
2009-08-27 16:44 UTC, Joey Boggs


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0075 normal SHIPPED_LIVE initscripts bug fix update 2011-01-12 17:22:01 UTC

Description Joey Boggs 2009-08-27 16:44:08 UTC
Created attachment 358915 [details]
patch

Description of problem:
When a RHEL 5 machine boots, /var/run/* is deleted; in particular /var/run/utmp is removed and recreated, chmoded and chgrped. However, the security context is not set until the restorecond service starts. During that time the network service starts, and networks that provide the nisdomain dhcp option will get the following avc denied messages.

kernel: type=1400 audit(1249788594.546:7): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

kernel: type=1400 audit(1249788594.546:8): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file

The fix is to get the context type set to initrc_var_run_t rather than init_var_run_t, which is what rc.sysinit creates the file as.


Version-Release number of selected component (if applicable):
initscripts-8.45.30-2

How reproducible:


Steps to Reproduce:
1. install RHEL 5 with dhcp networking and selinux enforcing/permissive
2. setup dhcp to serve the nisdomain option (for dnsmasq it's "dhcp-option=40,$nisdomain")
3. boot system
4. check /var/log/messages or /var/log/audit/audit.log for avc denied errors like above
  
Actual results:
AVC errors in above problem description

Expected results:
/var/run/* contexts set correctly and no further avc denied errors.

Additional info:
This doesn't seem to break anything but since it produces unwanted avc errors it should be corrected.
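The report above leaves the operator with two practical tasks: recognising this specific mislabel in the audit trail, and confirming that /var/run/utmp carries the expected type after the fix. The script below is an added example written for this page, not the reporter's attached patch or any initscripts code. The two sample lines are the AVC denials quoted in the report, embedded here as constructed input; the expected type `initrc_var_run_t` is taken from the report. The function names (`avc_summarize`, `count_mislabeled_utmp`, `check_utmp_label`) are this example's own, and the live check assumes a `stat` that supports `%C` and simply reports "skipped" elsewhere.

```shell
#!/bin/sh
# Constructed sample input: the two AVC denials quoted in the bug report.
SAMPLE_AVC='kernel: type=1400 audit(1249788594.546:7): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file
kernel: type=1400 audit(1249788594.546:8): avc: denied  { read } for  pid=3427 comm="runlevel" name="utmp" dev=tmpfs ino=16569 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file'

# Type the report says /var/run/utmp should carry once rc.sysinit labels it correctly.
EXPECTED_UTMP_TYPE=initrc_var_run_t

# avc_summarize LOG_TEXT
# Reduce each "avc: denied" line to: permission comm name source_type target_type.
# Only the type field (third colon-separated component) of each context is kept,
# since that is what the policy decision in the report turns on.
avc_summarize() {
    printf '%s\n' "$1" | awk '/avc: denied/ {
        perm = ""; comm = ""; name = ""; st = ""; tt = "";
        # Permission set sits between "{ " and " }", e.g. "{ read }".
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "comm") comm = kv[2];
            else if (kv[1] == "name") name = kv[2];
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3]; }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3]; }
        }
        gsub(/"/, "", comm); gsub(/"/, "", name);
        print perm, comm, name, st, tt
    }'
}

# count_mislabeled_utmp LOG_TEXT
# Number of denials where the target is a file named utmp still typed init_var_run_t,
# i.e. the exact symptom described in the report. Prints 0 when there are none.
count_mislabeled_utmp() {
    avc_summarize "$1" | awk '$3 == "utmp" && $5 == "init_var_run_t" { n++ } END { print n + 0 }'
}

# check_utmp_label [PATH]
# Live check for a running system: compare the file's current SELinux type with
# EXPECTED_UTMP_TYPE. Prints "ok", "mismatch:<type>" or "skipped" (no SELinux-aware stat).
check_utmp_label() {
    path=${1:-/var/run/utmp}
    ctx=$(stat -c %C "$path" 2>/dev/null) || { echo skipped; return 0; }
    case $ctx in
        ''|'?') echo skipped; return 0 ;;
    esac
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ "$type" = "$EXPECTED_UTMP_TYPE" ]; then
        echo ok
    else
        echo "mismatch:$type"
    fi
}

# Stand-alone use: summarise the sample and count the mislabel hits.
avc_summarize "$SAMPLE_AVC"
echo "mislabeled utmp denials: $(count_mislabeled_utmp "$SAMPLE_AVC")"
```

To run the same summary against a real host, replace `"$SAMPLE_AVC"` with `"$(grep 'avc: denied' /var/log/audit/audit.log)"`; a non-zero count after the errata is applied means the label is still being set too late in boot, and `check_utmp_label` tells you which type the file actually carries.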

Comment 1 Bill Nottingham 2009-08-27 17:28:46 UTC
Not quite correct, but close. Fixed upstream at:

http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=9c489daad152a05c2d330f5cb92f49fadf45a084

Should be relatively easy to apply to a RHEL 5 code base.

Comment 2 RHEL Product and Program Management 2009-11-06 19:06:14 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 3 Fedora Update System 2009-12-05 15:22:29 UTC
initscripts-8.95.1-1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/initscripts-8.95.1-1

Comment 4 Fedora Update System 2009-12-22 04:49:38 UTC
initscripts-8.95.1-1 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 RHEL Product and Program Management 2010-06-04 15:59:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 9 errata-xmlrpc 2011-01-13 23:05:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0075.html

