Bug 521105 - AVC denials for system daemons crond, ntpd, sedispatch, rsyslogd
Summary: AVC denials for system daemons crond, ntpd, sedispatch, rsyslogd
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-09-03 16:57 UTC by Roland Roberts
Modified: 2009-09-14 15:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-12 03:18:57 UTC
Type: ---
Embargoed:


Attachments
Output of sealert -l for all of the alerts. (55.37 KB, text/plain)
2009-09-03 16:57 UTC, Roland Roberts
sealert -l output for issues after policy 81 reinstall (38.56 KB, text/plain)
2009-09-10 16:05 UTC, Roland Roberts
Latest sealert -l output post fixfiles restore (55.50 KB, text/plain)
2009-09-12 02:16 UTC, Roland Roberts

Description Roland Roberts 2009-09-03 16:57:19 UTC
Created attachment 359703 [details]
Output of sealert -l for all of the alerts.

Description of problem:

On a newly upgraded laptop from Fedora 10 -> Fedora 11 followed by installing all updates, I am getting a lot of access denials from selinux.  selinux is running in permissive mode and I have already tried both relabeling on boot and running restorecon recursively on the entire filesystem (except for /home).

Examples include 

SELinux is preventing rsyslogd (syslogd_t) "syslog_mod" kernel_t. 
SELinux is preventing crond (crond_t) "create" system_crond_t.
SELinux is preventing sedispatch (auditd_t) "search" to / (security_t). 
SELinux is preventing sedispatch (auditd_t) "read" security_t. 
SELinux is preventing crond (crond_t) "search" unconfined_t. 
SELinux is preventing crond (crond_t) "read" inotifyfs_t. 
SELinux is preventing ntpd (ntpd_t) "search" root_t. 


Version-Release number of selected component (if applicable):

selinux-policy-3.6.12-80.fc11.noarch


How reproducible:


Steps to Reproduce:
1. up-to-date fedora 10, only extra repo is rpm-fusion
2. upgrade (via DVD, not live via yum) to Fedora 11
3. yum clean all
4. yum -y update (and wait a long time)
5. reboot and log in
  
Actual results:


Expected results:

I expect no avc denials from core utilities like sedispatch(!), crond, ntpd, and rsyslog.

Additional info:

Comment 1 Miroslav Grepl 2009-09-04 08:42:34 UTC
Could you try executing

# yum reinstall selinux-policy-targeted

and make sure there aren't issues during re-install.

Comment 2 Roland Roberts 2009-09-04 13:18:05 UTC
I've got an error during reinstall:


284 roland> sudo yum reinstall selinux-policy-targeted
[sudo] password for roland: 
/usr/lib/yum-plugins/fedorakmod.py:25: DeprecationWarning: the sets module is deprecated
  from sets import Set
Loaded plugins: allowdowngrade, dellsysidplugin2, downloadonly, fastestmirror, fedorakmod, kernel-module, kmdl, list-data, priorities, protect-packages, protectbase, refresh-packagekit, verify
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * fedora: mirrors.ptd.net
 * rpmfusion-free: lordmorgul.net
 * rpmfusion-free-updates: lordmorgul.net
 * rpmfusion-nonfree: lordmorgul.net
 * rpmfusion-nonfree-updates: lordmorgul.net
 * updates: mirrors.ptd.net
0 packages excluded due to repository protections
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy-targeted.noarch 0:3.6.12-80.fc11 set to be erased
---> Package selinux-policy-targeted.noarch 0:3.6.12-80.fc11 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================================================================================================
 Package                                                            Arch                                              Version                                                    Repository                                            Size
============================================================================================================================================================================================================================================
Installing:
 selinux-policy-targeted                                            noarch                                            3.6.12-80.fc11                                             updates                                              2.2 M
Removing:
 selinux-policy-targeted                                            noarch                                            3.6.12-80.fc11                                             installed                                            2.3 M

Transaction Summary
============================================================================================================================================================================================================================================
Install      1 Package(s)         
Update       0 Package(s)         
Remove       1 Package(s)         

Total download size: 2.2 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-3.6.12-80.fc11.noarch.rpm                                                                                                                                                                    | 2.2 MB     00:06     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing        : selinux-policy-targeted-3.6.12-80.fc11.noarch                                                                                                                                                                        1/2 
  Installing     : selinux-policy-targeted-3.6.12-80.fc11.noarch                                                                                                                                                                        1/2 
libsepol.scope_copy_callback: unconfined: Duplicate declaration in module: type/attribute unconfined_devpts_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

Removed:
  selinux-policy-targeted.noarch 0:3.6.12-80.fc11                                                                                                                                                                                           

Installed:
  selinux-policy-targeted.noarch 0:3.6.12-80.fc11                                                                                                                                                                                           

Complete!

Comment 3 Daniel Walsh 2009-09-08 10:51:36 UTC
Try to install policy 81, it will add back the unconfineduser which should solve your problem.

Comment 4 Roland Roberts 2009-09-10 16:04:37 UTC
Okay, I reinstalled policy 81, then reinstalled selinux-policy-targeted, this time without any errors.  I then ran restorecon -v -R on the directories that were giving me trouble (e.g., /var, /sbin, /bin, /etc).  I have since rebooted and am still getting numerous warnings in the past couple of hours (but far fewer than before!).

[root@aristarchus ~]# grep -E 'Sep 10 (09|10|11):.*setroubleshoot:' /var/log/messages | cut -b29- | sort -u
setroubleshoot: [program.ERROR] audit event#012node=aristarchus.rlent.pnet type=AVC msg=audit(1252587752.983:56): avc:  granted  { sys_chroot } for  pid=2677 comm="avahi-daemon" capability=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability#012#012node=aristarchus.rlent.pnet type=SYSCALL msg=audit(1252587752.983:56): arch=40000003 syscall=61 success=yes exit=0 a0=805b222 a1=4ea380 a2=1 a3=856e5f0 items=1 ppid=1 pid=2677 auid=4294967295 uid=70 gid=70 euid=70 suid=70 fsuid=70 egid=70 sgid=70 fsgid=70 tty=(none) ses=4294967295 comm="avahi-daemon" exe="/usr/sbin/avahi-daemon" subj=system_u:system_r:init_t:s0 key=(null)#012#012node=aristarchus.rlent.pnet type=CWD msg=audit(1252587752.983:56): cwd="/"#012#012node=aristarchus.rlent.pnet type=PATH msg=audit(1252587752.983:56): item=0 name="/etc/avahi" inode=6783196 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:init_t:s0, AVC scontext=system_u:system_r:init_t:s0
setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_root_t. For complete SELinux messages. run sealert -l 5a8acedc-325d-4064-9d0f-3486d126dc76
setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_var_www_t. For complete SELinux messages. run sealert -l 71057106-5253-4a3d-ab08-07c610455290
setroubleshoot: SELinux is preventing crond (crond_t) "search" system_crond_t. For complete SELinux messages. run sealert -l c8bd6aef-33ea-48dd-91f0-7ddf9f2301c5
setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 9ad5a617-601e-4295-ab1c-d7f0fcdf59a6
setroubleshoot: SELinux is preventing dhclient (dhclient_t) "read" to /var/run/nm-dhclient-eth0.conf (dir_var_run_t). For complete SELinux messages. run sealert -l 1380f222-d08c-430f-8163-fa28c676c3d8
setroubleshoot: SELinux is preventing nm-dhcp-client. (dhclient_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l 06fac788-8857-429c-b580-b4476790080c
setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "sys_admin" syslogd_t. For complete SELinux messages. run sealert -l d5384fb8-d439-423d-90cc-4367a7c883df
setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "syslog_mod" kernel_t. For complete SELinux messages. run sealert -l e59b4a5c-e94b-4993-a12d-450fd2af8fe1
setroubleshoot: SELinux is preventing sedispatch (auditd_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l c125c2ef-533b-4155-bbfe-f279f7309e0e
setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 8245e4bc-b310-45c0-b61f-5c51218d8d01

I'm also attaching the output of sealert -l for all of the above.

Comment 5 Roland Roberts 2009-09-10 16:05:32 UTC
Created attachment 360530 [details]
sealert -l output for issues after policy 81 reinstall

Comment 6 Daniel Walsh 2009-09-10 16:09:10 UTC
Still seem to have some labeling issue.

Run fixfiles restore and let it relabel the entire machine.

Comment 7 Roland Roberts 2009-09-12 02:16:00 UTC
Created attachment 360749 [details]
Latest sealert -l output post fixfiles restore

Okay, fixfiles ran, rebooted, got more errors like the above.  In fact, indistinguishable from the above.  Syslog stuff below, sealert -l attached.

I'm really puzzled.  Is there a sequence to the reinstalls I should be following?  Or something I should not be reinstalling?  Note that last time I reinstalled policy 81 and then reinstalled selinux-policy-targeted.  Should I have not done the latter?

Sep 11 21:57:29 aristarchus setroubleshoot: SELinux is preventing auditd (auditd_t) "nlmsg_read" auditd_t. For complete SELinux messages. run sealert -l 2e6bb133-91cc-43f2-ac3f-0a79c5d140c9
Sep 11 21:57:30 aristarchus setroubleshoot: SELinux is preventing audispd (auditd_t) "execute" usr_sbin_t. For complete SELinux messages. run sealert -l b8ee3117-5d1d-452c-b6a9-34237fb55359
Sep 11 21:57:30 aristarchus setroubleshoot: SELinux is preventing audispd (auditd_t) "execute" usr_sbin_t. For complete SELinux messages. run sealert -l b8ee3117-5d1d-452c-b6a9-34237fb55359
Sep 11 21:57:30 aristarchus setroubleshoot: SELinux is preventing audispd (auditd_t) "execute" usr_sbin_t. For complete SELinux messages. run sealert -l b8ee3117-5d1d-452c-b6a9-34237fb55359
Sep 11 21:57:35 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "search" to /etc/selinux/config (dir_etc_selinux_t). For complete SELinux messages. run sealert -l 4ecc60c5-6f4f-40fb-ba35-02174e18c58c
Sep 11 21:57:35 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "search" to /etc/selinux/config (dir_etc_selinux_t). For complete SELinux messages. run sealert -l 4ecc60c5-6f4f-40fb-ba35-02174e18c58c
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "search" security_t. For complete SELinux messages. run sealert -l 8b30689f-65a4-43f9-a913-d9734fbd4d2d
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "read" security_t. For complete SELinux messages. run sealert -l 68d103ef-3f42-4753-8a2e-bac7e92f5805
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l c125c2ef-533b-4155-bbfe-f279f7309e0e
Sep 11 21:57:36 aristarchus setroubleshoot: SELinux is preventing sedispatch (auditd_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l c125c2ef-533b-4155-bbfe-f279f7309e0e
Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
Sep 11 21:58:04 aristarchus setroubleshoot: SELinux is preventing rsyslogd (syslogd_t) "read" proc_kmsg_t. For complete SELinux messages. run sealert -l 951fb7e8-f666-481f-992b-7c2608e296ea
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing dhclient (dhclient_t) "read" to /var/run/nm-dhclient-wlan0.conf (dir_var_run_t). For complete SELinux messages. run sealert -l 555d19b8-c988-4b4e-8ad0-4ec519924970
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 7e065ee7-e146-421b-bb40-180bd121de44
Sep 11 21:58:12 aristarchus setroubleshoot: SELinux is preventing nm-dhcp-client. (dhclient_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l 06fac788-8857-429c-b580-b4476790080c
Sep 11 21:58:13 aristarchus setroubleshoot: SELinux is preventing nm-dhcp-client. (dhclient_t) "write" to (null) (var_run_t). For complete SELinux messages. run sealert -l 06fac788-8857-429c-b580-b4476790080c
Sep 11 22:00:01 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute_no_trans" sbin_t. For complete SELinux messages. run sealert -l 09171bd7-8b4e-4d5e-b3e6-7c09ebc09e55
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 2974976e-ccda-4030-a624-c71f071d2dfd
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 2974976e-ccda-4030-a624-c71f071d2dfd
Sep 11 22:00:02 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "search" system_crond_t. For complete SELinux messages. run sealert -l 63c17f67-3fd4-4830-869d-f7f35278a0f6
Sep 11 22:00:03 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_var_www_t. For complete SELinux messages. run sealert -l f751045c-423c-4a22-9155-5731d4d43c99
Sep 11 22:00:03 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_root_t. For complete SELinux messages. run sealert -l 17cc2d83-5b8f-4e64-b1e0-eef0a9fc7094
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing unix_chkpwd (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 297aded2-bb84-4f17-814f-b38399144d03
Sep 11 22:01:01 aristarchus setroubleshoot: SELinux is preventing crond (crond_t) "setkeycreate" crond_t. For complete SELinux messages. run sealert -l 2974976e-ccda-4030-a624-c71f071d2dfd
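
Added example (not part of any comment in this bug): the syslog excerpts in Comments 4 and 7 repeat the same denial many times, so this script collapses setroubleshoot lines into counted, unique (command, source domain, permission, target) tuples and lists type names missing from a reference list. The function names, the one-type-per-line reference file (for instance saved from `seinfo -t` on a host running only the intended policy) and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize setroubleshoot syslog lines in the format shown in this bug.

# stdin: syslog lines; stdout: "count comm source_domain permission target"
summarize_denials() {
  awk '
    /setroubleshoot: SELinux is preventing / {
      msg = $0
      sub(/^.*SELinux is preventing (the )?/, "", msg)    # drop syslog prefix
      sub(/\. For complete SELinux messages.*$/, "", msg)  # drop sealert hint
      n = split(msg, f, " ")
      comm = f[1]; sub(/\.$/, "", comm)      # "nm-dhcp-client." -> "nm-dhcp-client"
      dom = f[2];  gsub(/[()]/, "", dom)
      if (f[3] ~ /^"/) {                     # "perm" type  or  "perm" to path (type)
        perm = f[3]; gsub(/"/, "", perm)
        tgt = f[n];  gsub(/[()]/, "", tgt)
      } else if (f[3] == "from") {           # "from executing /path": target is a path
        perm = "execute"; tgt = f[n]
      } else next
      seen[comm " " dom " " perm " " tgt]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# $1: file with one known type name per line (assumed format)
# stdin: output of summarize_denials; stdout: type names absent from $1
unknown_types() {
  awk -v ref="$1" '
    BEGIN { while ((getline t < ref) > 0) { gsub(/[ \t]/, "", t); known[t] = 1 } }
    { for (i = 3; i <= 5; i += 2)            # field 3 = source domain, 5 = target
        if ($i ~ /^[a-z0-9_]+_t$/ && !($i in known)) print $i }
  ' | LC_ALL=C sort -u
}

# Constructed sample in the same format as the log in the thread (IDs are placeholders).
sample_log() {
  cat <<'EOF'
Sep 11 22:00:01 host setroubleshoot: SELinux is preventing crond (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Sep 11 22:00:02 host setroubleshoot: SELinux is preventing crond (crond_t) "execute" sbin_t. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000001
Sep 11 22:00:03 host setroubleshoot: SELinux is preventing crond (crond_t) "search" dir_root_t. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000002
Sep 11 21:58:12 host setroubleshoot: SELinux is preventing dhclient (dhclient_t) "read" to /var/run/nm-dhclient-wlan0.conf (dir_var_run_t). For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000003
Sep 11 21:58:12 host setroubleshoot: SELinux is preventing the nm-dhcp-client. (dhclient_t) from executing /usr/libexec/nm-dhcp-client.action. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000004
Sep 11 21:58:13 host setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion
EOF
}

sample_log | summarize_denials
```
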

Comment 8 Daniel Walsh 2009-09-12 03:18:57 UTC
You have some strange policy installed on your machine.  Are you running seedit?

Please remove that policy and just use selinux-policy-targeted.  If you want to use that policy, then switch to it.  You can not run targeted policy and seedit at the same time.

Comment 9 Roland Roberts 2009-09-13 00:11:03 UTC
Yes, I did have seedit installed.

While I can appreciate that the two policies are incompatible, I'd like to point out (1) under Fedora 10 I was not having this problem and I have no idea whether or not I actually had both of them installed then, and (2) this was a straightforward upgrade.  So perhaps this issue should be recategorized as an upgrade issue or put in an upgrade FAQ like "you should remove either selinux-policy-targeted or seedit before upgrading as you cannot run both."

I've removed seedit, but now everything is totally whacked.  After removing it, I CAN'T run fixfiles.  Nor can I reinstall selinux-policy or selinux-policy-targeted:

[root@aristarchus ~]# yum -y reinstall selinux-policy selinux-policy-targeted
Loaded plugins: allowdowngrade, dellsysidplugin2, downloadonly, fastestmirror, kernel-module, kmdl, list-data, priorities, protect-packages, protectbase, refresh-packagekit, verify
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * fedora: mirror.liberty.edu
 * rpmfusion-free: mirror.liberty.edu
 * rpmfusion-free-updates: mirror.liberty.edu
 * rpmfusion-nonfree: mirror.liberty.edu
 * rpmfusion-nonfree-updates: mirror.liberty.edu
 * updates: mirror.liberty.edu
0 packages excluded due to repository protections
No package selinux-policy available.
  * Maybe you meant: selinux-policy
No package selinux-policy-targeted available.
  * Maybe you meant: selinux-policy-targeted
Nothing to do

Note that it "suggests" the exact package I attempted to install(!)



[root@aristarchus ~]# fixfiles restore
/etc/selinux/targeted/contexts/files/file_contexts:  line 3 has invalid context system_u:object_r:quota_db_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 4 has invalid context system_u:object_r:xen_image_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 5 has invalid context system_u:object_r:mnt_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 6 has invalid context system_u:object_r:mnt_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 15 has invalid context system_u:object_r:device_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 18 has invalid context system_u:object_r:admin_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 19 has invalid context system_u:object_r:usb_device_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 21 has invalid context system_u:object_r:mouse_device_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:  line 23 has invalid context system_u:object_r:fixed_disk_device_t:s0
Exiting after 10 errors.

Comment 10 Roland Roberts 2009-09-13 00:15:28 UTC
The workaround to the reinstall problem was to uninstall them.  This also removed policycoreutils and setroubleshoot, which had to be reinstalled.  I'm now running fixfiles restore.

Comment 11 Daniel Walsh 2009-09-14 15:59:32 UTC
I am adding a conflicts statement to selinux-policy-targeted and friends so you can not install both at the same time.
