Bug 546567 - AVCs appeared during setroubleshoot service start/stop when running SElinux in MLS mode
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2009-12-11 04:07 EST by Milos Malik
Modified: 2009-12-11 15:36 EST
Doc Type: Bug Fix
Last Closed: 2009-12-11 15:36:19 EST

Description Milos Malik 2009-12-11 04:07:05 EST
Description of problem:
SELinux seems to block some operations which the setroubleshoot init script wants done during the start/stop procedure.

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-255.el5
selinux-policy-targeted-2.4.6-255.el5
selinux-policy-2.4.6-255.el5
setroubleshoot-plugins-2.0.4-2.el5
setroubleshoot-server-2.0.5-5.el5

How reproducible:
always

Steps to Reproduce:
1. setup a MLS machine
2. setenforce 1
3. run_init service setroubleshoot start
4. sleep 1
5. run_init service setroubleshoot stop
6. sleep 1
7. ausearch -m AVC -ts recent
----
time->Fri Dec 11 04:00:10 2009
type=SYSCALL msg=audit(1260522010.186:64): arch=c0000032 syscall=1192 success=no exit=-13 a0=5 a1=2000000006175730 a2=19 a3=20000000075b2544 items=0 ppid=1 pid=30728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260522010.186:64): avc:  denied  { write } for  pid=30728 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=21954782 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
----
time->Fri Dec 11 04:00:10 2009
type=SYSCALL msg=audit(1260522010.192:65): arch=c0000032 syscall=1191 success=no exit=-13 a0=5 a1=2000000006175730 a2=2f a3=2000000000250158 items=0 ppid=1 pid=30725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260522010.192:65): avc:  denied  { create } for  pid=30725 comm="setroubleshootd" name="setroubleshoot_server" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
8. tail -n 1 /var/log/messages
Dec 11 04:00:10 nec-nx2-1 setroubleshoot: [server.ERROR] cannot start systen DBus service: Connection ":1.7" is not allowed to own the service "com.redhat.setroubleshootd" due to security policies in the configuration file

Actual results:
2 AVCs

Expected results:
no AVCs
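The two AVC records above, parsed and summarised the way audit2allow would present them, as an added example that is not part of the bug report or of the selinux-policy package. The sample records are the ones quoted in the description, embedded so the script runs offline; the function names and the rule layout are this example's own. The point worth checking is not the allow rules themselves: granting initrc_t (the domain every init script runs in) write access to the audispd socket and create access on var_run_t sock_files would be far too broad. The useful signal is that comm="setroubleshootd" is running as initrc_t at all, i.e. no domain transition to a setroubleshootd domain happened, which is what one expects if, as comment 1 states, the MLS policy simply has no setroubleshoot module (in the targeted policy the daemon runs as setroubleshootd_t).

```python
import re

# Constructed sample: the two AVC lines from this bug report, verbatim,
# so the parser can be exercised without an MLS host or an audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1260522010.186:64): avc:  denied  { write } for  pid=30728 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=21954782 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
type=AVC msg=audit(1260522010.192:65): avc:  denied  { create } for  pid=30725 comm="setroubleshootd" name="setroubleshoot_server" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# Matches the "avc:  denied  { perm perm } for  key=value ..." part of a record.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either "quoted" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def context_type(ctx):
    """user:role:type[:range] -> the type, the part type enforcement decides on."""
    return ctx.split(':')[2]


def context_range(ctx):
    """The MLS range (e.g. 's0-s15:c0.c1023'), or None for a non-MLS context."""
    parts = ctx.split(':', 3)
    return parts[3] if len(parts) > 3 else None


def summarize(text):
    """Group denials by (source type, target type, class), unioning the permissions."""
    rules = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules


def allow_rules(rules):
    """Render the summary as TE allow rules, in the shape audit2allow prints them."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def undomained_daemons(text):
    """Names of processes denied while still in initrc_t: daemons that never
    left the init-script domain, i.e. the policy has no domain for them."""
    found = set()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and context_type(rec['scontext']) == 'initrc_t' and rec['comm']:
            found.add(rec['comm'])
    return found


if __name__ == '__main__':
    for rule in allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
    for comm in sorted(undomained_daemons(SAMPLE_AVCS)):
        print('%s runs as initrc_t: no domain transition defined for it' % comm)
```

Run it against real output with `ausearch -m AVC -ts recent | python3 thisfile.py` after swapping SAMPLE_AVCS for stdin; an empty result from undomained_daemons() on a host where the daemon is expected to have its own domain is the quick way to tell a missing-module problem from an ordinary missing-rule one.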
Comment 1 Daniel Walsh 2009-12-11 15:36:19 EST
setroubleshoot is not supported in an MLS environment.  You would need to grab the policy from targeted/strict and make it work in MLS environment.  MLS only supports a small subset of apps that run in RHEL5.  Anything else the user of MLS is responsible for writing policy for it.
