Bug 546591 - MLS policy: Setroubleshoot daemon is dead after system boot
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team

Reported: 2009-12-11 06:10 EST by Eduard Benes
Modified: 2010-11-09 08:13 EST
Doc Type: Bug Fix
Last Closed: 2009-12-11 16:03:35 EST
Description Eduard Benes 2009-12-11 06:10:07 EST
Booting an MLS system revealed that the Setroubleshoot service is dead after boot.

# run_init service setroubleshoot status
Authenticating root.
Password: 
setroubleshootd dead but pid file exists
# chkconfig --list setroubleshoot
setroubleshoot 	0:off	1:off	2:off	3:on	4:on	5:on	6:off
Hmm, let's check some log files:
# less /var/log/messages

Found some sealert message ...
# sealert -l 03eca7f9-66b4-4d26-93ac-c1e8a36772c0
failed to connect to server: No such file or directory

# run_init service setroubleshoot restart
Authenticating root.
Password: 
Stopping setroubleshootd:                                  [FAILED]
Starting setroubleshootd:                                  [  OK  ]
# sealert -l 03eca7f9-66b4-4d26-93ac-c1e8a36772c0
query_alerts error (1003): id (03eca7f9-66b4-4d26-93ac-c1e8a36772c0) not found

# getenforce 
Permissive
# ausearch -m avc -ts recent
----
time->Fri Dec 11 10:53:11 2009
type=SYSCALL msg=audit(1260525191.571:106): arch=40000003 syscall=4 success=no exit=-32 a0=6 a1=9cb5250 a2=c3 a3=c3 items=0 ppid=1676 pid=1678 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audispd" exe="/sbin/audispd" subj=system_u:system_r:audisp_t:s15:c0.c1023 key=(null)
type=AVC msg=audit(1260525191.571:106): avc:  denied  { write } for  pid=1678 comm="audispd" path="socket:[10821]" dev=sockfs ino=10821 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Fri Dec 11 10:54:21 2009
type=SYSCALL msg=audit(1260525261.724:115): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfdc1900 a2=185118 a3=b7d65d2c items=0 ppid=1 pid=3307 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260525261.724:115): avc:  denied  { create } for  pid=3307 comm="setroubleshootd" name="setroubleshoot_server" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Fri Dec 11 10:54:21 2009
type=SYSCALL msg=audit(1260525261.724:116): arch=40000003 syscall=15 success=yes exit=0 a0=8724488 a1=1b6 a2=d988e4 a3=86e68ec items=0 ppid=1 pid=3307 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260525261.724:116): avc:  denied  { setattr } for  pid=3307 comm="setroubleshootd" name="setroubleshoot_server" dev=dm-0 ino=1116764 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Fri Dec 11 10:54:21 2009
type=SYSCALL msg=audit(1260525261.733:117): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b6fbc7e0 a2=185118 a3=0 items=0 ppid=1 pid=3310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260525261.733:117): avc:  denied  { write } for  pid=3310 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116621 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
----
time->Fri Dec 11 10:55:03 2009
type=SYSCALL msg=audit(1260525303.206:118): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf8ef670 a2=22c118 a3=b7cabc98 items=0 ppid=2460 pid=3313 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="sealert" exe="/usr/bin/python" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260525303.206:118): avc:  denied  { connectto } for  pid=3313 comm="sealert" path="/var/run/setroubleshoot/setroubleshoot_server" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket
[root@dhcp-lab-232 ~]# ausearch -m avc -ts recent | audit2allow

#============= audisp_t ==============
allow audisp_t self:unix_stream_socket write;

#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t var_run_t:sock_file { create setattr };

#============= sysadm_t ==============
allow sysadm_t initrc_t:unix_stream_socket connectto;

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls

# rpm -qa selinux-* setroubleshoot*
setroubleshoot-plugins-2.0.4-2.el5
selinux-policy-targeted-2.4.6-255.el5_4.2
selinux-policy-minimum-2.4.6-255.el5_4.2
selinux-policy-devel-2.4.6-255.el5_4.2
selinux-policy-mls-2.4.6-255.el5_4.2
setroubleshoot-server-2.0.5-5.el5
setroubleshoot-2.0.5-5.el5
selinux-policy-2.4.6-255.el5_4.2
selinux-policy-strict-2.4.6-255.el5_4.2
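
A triage sketch for the AVC records above, added here as an example and not part of the original report or of audit2allow: it prints the MLS level of source and target beside each denial, which the type-only allow rules in the audit2allow output leave out. The names `triage` and `split_context` and the flag strings are hypothetical; the sample records are copied from the report with the path, dev and ino fields dropped.

```python
import re

# AVC records copied from the report above (path, dev and ino fields dropped).
SAMPLE = """\
type=AVC msg=audit(1260525191.571:106): avc:  denied  { write } for  pid=1678 comm="audispd" scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:system_r:audisp_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1260525261.724:115): avc:  denied  { create } for  pid=3307 comm="setroubleshootd" name="setroubleshoot_server" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1260525303.206:118): avc:  denied  { connectto } for  pid=3313 comm="sealert" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r'denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)'
)


def split_context(ctx):
    """Split user:role:type:level; the level itself may contain ':'."""
    _user, _role, type_, level = ctx.split(":", 3)
    return type_, level


def triage(text):
    """Return (comm, perms, tclass, flags) for every AVC denial in text."""
    findings = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, slevel = split_context(m["s"])
        ttype, tlevel = split_context(m["t"])
        flags = []
        if slevel != tlevel:
            # An allow rule names only types, so it cannot express this difference.
            flags.append("same-type-level-mismatch" if stype == ttype
                         else "level-mismatch")
        if "initrc_t" in (stype, ttype):
            # One side of the denial runs in the init script domain.
            flags.append("initrc_t-involved")
        findings.append((m["comm"], m["perms"], m["cls"], flags))
    return findings


if __name__ == "__main__":
    for comm, perms, cls, flags in triage(SAMPLE):
        print(f"{comm:16} {perms:10} {cls:20} {', '.join(flags) or '-'}")
```
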
Comment 1 Daniel Walsh 2009-12-11 16:03:35 EST
Not supported.
