Bug 546672 - MLS policy: AVC denials after reboot
Summary: MLS policy: AVC denials after reboot
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-12-11 16:28 UTC by Eduard Benes
Modified: 2010-01-11 17:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-11 13:41:03 UTC
Target Upstream Version:
Embargoed:



Description Eduard Benes 2009-12-11 16:28:10 UTC
Here are 4 AVC denials found after reboot of a system in MLS policy.

# ausearch -m avc -ts recent -sv no

----
time->Fri Dec 11 16:43:51 2009
type=SYSCALL msg=audit(1260546231.239:27): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfbeeda0 a2=0 a3=81a5548 items=0 ppid=1 pid=2241 auid=4294967295 uid=43 gid=43 euid=43 suid=43 fsuid=43 egid=43 sgid=43 fsgid=43 tty=(none) ses=4294967295 comm="xfs" exe="/usr/bin/xfs" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546231.239:27): avc:  denied  { create } for  pid=2241 comm="xfs" name="fs7100" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
----
time->Fri Dec 11 16:43:51 2009
type=SYSCALL msg=audit(1260546231.431:28): arch=40000003 syscall=5 success=no exit=-13 a0=9cd3690 a1=42 a2=180 a3=9cd3658 items=0 ppid=1 pid=2254 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="anacron" exe="/usr/sbin/anacron" subj=system_u:system_r:crond_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546231.431:28): avc:  denied  { write } for  pid=2254 comm="anacron" name="cron.daily" dev=dm-0 ino=1116699 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
----
time->Fri Dec 11 16:43:56 2009
type=SYSCALL msg=audit(1260546236.053:29): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfaacdd0 a2=809e5e0 a3=2b67 items=0 ppid=2435 pid=2436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ricci" exe="/usr/sbin/ricci" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546236.053:29): avc:  denied  { name_bind } for  pid=2436 comm="ricci" src=11111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ricci_port_t:s0 tclass=tcp_socket
----
time->Fri Dec 11 16:44:32 2009
type=SYSCALL msg=audit(1260546272.924:30): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b6fa37e0 a2=359118 a3=0 items=0 ppid=1 pid=2022 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1260546272.924:30): avc:  denied  { write } for  pid=2022 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116623 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
----

# ausearch -m avc -ts recent | audit2allow

#============= crond_t ==============
allow crond_t system_cron_spool_t:file write;

#============= initrc_t ==============
allow initrc_t audisp_var_run_t:sock_file write;
allow initrc_t initrc_tmp_t:sock_file create;
allow initrc_t ricci_port_t:tcp_socket name_bind;

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls

# rpm -q selinux-policy-mls
selinux-policy-mls-2.4.6-255.el5_4.2

Comment 1 Daniel Walsh 2009-12-11 21:20:14 UTC
Did you install the MLS approved packages?  You seem to have some app running as initrc_t which needs policy written for it.

Comment 2 Eduard Benes 2009-12-14 10:01:19 UTC
Well, all are regular 5.4 packages. How should I check whether it is an MLS approved pkg?

# rpm -qf /usr/sbin/ricci /usr/bin/xfs /usr/sbin/anacron
ricci-0.12.2-6.el5
xorg-x11-xfs-1.0.2-4
anacron-2.3-45.el5

Comment 3 Daniel Walsh 2009-12-14 12:48:58 UTC
xorg/ricci are definitely not.

Steve do you have the list?

Comment 4 Steve Grubb 2009-12-14 14:27:07 UTC
The list is in the cert rpm. ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5. Anything in X is not part of the CC evaluation. However, is MLS limited to only the rpms from LSPP or is it reasonable to expect other applications to work in MLS?

Comment 5 Daniel Walsh 2009-12-15 13:20:53 UTC
MLS was only designed and tested to work with LSPP.  In RHEL6 I think we should broaden this.  But we simply did not include all of the policy modules in the mls policy to make this work.

Comment 6 Miroslav Grepl 2010-01-11 13:41:03 UTC
As per comments above I am closing it as NOTABUG.

Comment 7 Eduard Benes 2010-01-11 17:01:04 UTC
(In reply to comment #4)
> The list is in the cert rpm.
> ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5. Anything in X is not part
> of the CC evaluation. However, is MLS limited to only the rpms from LSPP or is
> it reasonable to expect other applications to work in MLS?   

I think the lists you are referring to can be found in the tarball from the RPM [1] in directory kickstart/src. So anything else not listed there is not expected to work in MLS on RHEL5. 

What do we plan for RHEL6? Is there going to be a list of supported/expected to work packages in MLS?

[1] - ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5/IBM/RPMS/lspp-eal4-config-ibm-0.65-2.el5.noarch.rpm
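
An added example, not from the bug report or from the selinux-policy package: a small Python parser over the four AVC records quoted in the description (reproduced below as a constructed sample string in audit.log format). It merges the denials into the same `allow` rules the `audit2allow` run in the description printed, and separately lists the programs whose source domain is `initrc_t`, which is the symptom Dan Walsh points at in comment 1: a service that the loaded policy never transitions into a domain of its own. An `allow initrc_t ...` rule generated from such a denial would apply to every init script running in that domain, which is why the answer in this thread is a policy module (or, on RHEL 5 MLS, an evaluated package) rather than a local allow rule. The function names and the `generic_domains` parameter are this example's own, not part of any SELinux tool.

```python
"""Merge SELinux AVC denials into audit2allow-style rules and flag the ones
that indicate a missing policy module rather than a missing allow rule.

Added example; not code from the bug report or the selinux-policy package.
SAMPLE_AUDIT_LOG is constructed from the four denials in the report."""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1260546231.239:27): avc:  denied  { create } for  pid=2241 comm="xfs" name="fs7100" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1260546231.431:28): avc:  denied  { write } for  pid=2254 comm="anacron" name="cron.daily" dev=dm-0 ino=1116699 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file
type=AVC msg=audit(1260546236.053:29): avc:  denied  { name_bind } for  pid=2436 comm="ricci" src=11111 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ricci_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1260546272.924:30): avc:  denied  { write } for  pid=2022 comm="setroubleshootd" name="audispd_events" dev=dm-0 ino=1116623 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:audisp_var_run_t:s15:c0.c1023 tclass=sock_file
"""

# One AVC record: permissions in braces, then comm=, scontext=, tcontext=, tclass=.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def split_context(ctx):
    """user:role:type:range -> (user, role, type, range).

    The MLS range itself contains ':' (e.g. s0-s15:c0.c1023), so split at
    most three times and keep the remainder as the range."""
    user, role, typ, mls = ctx.split(":", 3)
    return user, role, typ, mls


def parse_avc_records(text):
    """Return one dict per AVC line; SYSCALL records and separators are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        _, _, stype, srange = split_context(m.group("scontext"))
        _, _, ttype, trange = split_context(m.group("tcontext"))
        records.append({
            "comm": m.group("comm"),
            "stype": stype, "srange": srange,
            "ttype": ttype, "trange": trange,
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return records


def allow_rules(records):
    """Merge denials per (source type, target type, class) into
    'allow src tgt:class perm;' lines, sorted so the list matches the
    audit2allow output quoted in the report."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        perm_text = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {perm_text};")
    return rules


def undomained_services(records, generic_domains=("initrc_t",)):
    """Programs whose denial was raised from a generic init-script domain.

    Each one is a service the loaded policy never transitioned into its own
    domain (comment 1). An allow rule on initrc_t would cover every init
    script, so these need a policy module, not an audit2allow rule.
    generic_domains is this example's own parameter."""
    return sorted({r["comm"] for r in records if r["stype"] in generic_domains})


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(recs)))
    print("services running as a generic domain:", ", ".join(undomained_services(recs)))
```

Run against a real log with `ausearch -m avc -ts recent` piped in instead of the sample; the parser only looks at `type=AVC` lines, so the interleaved `SYSCALL` records and `----` separators in `ausearch` output are ignored. A denial whose source is `initrc_t` is the signal to stop and ask which package is involved, as comments 1 through 5 do, rather than to load the generated rules.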

