Bug 597076 - "semanage boolean -l" can kill setroubleshoot
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: setroubleshoot
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: Milos Malik
Reported: 2010-05-28 01:04 EDT by Murray McAllister
Modified: 2015-01-04 17:36 EST
Doc Type: Bug Fix
Last Closed: 2012-07-27 08:48:37 EDT
Description Murray McAllister 2010-05-28 01:04:37 EDT
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Murray McAllister 2010-05-28 01:13:37 EDT
Slipped, sorry :(

Description of problem:
I ran "semanage boolean -l" and a denial popped up. Clicking the denial message displayed an empty setroubleshoot window with "connection lost to /var/run/setroubleshoot_server)". Subsequent denials are then logged only to audit.log (from what I could see). Further attempts to reproduce the issue required "semanage boolean -l" in a loop.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Client release 5.5 (Tikanga)
setroubleshoot-server-2.0.5-5.el5
setroubleshoot-2.0.5-5.el5
setroubleshoot-plugins-2.0.4-2.el5
selinux-policy-2.4.6-279.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
csb-selinux-policy-1.0-4.rhis
selinux-policy-devel-2.4.6-279.el5
selinux-policy-targeted-2.4.6-279.el5


How reproducible:
Often.

Steps to Reproduce:
1. run "semanage boolean -l".
2. if 1 does not do anything unexpected, put "semanage boolean -l" in a loop. The issue should occur before it has finished running 100 times.
3.

Actual results:
- denial pops up; lost connection to setroubleshoot server; no more denials to /var/log/messages until setroubleshoot service restarted.
- $ service setroubleshoot status
setroubleshootd dead but pid file exists

Expected results:


Additional info:
From /var/log/messages:

May 28 14:58:32 localhost setroubleshoot: SELinux is preventing semanage (semanage_t) "getattr" to / (fs_t). For complete SELinux messages. run sealert -l 553dcd31-6a8a-468c-9815-5e1c29e5c4cd
May 28 14:58:33 localhost last message repeated 18 times
May 28 14:58:33 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=user_u:system_r:setroubleshootd_t:s0, AVC scontext=user_u:system_r:setroubleshootd_t:s0
May 28 14:58:33 localhost setroubleshoot: [program.ERROR] audit event host=mycomputer type=AVC msg=audit(1275022712.28:947): avc:  denied  { getattr } for  pid=21379 comm="uname" name="/" dev=dm-0 ino=2 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem 
May 28 14:58:33 localhost setroubleshoot: [rpc.ERROR] exception KeyboardInterrupt:  Traceback (most recent call last):   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 940, in handle_client_io     self.receiver.feed(data)   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 762, in feed     self.process()   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 754, in process     self.dispatchFunc(self.header, self.body)   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 982, in default_request_handler     self.emit_rpc(rpc_id, 'method_return', rpc_callback_def, *return_args)   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 879, in emit_rpc     self.send_data(rpc_data)   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 887, in send_data     self.acquire_write_lock()   File "/usr/lib/python2.4/site-packages/setroubleshoot/rpc.py", line 836, in acquire_write_lock     self.write_lock.acquire() KeyboardInterrupt
May 28 14:58:33 localhost setroubleshoot: [avc.ERROR] Plugin Exception catchall  Traceback (most recent call last):   File "/usr/lib/python2.4/site-packages/setroubleshoot/analyze.py", line 159, in analyze_avc     report_receiver.report_problem(report)   File "/usr/lib/python2.4/site-packages/setroubleshoot/server.py", line 137, in report_problem     siginfo = super(AlertPluginReportReceiver, self).report_problem(siginfo)   File "/usr/lib/python2.4/site-packages/setroubleshoot/analyze.py", line 201, in report_problem     self.database.modify_siginfo(database_siginfo)   File "/usr/lib/python2.4/site-packages/setroubleshoot/analyze.py", line 416, in modify_siginfo     self.notify.signatures_updated('modify', siginfo.local_id)   File "/usr/lib/python2.4/site-packages/setroubleshoot/server.py", line 376, in signatures_updated     for client in self.connection_pool.clients('sealert'):   File "/usr/lib/python2.4/site-packages/setroubleshoot/server.py", line 118, in clients     for client in self.client_pool: RuntimeError: dictionary c
May 28 14:58:33 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=user_u:system_r:setroubleshootd_t:s0, AVC scontext=user_u:system_r:setroubleshootd_t:s0
May 28 14:58:33 localhost setroubleshoot: [program.ERROR] audit event host=mycomputer type=AVC msg=audit(1275022712.29:948): avc:  denied  { getattr } for  pid=21378 comm="sh" name="/" dev=dm-0 ino=2 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
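
A detection sketch for the failure shown in the log excerpt above, added here and not part of the original report or of setroubleshoot: it scans syslog text for the daemon's "exiting to avoid recursion" message and joins it with the AVC record logged on the following "audit event" line. The function and constant names are hypothetical; the sample lines are copied from the excerpt in comment 1.

```python
import re

# Sample input: four lines copied from the /var/log/messages excerpt in comment 1.
SAMPLE_LOG = """\
May 28 14:58:32 localhost setroubleshoot: SELinux is preventing semanage (semanage_t) "getattr" to / (fs_t). For complete SELinux messages. run sealert -l 553dcd31-6a8a-468c-9815-5e1c29e5c4cd
May 28 14:58:33 localhost last message repeated 18 times
May 28 14:58:33 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=user_u:system_r:setroubleshootd_t:s0, AVC scontext=user_u:system_r:setroubleshootd_t:s0
May 28 14:58:33 localhost setroubleshoot: [program.ERROR] audit event host=mycomputer type=AVC msg=audit(1275022712.28:947): avc:  denied  { getattr } for  pid=21379 comm="uname" name="/" dev=dm-0 ino=2 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

# The daemon's own "I denied myself, shutting down" message.
SELF_EXIT = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ setroubleshoot: \[program\.ERROR\] '
    r'setroubleshoot generated AVC, exiting to avoid recursion, context=(?P<ctx>\S+?),')

# Fields of the AVC record that the daemon logs right after that message.
AVC = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

def find_self_denial_exits(log_text):
    """Return one dict per 'exiting to avoid recursion' event, joined with
    the AVC record from the next 'audit event' line (None if not found)."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = SELF_EXIT.match(line)
        if m:
            pending = {"time": m.group("ts"),
                       "daemon_context": m.group("ctx"), "avc": None}
            events.append(pending)
            continue
        if pending is not None and "audit event" in line:
            a = AVC.search(line)
            if a:
                avc = a.groupdict()
                avc["perms"] = avc["perms"].split()  # "{ a b }" -> ["a", "b"]
                pending["avc"] = avc
            pending = None  # only the line directly tied to this exit
    return events

if __name__ == "__main__":
    for ev in find_self_denial_exits(SAMPLE_LOG):
        avc = ev["avc"] or {}
        print("%s setroubleshootd exited: %s denied %s on %s (%s)" % (
            ev["time"], avc.get("comm"), avc.get("perms"),
            avc.get("tcontext"), avc.get("tclass")))
```

Each returned event marks the point after which, per the report, denials were logged only to audit.log until the setroubleshoot service was restarted.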
Comment 2 Murray McAllister 2010-05-28 01:16:05 EDT
In comment #1, any reference to "semanage boolean -l" is running the command as a local user, not the root user.
Comment 4 RHEL Product and Program Management 2010-08-09 15:16:28 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
