Bug 610812 - SELinux Policy does not allow freeradius2 to disable core dumps
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware/OS: All Linux
Priority: low
Severity: low
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2010-07-02 09:53 EDT by Ben Wiechman
Modified: 2011-07-21 07:49 EDT
Fixed In Version: selinux-policy-2.4.6-281.el5
Doc Type: Bug Fix
Last Closed: 2011-07-21 05:21:11 EDT
Attachments: None

Description Ben Wiechman 2010-07-02 09:53:21 EDT
Description of problem:
There were modifications to freeradius2 in 2.1.9 related to core dumps. SELinux policy does not allow freeradius 2.1.9 to disable core dumps. 


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-255.el5_4.4
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5_4.4
freeradius2 - rpms built from official release available at ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.9.tar.gz

How reproducible:
Always


Steps to Reproduce:
** SELinux in Enforcing mode
1. Build and install FR v2.1.9
2. Configure "allow_core_dumps = no" in /etc/raddb/radiusd.conf
3. Start/Restart FR.
  
Actual results:
The following will be logged in the FR log:
Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied

Audit log:
type=SYSCALL msg=audit(1278078430.225:95619): arch=c000003e syscall=1 success=yes exit=1796774 a0=4 a1=2b254a26d000 a2=1b6aa6 a3=0 items=0 ppid=17551 pid=17552 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=16471 comm="load_policy" exe="/usr/sbin/load_policy" subj=user_u:system_r:load_policy_t:s0 key=(null)
type=AVC msg=audit(1278078436.202:95620): avc:  denied  { setrlimit } for  pid=17567 comm="radiusd" scontext=user_u:system_r:radiusd_t:s0 tcontext=user_u:system_r:radiusd_t:s0 tclass=process
type=SYSCALL msg=audit(1278078436.202:95620): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fff020338f0 a2=0 a3=ea items=0 ppid=17566 pid=17567 auid=500 uid=0 gid=95 euid=95 suid=0 fsuid=95 egid=95 sgid=95 fsgid=95 tty=pts0 ses=16471 comm="radiusd" exe="/usr/sbin/radiusd" subj=user_u:system_r:radiusd_t:s0 key=(null)

I cannot confirm whether FR still produces core dumps upon failure.

Expected results:
No SELinux errors and core dumps successfully disabled. 

Additional info:
audit2allow produces the following policy updates which appear to prevent this behavior:

module freeradius2 1.0;

require {
        type radiusd_t;
        class process setrlimit;
}

#============= radiusd_t ==============
allow radiusd_t self:process setrlimit;
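The denial above is the kernel refusing the setrlimit(2) call radiusd makes to turn core dumps off: the SYSCALL record shows syscall 160 (setrlimit on x86_64) returning exit=-13, which is -EACCES, and that is the "Permission denied" printed in the FreeRADIUS log. The program below is an added example, not code from the bug report or from the FreeRADIUS sources; it performs the same RLIMIT_CORE change a daemon would and reports the failure the same way. One detail worth knowing when reading such an AVC: the SELinux hook behind process:setrlimit only fires when the hard limit changes, so a daemon that clears both soft and hard limits (as this example does) needs the permission, while one that lowers only the soft limit does not.

```c
/* Added example (not from the bug report or FreeRADIUS): disable core
 * dumps via setrlimit(RLIMIT_CORE) and surface the error a daemon would
 * log when an SELinux policy lacks
 *     allow radiusd_t self:process setrlimit;
 * Build: cc -Wall -o nocore nocore.c && ./nocore */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Clear both the soft and the hard core-file limit, as radiusd does for
 * allow_core_dumps = no. Returns 0 on success, otherwise -errno
 * (-EACCES is what the AVC denial in this bug produced). Changing the
 * hard limit is what triggers the SELinux process:setrlimit check. */
int disable_core_dumps(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -errno;
    return 0;
}

/* Independent check an operator can run instead of trusting the log:
 * returns 1 if the effective (soft) core limit is 0, 0 if core files can
 * still be written, or -errno if the query itself fails. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -errno;
    return rl.rlim_cur == 0 ? 1 : 0;
}

int main(void)
{
    int rc = disable_core_dumps();
    if (rc != 0) {
        /* Same condition as "Failed disabling core dumps: Permission
         * denied" in the radiusd log; with SELinux enforcing, expect a
         * matching avc: denied { setrlimit } record in the audit log. */
        fprintf(stderr, "Failed disabling core dumps: %s\n", strerror(-rc));
        return 1;
    }
    printf("core dumps disabled: %s\n",
           core_dumps_disabled() == 1 ? "yes" : "no");
    return 0;
}
```

Lowering RLIMIT_CORE is an unprivileged operation, so on a host without SELinux enforcing (or with the fixed policy from this bug) the program simply succeeds; the point of the second function is that "disabled" is only proven by reading the limit back, which the reporter notes he could not confirm from the log alone.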
Comment 1 Daniel Walsh 2010-07-12 15:58:30 EDT
This is allowed in RHEL6 and should be backported.
Comment 2 Miroslav Grepl 2010-07-22 05:25:35 EDT
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 5 errata-xmlrpc 2011-07-21 05:21:11 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 6 errata-xmlrpc 2011-07-21 07:49:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html