Bug 657568 - selinux MLS policy prevents executing of run_init in single user mode
Summary: selinux MLS policy prevents executing of run_init in single user mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Karel Srot
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-26 14:11 UTC by Karel Srot
Modified: 2011-05-19 11:57 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-60.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 11:57:07 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Karel Srot 2010-11-26 14:11:52 UTC
Description of problem:

I am not sure whether this functionality is supposed to be working but it seems to me reasonable to be able to start e.g. network in single user mode.

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-57.el6

How reproducible:
alwas, qemu-kvm virtual machine started into single user mode, using console

Steps to Reproduce:
1. start (virtual) machine in single user mode, open the console
2. run_init service network status/start
  
Actual results:
nothing happens, I am not even asked for a root password

Expected results:
run_init is working


Additional info:

type=1400 audit(1290774024.567:421): avc:  denied  { read } for  pid=790 comm="run_init" name="console" dev=devtmpfs ino=5059 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1290774024.567:422): avc:  denied  { read } for  pid=790 comm="run_init" path="pipe:[10054]" dev=pipefs ino=10054 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=fifo_file
type=1400 audit(1290774024.567:423): avc:  denied  { rlimitinh } for  pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.567:424): avc:  denied  { siginh } for  pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.567:425): avc:  denied  { noatsecure } for  pid=790 comm="run_init" scontext=system_u:system_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.884:426): avc:  denied  { search } for  pid=790 comm="run_init" name="dbus" dev=vda2 ino=262233 scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=1400 audit(1290774024.888:427): avc:  denied  { read } for  pid=791 comm="unix_chkpwd" name="console" dev=devtmpfs ino=5059 scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:console_device_t:s0 tclass=chr_file
type=1400 audit(1290774024.888:428): avc:  denied  { rlimitinh } for  pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.888:429): avc:  denied  { siginh } for  pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process
type=1400 audit(1290774024.888:430): avc:  denied  { noatsecure } for  pid=791 comm="unix_chkpwd" scontext=system_u:system_r:run_init_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=process


following module solved my problem:

module runinit 1.0;

require {
	type sysadm_t;
	type chkpwd_t;
	type init_t;
	type system_dbusd_var_run_t;
	type console_device_t;
	type run_init_t;
	class process { siginh noatsecure rlimitinh };
	class fifo_file read;
	class dir search;
	class chr_file read;
}

#============= chkpwd_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow chkpwd_t console_device_t:chr_file read;

#============= run_init_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow run_init_t chkpwd_t:process { siginh rlimitinh noatsecure };
#!!!! This avc has a dontaudit rule in the current policy

allow run_init_t console_device_t:chr_file read;
allow run_init_t init_t:fifo_file read;
#!!!! This avc has a dontaudit rule in the current policy

allow run_init_t system_dbusd_var_run_t:dir search;

#============= sysadm_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow sysadm_t run_init_t:process { siginh rlimitinh noatsecure };


Btw, to check this module I had to import it in permissive mode since I am not able to do it in enforcing mode in single user mode.. not sure whether this is a bug either.

Comment 1 Miroslav Grepl 2010-11-29 15:52:32 UTC
The problem is "/dev/console" is labeled as "console_device_t" and then the following access is needed

allow run_init_t console_device_t:chr_file read;

Comment 2 Miroslav Grepl 2010-11-29 15:57:40 UTC
(In reply to comment #1)
> The problem is "/dev/console" is labeled as "console_device_t" 

of course this is ok.

and then the
> following access is needed
> 
> allow run_init_t console_device_t:chr_file read;

Comment 4 Miroslav Grepl 2010-12-20 17:59:30 UTC
Fixed in selinux-policy-3.7.19-60.el6

Comment 7 errata-xmlrpc 2011-05-19 11:57:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html


Note You need to log in before you can comment on or make changes to this bug.