Hide Forgot
Description of problem: Cannot start with selinux enforcing enabled: [root@test1169 ~]# service cgred start Starting CGroup Rules Engine Daemon: [ OK ] [root@test1169 ~]# ps ax | grep cg 1321 pts/0 S+ 0:00 grep cg [root@test1169 ~]# service cgred status cgred dead but pid file exists [root@test1169 ~]# service cgred stop Stopping CGroup Rules Engine Daemon... [FAILED] [root@test1169 ~]# service cgred stop Stopping CGroup Rules Engine Daemon... [ OK ] disable enforcing.... [root@test1169 ~]# setenforce 0 [root@test1169 ~]# service cgred start Starting CGroup Rules Engine Daemon: [ OK ] [root@test1169 ~]# service cgred status cgred (pid 1361) is running... [root@test1169 ~]# ps ax | grep cg 1361 ? Ss 0:00 /sbin/cgrulesengd -g cgred 1373 pts/0 S+ 0:00 grep cg [root@test1169 ~]# service cgred stop Stopping CGroup Rules Engine Daemon... [ OK ] [root@test1169 ~]# service cgred status cgred is stopped [root@test1169 ~]# ps ax | grep cg 1393 pts/0 S+ 0:00 grep cg I can however start the service by hand with selinux enabled: [root@test1169 ~]# setenforce 1 [root@test1169 ~]# getenforce Enforcing [root@test1169 ~]# /sbin/cgrulesengd -g cgred [root@test1169 ~]# ps ax | grep cg 1402 ? Ss 0:00 /sbin/cgrulesengd -g cgred 1405 pts/0 S+ 0:00 grep cg Version-Release number of selected component (if applicable): [root@test1169 ~]# uname -r 2.6.32-112.el6.i686.debug [root@test1169 ~]# rpm -qa | grep selinux selinux-policy-3.7.19-67.el6.noarch libselinux-2.0.94-2.el6.i686 libselinux-utils-2.0.94-2.el6.i686 selinux-policy-targeted-3.7.19-67.el6.noarch [root@test1169 ~]# rpm -q libcgroup libcgroup-0.37-1.el6.i686 How reproducible: always It makes no difference if I use the service command or /etc/init.d/ I have also reproduced this on x86_64 with and without the debug kernel. Steps to Reproduce: 1.Start the cgconfig service, then attempt to start cgred via the initscripts 2. 3. Actual results: init script reports service started, however it did not type=AVC msg=audit(1296768725.309:23): avc: denied { unlink } for pid=1426 comm="cgrulesengd" name="cgred.socket" dev=dm-0 ino=140687 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file type=SYSCALL msg=audit(1296768725.309:23): arch=40000003 syscall=10 success=no exit=-13 a0=804aac9 a1=0 a2=2 a3=bfcb45de items=0 ppid=1 pid=1426 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null) Expected results: Service starts Additional info:
cgrulesengd has changed a lot in RHEL 6.1, the SELinux policy needs to be updated accordingly.
This looks like a labeling issue. Where is the cgred.socket created?
(In reply to comment #3) > This looks like a labeling issue. Where is the cgred.socket created? /var/run/cgred.socket
I guess you are back porting all the stuff that is in F15? Miroslav, lets backport all of cgroup.* to RHEL6
Fixed in selinux-policy-3.7.19-69.el6
It looks like we get by the unlink denial, but now I'm seeing a different avc this time which is causing the service to fail to start similar to the symptom before. I can confirm everything starts as expected when I disable selinux enforcing. type=AVC msg=audit(1297201222.766:16647): avc: denied { chown } for pid=19763 comm="cgrulesengd" capability=0 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability type=SYSCALL msg=audit(1297201222.766:16647): arch=c000003e syscall=92 success=no exit=-1 a0=40312d a1=ffffffff a2=1f4 a3=0 items=0 ppid=1 pid=19763 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null) [root@test1239 libcgroup-tools-tests]# rpm -qa | grep selinux selinux-policy-targeted-3.7.19-69.el6.noarch selinux-policy-3.7.19-69.el6.noarch libselinux-2.0.94-2.el6.x86_64 libselinux-utils-2.0.94-2.el6.x86_64 [root@test1239 libcgroup-tools-tests]# rpm -q libcgroup libcgroup-0.37-1.el6.x86_64 [root@test1239 libcgroup-tools-tests]# uname -r 2.6.32-115.el6.x86_64 I did a 'touch /.autorelabel' and rebooted the machine before testing.
I am fixing it. Thanks. Mike, could you add a local policy and make sure it works in Enforcing. # grep cgred_t /var/log/audit/audit.log | audit2allow -M mycgroup # semodule -i mycgroup.pp
Created attachment 477910 [details] audit denials for cgred_t
Here is the ruleset from audit2allow, the audit logs from cgred_t are in the attachment in comment 11. [mpg@dhcp231-174 x86_64]$ cat /tmp/mycgroup.te module mycgroup 1.0; require { type cgred_t; class capability { chown fsetid }; } #============= cgred_t ============== allow cgred_t self:capability { chown fsetid };
I have confirmed the ruleset in comment# 12 has fixed this issue for me. Every item for the libcgroup init script sanity test we have now passes except for one which is failing due to the init script exiting with the wrong code which I'll take up in a separate bz as it has nothing to do with selinux policy.
Easy to reproduce without the local policy mentioned in comment#12: ---- time->Wed Feb 16 03:55:02 2011 type=SYSCALL msg=audit(1297846502.811:21): arch=c000003e syscall=92 success=no exit=-1 a0=40312d a1=ffffffff a2=1f4 a3=7fff8fb8f910 items=0 ppid=1 pid=10919 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null) type=AVC msg=audit(1297846502.811:21): avc: denied { chown } for pid=10919 comm="cgrulesengd" capability=0 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability ----
Fixed in selinux-policy-3.7.19-71.el6
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0526.html