Bug 676664 - avc denied message when starting cmirrord
Summary: avc denied message when starting cmirrord
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-10 16:42 UTC by Corey Marthaler
Modified: 2012-11-23 21:07 UTC (History)

Fixed In Version: selinux-policy-3.7.19-72.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 11:57:36 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2011:0526 (priority: normal, status: SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-05-19 09:37:41 UTC

Description Corey Marthaler 2011-02-10 16:42:00 UTC
Description of problem:

Feb 10 10:35:32 taft-01 cmirrord[2408]: Starting cmirrord:
Feb 10 10:35:32 taft-01 cmirrord[2408]:  Built: Feb  8 2011 11:10:52#012


type=AVC msg=audit(1297355732.742:35): avc:  denied  { setfscreate } for  pid=2408 comm="cmirrord" scontext=unconfined_u:system_r:cmirrord_t:s0 tcontext=unconfined_u:system_r:cmirrord_t:s0 tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-67.el6.noarch


2.6.32-94.el6.x86_64

lvm2-2.02.83-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
lvm2-libs-2.02.83-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
lvm2-cluster-2.02.83-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
udev-147-2.31.el6    BUILT: Wed Jan 26 05:39:15 CST 2011
device-mapper-1.02.62-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
device-mapper-libs-1.02.62-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
device-mapper-event-1.02.62-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
device-mapper-event-libs-1.02.62-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011
cmirror-2.02.83-2.el6    BUILT: Tue Feb  8 10:10:57 CST 2011

Comment 1 Daniel Walsh 2011-02-10 18:28:17 UTC
Does cmirrord have kerberos support?  Or did someone add selinux smarts to it?

Comment 2 Jonathan Earl Brassow 2011-02-10 19:34:33 UTC
cmirrord does not perform any kerberos actions.

I haven't added any selinux-related code to it.

Comment 3 Daniel Walsh 2011-02-10 19:55:02 UTC
Well it must be a library that it is calling.

Comment 4 Daniel Walsh 2011-02-10 20:00:40 UTC
SELinux does not lie.    :^)

ldd /usr/sbin/cmirrord  | grep devmap
	libdevmapper.so.1.02 => /lib64/libdevmapper.so.1.02 (0x0000003437800000)

nm -D /lib64/libdevmapper.so.1.02  | grep setfscreate
                 U setfscreatecon


Does cmirrord create devices in /dev?

Comment 5 Jonathan Earl Brassow 2011-02-10 21:11:01 UTC
It used to, but this is how it looks now:

        // LOG_DBG("Creating /dev/mapper/%d-%d", major, minor);
        // sprintf(path_rtn, "/dev/mapper/%d-%d", major, minor);
        // r = mknod(path_rtn, S_IFBLK | S_IRUSR | S_IWUSR, MKDEV(major, minor));

LVM/device-mapper is responsible for creating the devices.

I don't have a rhel6 box available right now, but I think I use the device-mapper library only for its list and bitop macros.  If I can get a rhel6 box and compile the binaries without stripping them, I could do a 'nm -o cmirrord ...' to find any symbols used.

Comment 6 Daniel Walsh 2011-02-11 16:54:21 UTC
So the library will do all of that for you.

Miroslav, I think we are going to need to add:

allow cmirrord_t self:process setfscreate;
storage_create_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)

Comment 7 Miroslav Grepl 2011-02-14 13:34:38 UTC
Jonathan,
does it work for you if you add the following local policy:

# cat mypol.te
policy_module(mypol,1.0)

require{
 type cmirrord_t;
}

allow cmirrord_t self:process setfscreate;
storage_create_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)


And execute

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp

Comment 8 Jonathan Earl Brassow 2011-02-15 18:30:10 UTC
That's a question for the bug filer, I think.

Comment 9 Corey Marthaler 2011-02-15 20:04:17 UTC
This is all I see when executing what's in comment #7.

Feb 15 13:59:44 grant-02 dbus: avc:  received policyload notice (seqno=2)
Feb 15 13:59:44 grant-02 dbus: [system] Reloaded configuration
Feb 15 13:59:44 grant-02 kernel: type=1403 audit(1297799984.702:4): policy loaded auid=0 ses=1

Comment 10 Miroslav Grepl 2011-02-15 21:54:50 UTC
So cmirrord works with these rules.

Comment 11 Milos Malik 2011-02-16 08:49:31 UTC
Easy to reproduce without the local policy mentioned in comment #7:

----
time->Wed Feb 16 03:42:26 2011
type=SYSCALL msg=audit(1297845746.271:13): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=0 a2=0 a3=7fffb2341340 items=0 ppid=9410 pid=9411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cmirrord" exe="/usr/sbin/cmirrord" subj=unconfined_u:system_r:cmirrord_t:s0 key=(null)
type=AVC msg=audit(1297845746.271:13): avc:  denied  { setfscreate } for  pid=9411 comm="cmirrord" scontext=unconfined_u:system_r:cmirrord_t:s0 tcontext=unconfined_u:system_r:cmirrord_t:s0 tclass=process
----

Comment 12 Miroslav Grepl 2011-02-17 15:24:10 UTC
Fixed in selinux-policy-3.7.19-71.el6

Comment 14 Corey Marthaler 2011-02-18 21:16:04 UTC
Seeing a different error now:

[root@taft-01 ~]# service cmirrord start
Starting cmirrord: Failed to create lockfile
Process already running?
                                                           [FAILED]


type=AVC msg=audit(1298063220.345:44): avc:  denied  { create } for  pid=2328 comm="cmirrord" name="cmirrord.pid" scontext=unconfined_u:system_r:cmirrord_t:s0 tcontext=system_u:object_r:cmirrord_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1298063220.345:44): arch=c000003e syscall=2 success=no exit=-13 a0=417208 a1=41 a2=1a4 a3=6165726373662f72 items=0 ppid=2327 pid=2328 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cmirrord" exe="/usr/sbin/cmirrord" subj=unconfined_u:system_r:cmirrord_t:s0 key=(null)

Comment 15 Corey Marthaler 2011-02-18 21:18:44 UTC
This is with the latest policy:
selinux-policy-3.7.19-71.el6.noarch

Comment 16 Daniel Walsh 2011-02-18 21:34:54 UTC
Since the service is running as

unconfined_u:system_r:cmirrord_t:s0

instead of

system_u:system_r:cmirrord_t:s0

the creation of the file is failing.  If you had run this application from init on boot it would have worked.  When you restarted it, it ended up with your user component.

Miroslav, you will need:


domain_obj_id_change_exemption(cmirrord_t)


If you wanted to restart it with system_u, you could execute

run_init service cmirrord restart

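The two denials in this bug look alike at a glance (same domain, same comm) but have different causes: the first is a missing self:process permission (comment 6), the second is a mismatch between the SELinux user of the restarted process (unconfined_u) and the user of the file it tries to create (system_u), as explained in comment 16. The following is an added example, not code from the bug or from Red Hat: a small Python parser that reads raw audit lines, skips the SYSCALL records, and classifies each AVC denial along those two lines so an administrator can tell a policy gap from a "restarted from a login shell" problem before writing any allow rules. The sample input is copied from the denials quoted above and embedded as constructed test data; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the AVC/SYSCALL records quoted earlier in this bug,
# embedded here so the parser can be run offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1297355732.742:35): avc:  denied  { setfscreate } for  pid=2408 comm="cmirrord" scontext=unconfined_u:system_r:cmirrord_t:s0 tcontext=unconfined_u:system_r:cmirrord_t:s0 tclass=process
type=SYSCALL msg=audit(1297845746.271:13): arch=c000003e syscall=1 success=no exit=-13 a0=4 a1=0 a2=0 a3=7fffb2341340 items=0 ppid=9410 pid=9411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cmirrord" exe="/usr/sbin/cmirrord" subj=unconfined_u:system_r:cmirrord_t:s0 key=(null)
type=AVC msg=audit(1298063220.345:44): avc:  denied  { create } for  pid=2328 comm="cmirrord" name="cmirrord.pid" scontext=unconfined_u:system_r:cmirrord_t:s0 tcontext=system_u:object_r:cmirrord_var_run_t:s0 tclass=file
"""

# Matches only AVC "denied" records; the permission set sits inside { ... }.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: int
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    name: Optional[str]


def parse_avc_lines(text: str) -> List[AvcDenial]:
    """Extract AVC denial records from raw audit text; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        denials.append(AvcDenial(
            serial=int(m.group('serial')),
            perms=m.group('perms').split(),
            comm=fields.get('comm', ''),
            scontext=fields['scontext'],
            tcontext=fields['tcontext'],
            tclass=fields['tclass'],
            name=fields.get('name'),
        ))
    return denials


def context_parts(ctx: str) -> Tuple[str, str, str, str]:
    """Split user:role:type:level; the level may itself contain ':' (MLS ranges)."""
    user, role, type_, level = ctx.split(':', 3)
    return user, role, type_, level


def diagnose(d: AvcDenial) -> str:
    """Classify one denial following the reasoning in comments 6 and 16 of this bug."""
    s_user, _, _, _ = context_parts(d.scontext)
    t_user, _, _, _ = context_parts(d.tcontext)
    if d.tclass == 'process' and 'setfscreate' in d.perms and d.scontext == d.tcontext:
        # Domain acting on itself: the policy simply lacks the permission.
        return 'self:process setfscreate denied; the domain needs an allow rule (comment 6)'
    if d.tclass == 'file' and 'create' in d.perms and s_user != t_user:
        # Same domain as expected, but the SELinux user differs between process and object:
        # the service was restarted from a user session rather than started by init.
        return ('SELinux user mismatch: process runs as %s but the target is %s; '
                'restart via run_init or fix the policy (comment 16)' % (s_user, t_user))
    return 'unclassified denial: { %s } on %s' % (' '.join(d.perms), d.tclass)


def report(text: str) -> List[Tuple[int, str, str]]:
    """Return (serial, comm, diagnosis) for every AVC denial found in the text."""
    return [(d.serial, d.comm, diagnose(d)) for d in parse_avc_lines(text)]


if __name__ == '__main__':
    for serial, comm, why in report(SAMPLE_AUDIT):
        print('audit serial %d (%s): %s' % (serial, comm, why))
```

On a live system the same function can be fed the output of ausearch -m AVC; the point of the user-component check is that no allow rule will make a system_u-labelled pid file creatable by an unconfined_u process, so the fix is either the exemption interface named in comment 16 or restarting the service under run_init.
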
Comment 17 Miroslav Grepl 2011-02-22 17:53:59 UTC
Fixed in selinux-policy-3.7.19-72.el6

Comment 20 errata-xmlrpc 2011-05-19 11:57:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

