Bug 693792 - Please include SELinux policy for foghorn (runs as initrc_t)
Summary: Please include SELinux policy for foghorn (runs as initrc_t)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 832330
Reported: 2011-04-05 15:24 UTC by Jaroslav Kortus
Modified: 2014-06-17 14:07 UTC
CC List: 5 users

Fixed In Version: selinux-policy-3.7.19-85.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:27:37 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2011:0526 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: selinux-policy bug fix and enhancement update | Last Updated: 2011-05-19 09:37:41 UTC

Description Jaroslav Kortus 2011-04-05 15:24:20 UTC
Description of problem:
Foghorn must be confined. Please see https://bugzilla.redhat.com/show_bug.cgi?id=677802 for more info

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-80.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. start foghorn
Actual results:
initrc context

Expected results:
foghorn confined context

Additional info:

Comment 1 Jaroslav Kortus 2011-04-05 15:26:23 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=660324 is the proper foghorn bug, the previously mentioned one covers cluster+dbus.

Comment 2 Ryan O'Hara 2011-04-05 15:30:47 UTC
677802 is for the cluster daemons that emit dbus signals (e.g. fenced, rgmanager). I don't think that is related to how foghorn is labelled.

Comment 4 RHEL Program Management 2011-04-05 15:43:45 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 5 Daniel Walsh 2011-04-05 15:54:18 UTC
Do we need this for 6.1 or 6.2?

Comment 6 Miroslav Grepl 2011-04-05 15:58:01 UTC
We have support for foghorn in RHEL6.1.

Comment 7 Ryan O'Hara 2011-04-05 16:22:11 UTC
Just to state the obvious, foghorn being labelled initrc_t doesn't cause any avc denials, etc. My understanding is that this is just undesirable.

Comment 8 Ryan O'Hara 2011-04-05 16:30:40 UTC
This appears to be fixed in the latest RHEL6.1 build.

# ls -alZ `which foghorn`
-rwxr-xr-x. root root system_u:object_r:foghorn_exec_t:s0 /usr/sbin/foghorn

Comment 9 Daniel Walsh 2011-04-05 16:40:30 UTC
I guess I can mark this modified

Comment 10 Ryan O'Hara 2011-04-06 19:57:02 UTC
Moving this back to assigned since foghorn daemon generates AVC denials. Details to follow.

Comment 11 Ryan O'Hara 2011-04-06 21:46:41 UTC
# rpm -q selinux-policy
selinux-policy-3.7.19-80.el6.noarch

# service foghorn start
Starting foghorn:                                          [  OK  ]

From audit.log:

type=AVC msg=audit(1302126247.066:47137): avc:  denied  { read } for  pid=29852 comm="foghorn" name="mib_indexes" dev=dm-0 ino=1575065 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302126247.066:47137): avc:  denied  { open } for  pid=29852 comm="foghorn" name="mib_indexes" dev=dm-0 ino=1575065 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302126247.066:47137): arch=c000003e syscall=2 success=yes exit=8 a0=7fffb7411410 a1=90800 a2=7fffb741142d a3=7fffb7411040 items=0 ppid=29851 pid=29852 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=184 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302126247.067:47138): avc:  denied  { read } for  pid=29852 comm="foghorn" name="0" dev=dm-0 ino=1575066 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302126247.067:47138): arch=c000003e syscall=2 success=yes exit=9 a0=7fffb7411410 a1=0 a2=1b6 a3=0 items=0 ppid=29851 pid=29852 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=184 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)

Comment 12 Daniel Walsh 2011-04-06 22:18:31 UTC
That is allowed in F15.

Miroslav please backport rhce.te to RHEL6

Comment 13 Miroslav Grepl 2011-04-07 12:46:45 UTC
Yes, I did not add it to RHEL6. It needs to be fixed.

Comment 14 Jaroslav Kortus 2011-04-08 17:47:16 UTC
AVC obtained by running all the services together and doing service relocation:
selinux-policy-3.7.19-82.el6.noarch

#============= foghorn_t ==============
allow foghorn_t self:udp_socket { ioctl create };
allow foghorn_t snmpd_t:unix_stream_socket connectto;
allow foghorn_t snmpd_var_lib_t:dir { read getattr open search };
allow foghorn_t snmpd_var_lib_t:file { read getattr open };
allow foghorn_t snmpd_var_lib_t:sock_file write;


$ cat audit.log | grep foghorn
type=AVC msg=audit(1302284078.166:71): avc:  denied  { getattr } for  pid=6309 comm="foghorn" path="/var/lib/net-snmp" dev=dm-0 ino=263109 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.166:71): arch=c000003e syscall=4 success=yes exit=0 a0=2112010 a1=7fff52db8200 a2=7fff52db8200 a3=12 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:72): avc:  denied  { search } for  pid=6309 comm="foghorn" name="net-snmp" dev=dm-0 ino=263109 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.167:72): arch=c000003e syscall=4 success=no exit=-2 a0=7fff52db8290 a1=7fff52db8200 a2=7fff52db8200 a3=fffffff9 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:73): avc:  denied  { read } for  pid=6309 comm="foghorn" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1302284078.167:73): avc:  denied  { open } for  pid=6309 comm="foghorn" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302284078.167:73): arch=c000003e syscall=2 success=yes exit=8 a0=3d91535f32 a1=900 a2=7fff52db8230 a3=7fff52db7dd0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:74): avc:  denied  { getattr } for  pid=6309 comm="foghorn" path="/dev/urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302284078.167:74): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff52db8070 a2=7fff52db8070 a3=7fff52db7dd0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.169:75): avc:  denied  { read } for  pid=6309 comm="foghorn" name="mib_indexes" dev=dm-0 ino=263126 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302284078.169:75): avc:  denied  { open } for  pid=6309 comm="foghorn" name="mib_indexes" dev=dm-0 ino=263126 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.169:75): arch=c000003e syscall=2 success=yes exit=8 a0=7fff52db8290 a1=90800 a2=7fff52db82ad a3=7fff52db7ec0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.169:76): avc:  denied  { search } for  pid=6309 comm="foghorn" name="mib_indexes" dev=dm-0 ino=263126 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302284078.169:76): avc:  denied  { read } for  pid=6309 comm="foghorn" name="0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1302284078.169:76): avc:  denied  { open } for  pid=6309 comm="foghorn" name="0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.169:76): arch=c000003e syscall=2 success=yes exit=9 a0=7fff52db8290 a1=0 a2=1b6 a3=0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.169:77): avc:  denied  { getattr } for  pid=6309 comm="foghorn" path="/var/lib/net-snmp/mib_indexes/0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.169:77): arch=c000003e syscall=5 success=yes exit=0 a0=9 a1=7fff52db7fd0 a2=7fff52db7fd0 a3=7fff52db7ec0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.170:78): avc:  denied  { read } for  pid=6309 comm="foghorn" name="HOST-RESOURCES-MIB.txt" dev=dm-0 ino=1963610 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1302284078.170:78): avc:  denied  { open } for  pid=6309 comm="foghorn" name="HOST-RESOURCES-MIB.txt" dev=dm-0 ino=1963610 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.170:78): arch=c000003e syscall=2 success=yes exit=8 a0=2114890 a1=0 a2=1b6 a3=0 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.171:79): avc:  denied  { getattr } for  pid=6309 comm="foghorn" path="/usr/share/snmp/mibs/HOST-RESOURCES-MIB.txt" dev=dm-0 ino=1963610 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.171:79): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fff52db7fa0 a2=7fff52db7fa0 a3=7fff52db7e20 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.257:80): avc:  denied  { write } for  pid=6309 comm="foghorn" name="master" dev=dm-0 ino=262409 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1302284078.257:80): avc:  denied  { connectto } for  pid=6309 comm="foghorn" path="/var/agentx/master" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1302284078.257:80): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff52db7ce0 a2=6e a3=7fff52db7a20 items=0 ppid=6308 pid=6309 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284104.005:81): avc:  denied  { create } for  pid=6310 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284104.005:81): arch=c000003e syscall=41 success=yes exit=10 a0=2 a1=2 a2=0 a3=7fff52db7cd0 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284104.006:82): avc:  denied  { ioctl } for  pid=6310 comm="foghorn" path="socket:[19642]" dev=sockfs ino=19642 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284104.006:82): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=8912 a2=7fff52db7f00 a3=7fff52db7c80 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284225.441:88): avc:  denied  { create } for  pid=6310 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284225.441:88): arch=c000003e syscall=41 success=yes exit=10 a0=2 a1=2 a2=0 a3=4 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284225.442:89): avc:  denied  { ioctl } for  pid=6310 comm="foghorn" path="socket:[25123]" dev=sockfs ino=25123 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302284225.442:89): arch=c000003e syscall=16 success=yes exit=0 a0=a a1=8912 a2=7fff52db7f00 a3=0 items=0 ppid=1 pid=6310 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)

Comment 15 Miroslav Grepl 2011-04-11 10:12:21 UTC
Fixed in selinux-policy-3.7.19-84.el6

Comment 20 Milos Malik 2011-04-12 13:38:16 UTC
When I enable global_ssp boolean, the list of AVCs gets reduced to:

----
time->Tue Apr 12 09:36:39 2011
type=SYSCALL msg=audit(1302615399.586:11159): arch=40000003 syscall=102 success=yes exit=8 a0=1 a1=bff1f7c0 a2=fb6cd8 a3=8585b08 items=0 ppid=6114 pid=6115 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302615399.586:11159): avc:  denied  { create } for  pid=6115 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=tcp_socket
----
time->Tue Apr 12 09:36:39 2011
type=SYSCALL msg=audit(1302615399.586:11160): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bff1f7c0 a2=fb6cd8 a3=8585b08 items=0 ppid=6114 pid=6115 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302615399.586:11160): avc:  denied  { name_connect } for  pid=6115 comm="foghorn" dest=705 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1302615399.586:11160): avc:  denied  { connect } for  pid=6115 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=tcp_socket
----
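
Comments 14 and 20 above show raw AVC records and, in comment 14, the allow rules that audit2allow derives from them. The script below is an added example, not part of this bug report or of selinux-policy: it parses AVC lines, aggregates the denied permissions per (source type, target type, object class) into allow rules the way audit2allow does, and pairs each denial with the SYSCALL record that shares its audit serial to tell whether the denial was actually enforced. The embedded sample log is copied from the comments above (SYSCALL lines abridged to the fields used), plus one constructed pair, serial 9001, showing what an enforced denial looks like.

```python
import re
from collections import defaultdict

# Sample audit.log excerpt: AVC lines copied from comments 14 and 20 of this bug, SYSCALL lines
# abridged to the fields used here, plus one CONSTRUCTED pair (serial 9001) that shows an
# enforced denial: the syscall fails with exit=-13 (EACCES) instead of succeeding.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1302284078.166:71): avc:  denied  { getattr } for  pid=6309 comm="foghorn" path="/var/lib/net-snmp" dev=dm-0 ino=263109 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1302284078.166:71): arch=c000003e syscall=4 success=yes exit=0 pid=6309 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.167:72): avc:  denied  { search } for  pid=6309 comm="foghorn" name="net-snmp" dev=dm-0 ino=263109 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1302284078.169:76): avc:  denied  { read } for  pid=6309 comm="foghorn" name="0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1302284078.169:76): avc:  denied  { open } for  pid=6309 comm="foghorn" name="0" dev=dm-0 ino=263127 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1302284078.169:76): arch=c000003e syscall=2 success=yes exit=9 pid=6309 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302284078.257:80): avc:  denied  { write } for  pid=6309 comm="foghorn" name="master" dev=dm-0 ino=262409 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1302284078.257:80): avc:  denied  { connectto } for  pid=6309 comm="foghorn" path="/var/agentx/master" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:snmpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1302284104.005:81): avc:  denied  { create } for  pid=6310 comm="foghorn" scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=AVC msg=audit(1302284104.006:82): avc:  denied  { ioctl } for  pid=6310 comm="foghorn" path="socket:[19642]" dev=sockfs ino=19642 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=unconfined_u:system_r:foghorn_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1302615399.586:11160): arch=40000003 syscall=102 success=no exit=-111 pid=6115 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
type=AVC msg=audit(1302615399.586:11160): avc:  denied  { name_connect } for  pid=6115 comm="foghorn" dest=705 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1302284300.000:9001): avc:  denied  { read } for  pid=6310 comm="foghorn" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:foghorn_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302284300.000:9001): arch=c000003e syscall=2 success=no exit=-13 pid=6310 comm="foghorn" exe="/usr/sbin/foghorn" subj=unconfined_u:system_r:foghorn_t:s0 key=(null)
"""

# One AVC record: verdict, permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)'
    r'\s+\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)'
)
# The SYSCALL record that belongs to the same audit event (same serial number).
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?success=(?P<success>yes|no)'
    r' exit=(?P<exit>-?\d+)'
)
ENFORCED_ERRNOS = {-13, -1}  # EACCES / EPERM: what an enforced SELinux denial returns to the caller


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type, the only part an allow rule needs."""
    return ctx.split(":")[2]


def aggregate_allow_rules(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        stype = context_type(rec["scontext"])
        ttype = context_type(rec["tcontext"])
        if ttype == stype:
            ttype = "self"  # policy language spelling for "same type as the source"
        rules[(stype, ttype, rec["tclass"])].update(rec["perms"])
    return rules


def format_rules(rules):
    """Render the aggregated rules as sorted policy-language allow statements."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {text};")
    return out


def classify_denials(log_text):
    """Map each denied serial to 'enforced', 'not_enforced' or 'unknown'.

    A denial that is logged while the syscall still succeeds, or fails with an errno unrelated
    to access control, was recorded but not blocked: the signature of permissive mode or of a
    permissive domain. Only success=no with EACCES/EPERM shows the policy actually stopped it.
    """
    syscalls, denied = {}, set()
    for line in log_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m["serial"]] = (m["success"], int(m["exit"]))
            continue
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            denied.add(rec["serial"])
    verdicts = {}
    for serial in denied:
        if serial not in syscalls:
            verdicts[serial] = "unknown"
        elif syscalls[serial][0] == "no" and syscalls[serial][1] in ENFORCED_ERRNOS:
            verdicts[serial] = "enforced"
        else:
            verdicts[serial] = "not_enforced"
    return verdicts


if __name__ == "__main__":
    for rule in format_rules(aggregate_allow_rules(SAMPLE_AUDIT_LOG)):
        print(rule)
    for serial, verdict in sorted(classify_denials(SAMPLE_AUDIT_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"event {serial}: {verdict}")
```

Run against the sample, every denial from comments 14 and 20 comes out as not_enforced: the syscalls in comment 14 all report success=yes, and the connect in comment 20 fails with -111 (ECONNREFUSED) rather than EACCES, so the domain was being exercised in permissive mode while the policy was drafted. That is also why a rule list generated this way needs review before it goes into policy: it grants everything the daemon touched during the run, and the reviewer should still ask whether each target (a net-snmp state directory, the agentx socket, a MIB file under usr_t) is something foghorn_t legitimately needs.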

Comment 21 Miroslav Grepl 2011-04-12 13:45:54 UTC
Ok, different issues which I need to fix.

Comment 23 Miroslav Grepl 2011-04-13 10:52:36 UTC
Fixed in selinux-policy-3.7.19-85.el6.

Comment 25 errata-xmlrpc 2011-05-19 12:27:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

