Bug 697924 - faillock avcs when booting with mls policy
Summary: faillock avcs when booting with mls policy
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All Linux
urgent
high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: RHEL62CCC 846801 846802
Reported: 2011-04-19 16:25 UTC by Linda Knippers
Modified: 2012-08-08 18:29 UTC (History)

Fixed In Version: selinux-policy-3.7.19-87.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-19 12:27:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Linda Knippers 2011-04-19 16:25:36 UTC
Description of problem:

I noticed the following messages when booting my RHEL6.1 snap 3
system with the MLS policy.  They happen on every boot.  

Enabling local filesystem quotas:  [  OK  ]
rm: cannot remove `/var/run/faillock/ljk': Permission denied
rm: cannot remove `/var/run/faillock/root': Permission denied
Enabling /etc/fstab swaps:  [  OK  ]

Additional info:

The files are labeled:

# ls -lZd /var/run/faillock
drwxr-xr-x. root root system_u:object_r:faillog_t:SystemLow /var/run/faillock

# ls -lZ /var/run/faillock
-rw-------. ljk  root system_u:object_r:faillog_t:SystemLow ljk
-rw-------. root root system_u:object_r:faillog_t:SystemLow root

The labeling is correct according to restorecon.

The AVCs/audit records are:
type=AVC msg=audit(1303172721.588:4): avc:  denied  { write } for  pid=1319 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
type=SYSCALL msg=audit(1303172721.588:4): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=7870c0 a2=0 a3=7ffff2928780 items=0 ppid=1312 pid=1319 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1303172721.589:5): avc:  denied  { write } for  pid=1320 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
type=SYSCALL msg=audit(1303172721.589:5): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=175b0c0 a2=0 a3=7fffc4635500 items=0 ppid=1312 pid=1320 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)


audit2allow shows:

#============= initrc_t ==============
#!!!! The source type 'initrc_t' can write to a 'dir' of the following types:
# etc_runtime_t, mysqld_db_t, initrc_tmp_t, pam_var_console_t, udev_var_run_t, virt_var_lib_t, cgroup_t, boot_t, cert_t, mnt_t, root_t, tmp_t, var_t, named_conf_t, system_dbusd_var_lib_t, dkim_milter_data_t, lockfile, pidfile, tmpfile, etc_mail_t, device_t, initrc_state_t, etc_t, file_t, fonts_t, postgresql_db_t, tmpfs_t, alsa_etc_rw_t, gconf_etc_t, var_spool_t, var_lib_t, var_run_t, xserver_log_t, virt_cache_t, dhcpc_state_t, squid_log_t, svc_svc_t, var_log_t, ipsec_var_run_t, pam_var_run_t, ricci_var_lib_t, rpm_var_lib_t, net_conf_t, quota_flag_t, var_lib_nfs_t

allow initrc_t faillog_t:dir write;
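
The rule audit2allow printed above is just the denied AVC records reduced to their source type, target type, object class and permission set. The following parser is an added example (not code from the bug report or from the selinux-policy project) that performs that reduction on the two AVC lines quoted above, embedded here as a constructed sample with the SYSCALL record shortened; it skips non-AVC records and ignores the MLS range on the contexts, since the denial is a type-enforcement one (initrc_t writing a faillog_t directory), which is why the proper fix is the policy interface auth_manage_faillog(initrc_t) rather than a hand-written allow line.

```python
import re

# Constructed sample: the AVC records from the report, SYSCALL line shortened.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1303172721.588:4): avc:  denied  { write } for  pid=1319 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
type=SYSCALL msg=audit(1303172721.588:4): arch=c000003e syscall=263 success=no exit=-13 comm="rm" exe="/bin/rm"
type=AVC msg=audit(1303172721.589:5): avc:  denied  { write } for  pid=1320 comm="rm" name="faillock" dev=dm-0 ino=393729 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir
"""

# Matches the fields of an AVC record that a type-enforcement rule is built from.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type of a context user:role:type[:range]; the MLS range is dropped."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC record; SYSCALL and other record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {
                "result": m.group("result"),
                "perms": set(m.group("perms").split()),
                "stype": context_type(m.group("scontext")),
                "ttype": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            }


def allow_rules(text):
    """Collapse denied AVCs into audit2allow-style rules, one per (source, target, class)."""
    grouped = {}
    for avc in parse_avcs(text):
        if avc["result"] != "denied":
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        grouped.setdefault(key, set()).update(avc["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ %s }" % p
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p))
    return rules
```

Running allow_rules(SAMPLE_AUDIT) yields the single rule audit2allow reported, which is a quick way to confirm that a set of boot-time denials all stem from one missing policy grant before looking for the matching interface.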

Comment 1 Linda Knippers 2011-04-19 16:31:35 UTC
SELinux policy packages:

selinux-policy-3.7.19-82.el6.noarch
selinux-policy-mls-3.7.19-82.el6.noarch
selinux-policy-targeted-3.7.19-82.el6.noarch

Comment 3 Miroslav Grepl 2011-04-20 07:55:47 UTC
We have in F15 policy

auth_manage_faillog(initrc_t)

Comment 5 Miroslav Grepl 2011-04-20 14:52:39 UTC
Fixed in selinux-policy-3.7.19-87.el6

Comment 8 errata-xmlrpc 2011-05-19 12:27:50 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html