698144 – AVCs appear when starting tgtd

Bug 698144 - AVCs appear when starting tgtd

Summary: AVCs appear when starting tgtd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Karel Srot
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-20 10:10 UTC by Milos Malik
Modified:	2012-09-22 08:45 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.7.19-87.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-05-19 12:27:55 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:0526	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-05-19 09:37:41 UTC

Description Milos Malik 2011-04-20 10:10:46 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-3.7.19-86.el6.noarch
selinux-policy-doc-3.7.19-86.el6.noarch
selinux-policy-mls-3.7.19-86.el6.noarch
selinux-policy-3.7.19-86.el6.noarch
selinux-policy-targeted-3.7.19-86.el6.noarch
scsi-target-utils-1.0.14-2.el6

How reproducible:
always

Steps to Reproduce:
# service tgtd start
Starting SCSI target daemon: [FAILED]
# service tgtd status
tgtd is stopped
# service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [FAILED]
# service tgtd status
tgtd is stopped

  
Actual results (enforcing mode):
----
type=SYSCALL msg=audit(04/20/2011 06:02:55.917:3260) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=6 a1=7fffff669fe0 a2=6e a3=2 items=0 ppid=17717 pid=17718 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=tgtd exe=/usr/sbin/tgtd subj=unconfined_u:system_r:tgtd_t:s0 key=(null) 
type=AVC msg=audit(04/20/2011 06:02:55.917:3260) : avc:  denied  { write } for  pid=17718 comm=tgtd name=run dev=dm-0 ino=2622195 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(04/20/2011 06:02:58.196:3261) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=6 a1=7fffd5b50d30 a2=6e a3=2 items=0 ppid=17765 pid=17766 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=7 comm=tgtd exe=/usr/sbin/tgtd subj=unconfined_u:system_r:tgtd_t:s0 key=(null) 
type=AVC msg=audit(04/20/2011 06:02:58.196:3261) : avc:  denied  { write } for  pid=17766 comm=tgtd name=run dev=dm-0 ino=2622195 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
time->Wed Apr 20 06:03:48 2011
type=SYSCALL msg=audit(1303293828.107:3263): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fffa3f08e70 a2=6e a3=2 items=0 ppid=18110 pid=18111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1303293828.107:3263): avc:  denied  { create } for  pid=18111 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303293828.107:3263): avc:  denied  { add_name } for  pid=18111 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1303293828.107:3263): avc:  denied  { write } for  pid=18111 comm="tgtd" name="run" dev=dm-0 ino=2622195 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Apr 20 06:03:50 2011
type=SYSCALL msg=audit(1303293830.622:3265): arch=c000003e syscall=87 success=yes exit=0 a0=7fffe6a0bc00 a1=4309fa a2=26 a3=7fffe6a0b980 items=0 ppid=18171 pid=18172 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1303293830.622:3265): avc:  denied  { unlink } for  pid=18172 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" dev=dm-0 ino=2623284 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1303293830.622:3265): avc:  denied  { remove_name } for  pid=18172 comm="tgtd" name="tgtd.ipc_abstract_namespace.0" dev=dm-0 ino=2623284 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----

Expected results:
no AVCs

Comment 1 Miroslav Grepl 2011-04-20 11:34:48 UTC

I added fixes to F15. I am adding it to RHEL6.

Comment 3 Miroslav Grepl 2011-04-20 14:52:13 UTC

Fixed in selinux-policy-3.7.19-87.el6

Comment 6 errata-xmlrpc 2011-05-19 12:27:55 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

Note You need to log in before you can comment on or make changes to this bug.