Description of problem:
If I add a NIS username to /etc/cgrules.conf, I get an avc: denied message which prevents cgroups from properly applying rules to NIS users

Version-Release number of selected component (if applicable):

How reproducible:
put a NIS user rule into /etc/cgrules.conf

Steps to Reproduce:
1. edit /etc/cgrules.conf adding:
   jbaron:/tmp/loop cpu low-priority
2. start cgconfig service
3. start cgred service

Actual results:
From the audit.log file:
type=AVC msg=audit(1305907326.265:264): avc: denied { create } for pid=24941 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket

Expected results:
Cgroups properly adds rules for NIS users.

Additional info:
Easy to reproduce:

----
time->Mon May 23 03:35:34 2011
type=SYSCALL msg=audit(1306136134.886:44354): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf873854 a2=514ff4 a3=93a0b28 items=0 ppid=15863 pid=15864 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=3582 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306136134.886:44354): avc: denied { create } for pid=15864 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----

# rpm -qa | grep -e selinux-policy -e ypbind -e ypserv | sort
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-minimum-3.7.19-93.el6.noarch
selinux-policy-mls-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
ypbind-1.20.4-29.el6.i686
ypserv-2.19-18.el6.i686
#
Could you test it also with

# semanage permissive -a cgred_t
Following AVCs appeared when ypbind and ypserv were not running:

----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44671): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44671): avc: denied { node_bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44671): avc: denied { bind } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.801:44670): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bf994164 a2=514ff4 a3=8cebb28 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.801:44670): avc: denied { create } for pid=18695 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.802:44672): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bf994164 a2=514ff4 a3=4 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.802:44672): avc: denied { name_connect } for pid=18695 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144126.802:44672): avc: denied { connect } for pid=18695 comm="cgrulesengd" lport=58245 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44673): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8cebc50 a2=3c a3=3c items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44673): avc: denied { write } for pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:48:46 2011
type=SYSCALL msg=audit(1306144126.803:44674): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8cebde0 a2=190 a3=8cebba0 items=0 ppid=18694 pid=18695 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144126.803:44674): avc: denied { read } for pid=18695 comm="cgrulesengd" path="socket:[3265378]" dev=sockfs ino=3265378 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
Following AVCs appeared when ypbind and ypserv were running:

----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.951:44687): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c4e4 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.951:44687): avc: denied { create } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.952:44688): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.952:44688): avc: denied { node_bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.952:44688): avc: denied { bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44689): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c4e4 a2=514ff4 a3=4 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44689): avc: denied { name_connect } for pid=18897 comm="cgrulesengd" dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1306144305.953:44689): avc: denied { connect } for pid=18897 comm="cgrulesengd" lport=44500 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44690): arch=40000003 syscall=4 success=yes exit=60 a0=4 a1=8731c50 a2=3c a3=3c items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44690): avc: denied { write } for pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44691): arch=40000003 syscall=3 success=yes exit=32 a0=4 a1=8731de0 a2=190 a3=8731ba0 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44691): avc: denied { read } for pid=18897 comm="cgrulesengd" path="socket:[3266325]" dev=sockfs ino=3266325 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.953:44692): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c510 a2=514ff4 a3=bff8c524 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.953:44692): avc: denied { net_bind_service } for pid=18897 comm="cgrulesengd" capability=10 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability
type=AVC msg=audit(1306144305.953:44692): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=841 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.954:44693): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bff8c548 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.954:44693): avc: denied { name_connect } for pid=18897 comm="cgrulesengd" dest=797 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44694): arch=40000003 syscall=102 success=yes exit=4 a0=1 a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44694): avc: denied { create } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44695): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bff8c4f4 a2=514ff4 a3=bff8c508 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44695): avc: denied { node_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1306144305.976:44695): avc: denied { bind } for pid=18897 comm="cgrulesengd" scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44696): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bff8c52c a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44696): avc: denied { setopt } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:45 2011
type=SYSCALL msg=audit(1306144305.976:44697): arch=40000003 syscall=102 success=yes exit=88 a0=b a1=bff8c508 a2=514ff4 a3=8731b30 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144305.976:44697): avc: denied { write } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
time->Mon May 23 05:51:46 2011
type=SYSCALL msg=audit(1306144306.001:44698): arch=40000003 syscall=102 success=yes exit=92 a0=c a1=bff8c508 a2=514ff4 a3=8731b28 items=0 ppid=18896 pid=18897 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3572 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)
type=AVC msg=audit(1306144306.001:44698): avc: denied { read } for pid=18897 comm="cgrulesengd" lport=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=udp_socket
----
It looks like it needs auth_use_nsswitch(cgred_t).
nm -D /sbin/cgrulesengd | grep pw
                 U getpwnam

It needs auth_use_nsswitch
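An added example, not part of this bug report or of the selinux-policy package: a small Python parser for audit records like the dumps above. It groups the denials for one source domain by target type and object class the way audit2allow does, and flags the portmap/reserved-port pattern that points at an RPC name-service lookup (the NIS path that auth_use_nsswitch() covers). The sample records are constructed from the ones quoted in this bug, one pair deliberately run together on a single line as the extracted dump shows them; the RPC_LOOKUP_TYPES heuristic and all function names are this example's own assumptions.

```python
"""Summarise SELinux AVC denials from audit.log records for one domain."""
import re
from collections import defaultdict

# Constructed sample (abridged copies of records quoted in this bug):
# one SYSCALL record that must be ignored, and two AVC records run
# together on one line, which the splitter below has to separate.
SAMPLE_AUDIT = (
    'type=SYSCALL msg=audit(1306144126.801:44670): arch=40000003 syscall=102 success=yes exit=4 '
    'comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=unconfined_u:system_r:cgred_t:s0 key=(null)\n'
    'type=AVC msg=audit(1306144126.801:44670): avc: denied { create } for pid=18695 comm="cgrulesengd" '
    'scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1306144126.802:44671): avc: denied { node_bind } for pid=18695 comm="cgrulesengd" '
    'scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket '
    'type=AVC msg=audit(1306144126.802:44671): avc: denied { bind } for pid=18695 comm="cgrulesengd" '
    'scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1306144126.802:44672): avc: denied { name_connect } for pid=18695 comm="cgrulesengd" '
    'dest=111 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1306144305.953:44692): avc: denied { net_bind_service } for pid=18897 comm="cgrulesengd" '
    'capability=10 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=unconfined_u:system_r:cgred_t:s0 tclass=capability\n'
    'type=AVC msg=audit(1306144305.976:44695): avc: denied { name_bind } for pid=18897 comm="cgrulesengd" '
    'src=842 scontext=unconfined_u:system_r:cgred_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket\n'
)

# Head of an AVC record: serial, verdict and the permission set in braces;
# everything after "for" is a run of key=value fields parsed separately.
AVC_RE = re.compile(
    r'^type=AVC\s+msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$', re.DOTALL)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (an assumption of this example): denials against the portmapper
# port and the reserved-port range are the signature of RPC traffic such as
# NIS lookups triggered through nsswitch.
RPC_LOOKUP_TYPES = {'portmap_port_t', 'hi_reserved_port_t'}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc_records(text):
    """Split audit text into records (newline-separated or run together)
    and return one dict per AVC record; other record types are skipped."""
    records = []
    for chunk in re.split(r'(?=type=)', text):
        m = AVC_RE.match(chunk.strip())
        if not m:
            continue  # SYSCALL, CWD, PATH ... carry no access decision
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        records.append({
            'serial': int(m.group('serial')),
            'verdict': m.group('verdict'),
            'perms': set(m.group('perms').split()),
            'comm': fields.get('comm', ''),
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
            'port': fields.get('dest') or fields.get('src') or fields.get('lport'),
        })
    return records


def summarise_denials(records, domain):
    """Denied permissions for one source domain, keyed by (target type, class)."""
    summary = defaultdict(set)
    for r in records:
        if r['verdict'] == 'denied' and r['stype'] == domain:
            summary[(r['ttype'], r['tclass'])].update(r['perms'])
    return {key: sorted(perms) for key, perms in summary.items()}


def as_allow_rules(summary, domain):
    """Render the summary as audit2allow-style allow rules (self for own type)."""
    rules = []
    for (ttype, tclass), perms in sorted(summary.items()):
        target = 'self' if ttype == domain else ttype
        rules.append(f'allow {domain} {target}:{tclass} {{ {" ".join(perms)} }};')
    return rules


def looks_like_rpc_name_lookup(summary):
    """True when the denied targets include every type in RPC_LOOKUP_TYPES."""
    hit_types = {ttype for (ttype, _tclass) in summary}
    return RPC_LOOKUP_TYPES <= hit_types


if __name__ == '__main__':
    recs = parse_avc_records(SAMPLE_AUDIT)
    summary = summarise_denials(recs, 'cgred_t')
    for rule in as_allow_rules(summary, 'cgred_t'):
        print(rule)
    if looks_like_rpc_name_lookup(summary):
        print('# RPC/NIS lookup pattern: use auth_use_nsswitch(cgred_t) rather than raw allows')
```

Run stand-alone it prints the grouped allow rules for cgred_t. The value of the summary is diagnostic rather than something to paste into a policy module: a daemon that is denied name_connect to portmap_port_t (port 111) and name_bind on hi_reserved_port_t while it resolves a user name is doing a NIS lookup through nsswitch, and that whole set of accesses is what the auth_use_nsswitch() interface grants, so the policy fix is the interface call this bug arrives at, not the individual allow lines.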
I see this fix in selinux-policy-3.7.19-98.fc16
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html