Description of problem:
iprinit, iprdump and iprupdate services work well with targeted policy, but they struggle with MLS policy.

iprinit   - IBM Power RAID adapter/device initialization utility
iprupdate - IBM Power RAID adapter/device microcode update utility
iprdump   - IBM Power RAID adapter dump utility

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-311.el5
selinux-policy-devel-2.4.6-311.el5
selinux-policy-minimum-2.4.6-311.el5
selinux-policy-mls-2.4.6-311.el5
selinux-policy-strict-2.4.6-311.el5
selinux-policy-targeted-2.4.6-311.el5
iprutils-2.3.4-1.el5

How reproducible:
always

Steps to Reproduce:
(have a ppc64 machine with MLS policy installed, runlevel 3, logged in as root via console)

# setenforce 1
# run_init service iprinit start
Authenticating root.
Password:
Starting ipr initialization daemon
/bin/bash: line 1: 3361 Segmentation fault /sbin/iprinit --daemon
[FAILED]
# run_init service iprupdate start
Authenticating root.
Password:
Checking ipr microcode levels
/bin/bash: line 1: 3382 Segmentation fault /sbin/iprupdate --daemon
Completed ipr microcode updates
[FAILED]
# run_init service iprdump start
Authenticating root.
Password:
Starting ipr dump daemon
[ OK ]
# ausearch -m avc -m user_avc -ts recent

Actual results:
----
time->Wed Jun 8 05:17:22 2011
type=SYSCALL msg=audit(1307524642.665:350): arch=14 syscall=5 success=no exit=-13 a0=1005f09e a1=2 a2=0 a3=0 items=0 ppid=3360 pid=3361 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iprinit" exe="/sbin/iprinit" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307524642.665:350): avc: denied { read write } for pid=3361 comm="iprinit" name="sg0" dev=tmpfs ino=16680 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----
time->Wed Jun 8 05:19:11 2011
type=SYSCALL msg=audit(1307524751.121:418): arch=14 syscall=5 success=no exit=-13 a0=1006f09e a1=2 a2=0 a3=8 items=0 ppid=3381 pid=3382 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iprupdate" exe="/sbin/iprupdate" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307524751.121:418): avc: denied { read write } for pid=3382 comm="iprupdate" name="sg0" dev=tmpfs ino=16680 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----
time->Wed Jun 8 05:21:33 2011
type=SYSCALL msg=audit(1307524893.775:486): arch=14 syscall=102 success=no exit=-13 a0=1 a1=ffa9f744 a2=f a3=0 items=0 ppid=1 pid=3423 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="iprdump" exe="/sbin/iprdump" subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307524893.775:486): avc: denied { create } for pid=3423 comm="iprdump" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
----

Expected results:
no denials
Could you try the same fix which we added to RHEL6?
# ls -Z /sbin/ipr*
-rwxr-xr-x root root system_u:object_r:sbin_t:SystemLow        /sbin/iprconfig
-rwx------ root root system_u:object_r:sbin_t:SystemLow        /sbin/iprdbg
-rwxr-xr-x root root system_u:object_r:mdadm_exec_t:SystemLow  /sbin/iprdump
-rwxr-xr-x root root system_u:object_r:mdadm_exec_t:SystemLow  /sbin/iprinit
-rwxr-xr-x root root system_u:object_r:mdadm_exec_t:SystemLow  /sbin/iprupdate
# run_init service iprinit start
Authenticating root.
Password:
Starting ipr initialization daemon
[ OK ]
# run_init service iprupdate start
Authenticating root.
Password:
Checking ipr microcode levels
Completed ipr microcode updates
[ OK ]
# run_init service iprdump start
Authenticating root.
Password:
Starting ipr dump daemon
[ OK ]
# ausearch -m avc -m user_avc -ts recent
----
time->Wed Jun 8 06:19:06 2011
type=SYSCALL msg=audit(1307528346.879:497): arch=14 syscall=5 success=no exit=-13 a0=10031220 a1=2 a2=0 a3=0 items=0 ppid=3654 pid=3655 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iprinit" exe="/sbin/iprinit" subj=system_u:system_r:mdadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307528346.879:497): avc: denied { read write } for pid=3655 comm="iprinit" name="sda" dev=tmpfs ino=13892 scontext=system_u:system_r:mdadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----
time->Wed Jun 8 06:19:18 2011
type=SYSCALL msg=audit(1307528358.628:500): arch=14 syscall=5 success=no exit=-13 a0=10041220 a1=2 a2=ffb3fa94 a3=18 items=0 ppid=3672 pid=3673 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iprupdate" exe="/sbin/iprupdate" subj=system_u:system_r:mdadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1307528358.628:500): avc: denied { read write } for pid=3673 comm="iprupdate" name="sda" dev=tmpfs ino=13892 scontext=system_u:system_r:mdadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file
----
#
Ok, we have these rules in RHEL6.
Fixed in selinux-policy-2.4.6-312.el5
Ok, I also need to add

mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
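A small triage helper, added here as an example and not part of this bug report or of the selinux-policy package, that reads the AVC records quoted in this bug and separates the two kinds of denial seen in it: the type-enforcement denials of the first attempt (initrc_t has no rule for scsi_generic_device_t, and no rule to create a netlink_kobject_uevent_socket), and the MLS mismatch that remains once the binaries run as mdadm_t (a process whose range is s0-s15 opening a device labeled s15:c0.c1023), which is what the mls_file_read_all_levels/mls_file_write_all_levels interfaces above address. The AVC lines are copied from this report; the function names and the heuristic of comparing the target's sensitivity with the subject's low level are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy package.
# Heuristic: if the target object's sensitivity is above the subject's low
# (current) level, the default MLS constraints refuse both read and write
# no matter what allow rules exist, so the fix is an mls_file_*_all_levels
# interface (or a ranged transition), not another allow rule ("mls").
# Otherwise the denial is ordinary type enforcement ("te").

# Constructed input: three AVC records quoted in this bug, one per line.
AVC_LINES='type=AVC msg=audit(1307524642.665:350): avc: denied { read write } for pid=3361 comm="iprinit" name="sg0" dev=tmpfs ino=16680 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC msg=audit(1307524893.775:486): avc: denied { create } for pid=3423 comm="iprdump" scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket
type=AVC msg=audit(1307528346.879:497): avc: denied { read write } for pid=3655 comm="iprinit" name="sda" dev=tmpfs ino=13892 scontext=system_u:system_r:mdadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 tclass=blk_file'

# avc_field NAME LINE -> value of the "NAME=value" token in LINE
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ctx_low_sens CONTEXT -> numeric low sensitivity of the level or range
# (s0-s15:c0.c1023 -> 0, s15:c0.c1023 -> 15, s0 -> 0)
ctx_low_sens() {
    level=$(printf '%s\n' "$1" | cut -d: -f4)
    low=${level%%-*}
    printf '%s\n' "${low#s}"
}

# avc_classify LINE -> "comm subject_type target_type tclass perms verdict"
avc_classify() {
    line=$1
    comm=$(avc_field comm "$line" | tr -d '"')
    sctx=$(avc_field scontext "$line")
    tctx=$(avc_field tcontext "$line")
    tclass=$(avc_field tclass "$line")
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) } for.*/\1/p' | tr ' ' ',')
    s_low=$(ctx_low_sens "$sctx")
    t_low=$(ctx_low_sens "$tctx")
    if [ "$t_low" -gt "$s_low" ]; then
        verdict=mls
    else
        verdict=te
    fi
    printf '%s %s %s %s %s %s\n' \
        "$comm" "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perms" "$verdict"
}

# avc_triage -> one summary line per record in AVC_LINES
avc_triage() {
    printf '%s\n' "$AVC_LINES" | while IFS= read -r line; do
        avc_classify "$line"
    done
}

avc_triage
```

On a live system feed it `ausearch -m avc -ts recent | grep '^type=AVC'` instead of the embedded lines. The verdict is only a hint: confirm a "te" result with audit2allow, and a "mls" result by checking whether the domain carries the mlsfileread and mlsfilewrite attributes, which is exactly what the two interfaces above grant to mdadm_t.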
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html