Bug 720939 - Various AVC denied for initrc_t:unix_stream_socket { read write }
Summary: Various AVC denied for initrc_t:unix_stream_socket { read write }
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 720949
Reported: 2011-07-13 10:01 UTC by Robert Scheck
Modified: 2018-11-14 11:34 UTC (History)
CC List: 3 users

Fixed In Version: selinux-policy-3.7.19-105.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 720949
Environment:
Last Closed: 2011-12-06 10:09:20 UTC
Target Upstream Version:
Embargoed:


Attachments
Initial heartbeat policy (1.57 KB, application/x-compressed-tar), 2011-08-08 13:57 UTC, Miroslav Grepl, no flags


Links
System: Red Hat Product Errata
ID: RHBA-2011:1511
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2011-12-06 00:39:17 UTC

Description Robert Scheck 2011-07-13 10:01:59 UTC
Description of problem:
I'm a bit irritated if this is a SELinux issue or a Heartbeat issue/bug:
Getting various AVC denied for initrc_t:unix_stream_socket { read write },
e.g.:

#============= logrotate_t ==============
allow logrotate_t initrc_t:unix_stream_socket { read write };

#============= logwatch_t ==============
allow logwatch_t initrc_t:unix_stream_socket { read write };

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t initrc_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t initrc_t:unix_stream_socket { read write };

#============= webalizer_t ==============
allow webalizer_t initrc_t:unix_stream_socket { read write };

I have to mention that crond was started via heartbeat and everything above
results from a cronjob from what I can see. Heartbeat uses the regular cron
initscript as provided with the RPM package.

Here are some "ps auxZ" for cron and initrc_t:

unconfined_u:system_r:crond_t:s0-s0:c0.c1023 root 3609 0.0  0.0 20340 1352 ?   Ss   Jul12   0:00 crond
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13756 0.0  0.0 105304 924 pts/0 S+ 11:58   0:00 grep cron

system_u:system_r:initrc_t:s0   root      1647  0.0  0.0 108456  1736 ?        Ss   Jul12   0:00 /bin/bash /etc/rc.d/rc 3
system_u:system_r:initrc_t:s0   root      2509  0.0  0.0 108192  1468 ?        S    Jul12   0:00 /bin/bash /etc/rc3.d/S70drbd start
system_u:system_r:initrc_t:s0   root      2587  0.0  0.0   4312   924 ?        S    Jul12   0:02 /sbin/drbdadm wait-con-int
system_u:system_r:initrc_t:s0   root      2589  0.0  0.0   4104   636 ?        S    Jul12   0:00 /sbin/drbdsetup 0 wait-connect --degr-wfc-timeout=120
system_u:system_r:initrc_t:s0   root      2590  0.0  0.0   4104   636 ?        S    Jul12   0:00 /sbin/drbdsetup 1 wait-connect --degr-wfc-timeout=120
unconfined_u:system_r:initrc_t:s0 root    2886  0.0  0.0  52584  7584 ?        SLs  Jul12   0:26 heartbeat: master control process
unconfined_u:system_r:initrc_t:s0 root    2888  0.0  0.0  52000  7000 ?        SL   Jul12   0:01 heartbeat: FIFO reader        
unconfined_u:system_r:initrc_t:s0 root    2889  0.3  0.0  51996  6996 ?        SL   Jul12   3:46 heartbeat: write: ucast em2   
unconfined_u:system_r:initrc_t:s0 root    2890  0.0  0.0  51996  6996 ?        SL   Jul12   0:00 heartbeat: read: ucast em2    
unconfined_u:system_r:initrc_t:s0 root    2891  0.0  0.0  51996  6996 ?        SL   Jul12   0:04 heartbeat: write: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 root    2892  0.0  0.0  51996  6996 ?        SL   Jul12   0:02 heartbeat: read: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 498     2894  0.0  0.0  36272  1424 ?        S    Jul12   0:02 /usr/lib64/heartbeat/ipfail
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 13758 0.0  0.0 105304 924 pts/0 S+ 11:59   0:00 grep initrc_t

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6.noarch
selinux-policy-targeted-3.7.19-93.el6.noarch
heartbeat-3.0.4-1.el6.x86_64

Actual results:
Various AVC denied for initrc_t:unix_stream_socket { read write }.

Expected results:
No AVC denied for initrc_t:unix_stream_socket { read write }.

Additional info:
I know heartbeat is not a part of RHEL, the package is from EPEL. And I can
not exclude that this is a heartbeat issue. But it would help to know, if it
is a SELinux issue or not.

Comment 2 Miroslav Grepl 2011-07-13 10:27:42 UTC
These are leaked file descriptors.

Also we have drbd policy in Fedora and looks like we also need a policy for heartbeat.

Comment 3 Daniel Walsh 2011-07-13 12:52:08 UTC
Is heartbeat leaking or is it the cron job?

Comment 4 Robert Scheck 2011-07-13 12:55:35 UTC
I would assume this is heartbeat, because I think you would have gotten lots
of reports if either the crond or e.g. logrotate/prelink/webalizer causes the 
issue.

Comment 5 Robert Scheck 2011-07-14 10:43:08 UTC
I've cross-filed this issue as Service Request 506720.

Comment 6 Miroslav Grepl 2011-07-25 13:23:57 UTC
(In reply to comment #5)
> I've cross-filed this issue as Service Request 506720.

Ok. I will backport drbd policy from Fedora.

Comment 7 Miroslav Grepl 2011-07-27 13:30:35 UTC
Fixed in selinux-policy-3.7.19-105.el6

Comment 10 Robert Scheck 2011-08-06 14:06:45 UTC
Miroslav? May you let me know what the source code fix for this issue is?
Your colleagues keep asking for a sosreport which doesn't really make sense
for them, I think.

I'm also wondering why you backported the drbd policy from Fedora, because
drbd doesn't start/stop these services, but heartbeat does. Shouldn't there
be simply a "dontaudit" for the services with leaked file descriptors?

Comment 11 Miroslav Grepl 2011-08-08 12:59:57 UTC
They need to close file descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Yes, I added drbd policy because the drbd daemon was running as initrc_t domain. This means a daemon is not confined by SELinux. And we have this policy in Fedora.

A new heartbeat policy needs to be created.

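Added example (not part of the bug report, the selinux-policy package or the heartbeat project) showing the mechanism behind the AVCs in the description and the fix named in Comment 11. SELinux labels a socket object with the domain of the process that created it, so a socket heartbeat (running in initrc_t) leaves open across the exec of crond, and that crond in turn passes on to every job it spawns, is initrc_t:unix_stream_socket from the point of view of logrotate_t, logwatch_t, prelink_cron_system_t and the rest. An "allow" rule would grant each of those cron domains real read/write access to the cluster daemon's socket; a "dontaudit" rule would only silence the log while the descriptor keeps leaking. Setting FD_CLOEXEC on the descriptor removes the exposure. The function names (`set_cloexec`, `fd_survives_exec`, `leak_without_cloexec`, `leak_with_cloexec`) are mine; the code assumes a POSIX system with /bin/sh and a standalone /dev/null.

```c
/*
 * Added example, not code from the bug report or from heartbeat.
 * Models the leak: a daemon creates an AF_UNIX stream socket, then
 * fork()+exec()s a helper. Without FD_CLOEXEC the helper inherits the
 * socket; with it, the descriptor is closed at exec time.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Comment 11's fix, preserving any descriptor flags already set.
 * Returns 0 on success, -1 on failure (e.g. fd is not open). */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/*
 * Fork, exec /bin/sh and let the new program image test whether `fd`
 * is still open: "exec 9<&N" exits non-zero when N is not open.
 * Returns 1 if the descriptor survived the exec (leaked), 0 if it was
 * closed, -1 if fork or exec itself failed.
 */
static int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* stderr is redirected first so a "Bad file descriptor" message
     * from the failing dup does not reach the terminal. */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)0);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* The bug as reported: socket created, helper exec'd, nothing closed.
 * Returns 1 when the exec'd child inherits the socket. */
static int leak_without_cloexec(void)
{
    int sv[2], leaked;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    leaked = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

/* Same flow with fcntl(fd, F_SETFD, FD_CLOEXEC) applied to both ends
 * before the exec. Returns 0 when the child no longer sees the socket. */
static int leak_with_cloexec(void)
{
    int sv[2], leaked;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (set_cloexec(sv[0]) < 0 || set_cloexec(sv[1]) < 0)
        return -1;
    leaked = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: socket %s the exec'd child\n",
           leak_without_cloexec() == 1 ? "leaks into" : "does not reach");
    printf("with FD_CLOEXEC:    socket %s the exec'd child\n",
           leak_with_cloexec() == 1 ? "leaks into" : "does not reach");
    return 0;
}
```

The fcntl call leaves a window between socketpair() and F_SETFD in which another thread could fork; where the platform offers it (Linux 2.6.27 and later, so including the RHEL 6 kernel), passing SOCK_CLOEXEC in the socket type, as in `socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv)`, sets the flag atomically at creation. The same applies to every other descriptor a daemon keeps open across exec (pipes, log files, device nodes): each one that lacks FD_CLOEXEC shows up as a denial in whatever confined domain the child ends up in.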
Comment 12 Miroslav Grepl 2011-08-08 13:40:00 UTC
Robert,
could you add your output of

# ps -efZ |grep heartbeat

Comment 13 Robert Scheck 2011-08-08 13:45:07 UTC
# ps -efZ |grep heartbeat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3209 3177  0 15:43 pts/0 00:00:00 grep heartbeat
unconfined_u:system_r:initrc_t:s0 root    7052     1  0 Aug05 ?        00:02:23 heartbeat: master control process
unconfined_u:system_r:initrc_t:s0 root    7055  7052  0 Aug05 ?        00:00:05 heartbeat: FIFO reader
unconfined_u:system_r:initrc_t:s0 root    7056  7052  0 Aug05 ?        00:00:08 heartbeat: write: ucast em2
unconfined_u:system_r:initrc_t:s0 root    7057  7052  0 Aug05 ?        00:00:05 heartbeat: read: ucast em2
unconfined_u:system_r:initrc_t:s0 root    7058  7052  0 Aug05 ?        00:00:17 heartbeat: write: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 root    7059  7052  0 Aug05 ?        00:00:16 heartbeat: read: ping 91.196.144.1
unconfined_u:system_r:initrc_t:s0 root    7060  7052  0 Aug05 ?        00:00:18 heartbeat: write: ping 172.16.32.5
unconfined_u:system_r:initrc_t:s0 root    7061  7052  0 Aug05 ?        00:00:17 heartbeat: read: ping 172.16.32.5
unconfined_u:system_r:initrc_t:s0 498     7065  7052  0 Aug05 ?        00:00:07 /usr/lib64/heartbeat/ipfail
#

Comment 14 Miroslav Grepl 2011-08-08 13:57:49 UTC
Created attachment 517225 [details]
Initial heartbeat policy

Here is the initial heartbeat policy.

tar xvf /tmp/heartbeat.tgz
cd /tmp/
sh heartbeat.sh

echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
service auditd restart

service heartbeat restart

And start collecting AVC's

Comment 16 errata-xmlrpc 2011-12-06 10:09:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

