727078 – Getting AVC error messages in /var/log/audit/audit.log

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 727078 - Getting AVC error messages in /var/log/audit/audit.log

Summary: Getting AVC error messages in /var/log/audit/audit.log

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	710357 752155
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-01 09:39 UTC by RHEL Program Management
Modified:	2011-11-08 17:23 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.7.19-93.el6_1.4
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-08-22 12:45:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1193	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2011-08-22 12:45:35 UTC

Description RHEL Program Management 2011-08-01 09:39:28 UTC

This bug has been copied from bug #710357 and has been proposed
to be backported to 6.1 z-stream (EUS).

Comment 4 Miroslav Grepl 2011-08-02 12:24:21 UTC

Fixed in selinux-policy-3.7.19-93.el6_1.4.

Comment 6 Karel Srot 2011-08-05 10:58:41 UTC

May I kindly ask to retest this bug on RHEL6.1 with selinux-policy-3.7.19-93.el6_1.4? Thank you in advance.

Comment 7 Nathan Kinder 2011-08-08 16:54:42 UTC

(In reply to comment #6)
> May I kindly ask to retest this bug on RHEL6.1 with
> selinux-policy-3.7.19-93.el6_1.4? Thank you in advance.

This package version had some problems that were addressed in selinux-policy-3.7.19-93.el6_1.5 (see bug 727039 for details).

I tested for this bug using the new selinux-policy-3.7.19-93.el6_1.5 package, but I still encounter a problem.  I still see the following AVC:

type=AVC msg=audit(1312821744.482:25274): avc:  denied  { write } for  pid=7132 comm="ns-slapd" path="/tmp/startup.7125" dev=dm-0 ino=234193 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:object_r:dirsrvadmin_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1312821744.482:25274): arch=40000003 syscall=11 success=yes exit=0 a0=8723600 a1=87239f0 a2=8723418 a3=87239f0 items=0 ppid=7129 pid=7132 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

The startup output is redirected to a tmp file by the CGI, but ns-slapd (dirsrv_t) is blocked from writing to that file since it is labelled as dirsrvadmin_tmp_t.  We can just allow dirsrv_t to write to dirsrvadmin_tmp_t files to resolve this.

Comment 8 Miroslav Grepl 2011-08-08 18:28:43 UTC

Are you getting only this AVC msg? Could you try to swith to permissive mode globally

setenforce 0

and make sure that only this avc remaining.

Comment 9 Nathan Kinder 2011-08-08 19:24:53 UTC

(In reply to comment #8)
> Are you getting only this AVC msg? Could you try to swith to permissive mode
> globally
> 
> setenforce 0
> 
> and make sure that only this avc remaining.

Yes, this was in permissive mode.

Comment 10 Miroslav Grepl 2011-08-09 09:04:47 UTC

Nathan,
could you test it with 

https://brewweb.devel.redhat.com/buildinfo?buildID=175311

before I update errata. Thanks.

Comment 11 Nathan Kinder 2011-08-09 15:04:06 UTC

(In reply to comment #10)
> Nathan,
> could you test it with 
> 
> https://brewweb.devel.redhat.com/buildinfo?buildID=175311
> 
> before I update errata. Thanks.

Looks good.  I get no AVC messages now when doing a DS instance restart via Console.  Thanks for the quick turn-around on this new package!

Comment 12 Karel Srot 2011-08-10 10:53:23 UTC

Unfortunately the bug is not fixed.
I think Nathat did the test in permissive and therefore missed dontaudited denials.
I tried to reproduce the test scenario from Nathan (directory server reboot fails in enforcing) with
selinux-policy-3.7.19-93.el6_1.6.noarch
redhat-ds-9.0.0-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-adminutil-1.1.14-1.el6.x86_64
389-ds-base-1.2.8.2-1.el6_1.8.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.8.2-1.el6_1.8.x86_64
389-admin-1.1.21-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch

creating a ds produce (dontaudited) AVCs:

type=AVC msg=audit(1312970664.912:101314): avc:  denied  { read write } for  pid=7038 comm="ns-slapd" path="socket:[66837]" dev=sockfs ino=66837 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1312970664.912:101314): avc:  denied  { read write } for  pid=7038 comm="ns-slapd" path="socket:[66834]" dev=sockfs ino=66834 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket

restarting a ds produce (dontaudited) AVCs (restart fails):

type=AVC msg=audit(1312970819.720:101326): avc:  denied  { read write } for  pid=7437 comm="ds_restart" path="socket:[71804]" dev=sockfs ino=71804 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1312970819.720:101326): avc:  denied  { read write } for  pid=7437 comm="ds_restart" path="socket:[71804]" dev=sockfs ino=71804 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1312970819.720:101326): avc:  denied  { read write } for  pid=7437 comm="ds_restart" path="socket:[66834]" dev=sockfs ino=66834 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1312970821.738:101327): avc:  denied  { write } for  pid=7439 comm="sh" name="/" dev=dm-0 ino=2 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir


I have created a module using audit2allow -M and load it.
After that, domain restart produced another AVC (admin GUI freezed) so I have switched to permissive and restarted directory server which resulted in:

type=AVC msg=audit(1312971115.445:101341): avc:  denied  { add_name } for  pid=8031 comm="sh" name="startup.8028" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1312971561.610:101349): avc:  denied  { create } for  pid=8815 comm="sh" name="startup.8812" scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1312971903.080:101370): avc:  denied  { write open } for  pid=9684 comm="sh" name="startup.9681" dev=dm-0 ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1312971904.195:101372): avc:  denied  { read } for  pid=9681 comm="ds_restart" name="startup.9681" dev=dm-0 ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1312971904.195:101373): avc:  denied  { getattr } for  pid=9681 comm="ds_restart" path="/startup.9681" dev=dm-0 ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file
type=AVC msg=audit(1312971904.195:101374): avc:  denied  { remove_name } for  pid=9681 comm="ds_restart" name="startup.9681" dev=dm-0 ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
type=AVC msg=audit(1312971904.195:101374): avc:  denied  { unlink } for  pid=9681 comm="ds_restart" name="startup.9681" dev=dm-0 ino=12 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:root_t:s0 tclass=file

With all those denials allowed I can successfuly create a directory server instance, restart it and remove (in enforcing, no AVC).

For some reason the "Start directory server" action didn't work (window freeze, action in progress, never finished with message like "instance started") but that wasn't selinux related issue (same thing in permissive mode)

Comment 13 Miroslav Grepl 2011-08-10 11:01:47 UTC

> type=AVC msg=audit(1312970664.912:101314): avc:  denied  { read write } for 
> pid=7038 comm="ns-slapd" path="socket:[66837]" dev=sockfs ino=66837
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1312970664.912:101314): avc:  denied  { read write } for 
> pid=7038 comm="ns-slapd" path="socket:[66834]" dev=sockfs ino=66834
> scontext=unconfined_u:system_r:dirsrv_t:s0
> tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket

make sense to fix and I need to add them.

Comment 14 Miroslav Grepl 2011-08-10 11:04:21 UTC

Nathan,
AVC messages related to "root_t:s0" are the same which we discussed in 

https://bugzilla.redhat.com/show_bug.cgi?id=710357#c11

and you fixed them in

https://bugzilla.redhat.com/show_bug.cgi?id=724808

Comment 15 Miroslav Grepl 2011-08-10 11:42:15 UTC

(In reply to comment #13)
> > type=AVC msg=audit(1312970664.912:101314): avc:  denied  { read write } for 
> > pid=7038 comm="ns-slapd" path="socket:[66837]" dev=sockfs ino=66837
> > scontext=unconfined_u:system_r:dirsrv_t:s0
> > tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> > type=AVC msg=audit(1312970664.912:101314): avc:  denied  { read write } for 
> > pid=7038 comm="ns-slapd" path="socket:[66834]" dev=sockfs ino=66834
> > scontext=unconfined_u:system_r:dirsrv_t:s0
> > tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
> 
> make sense to fix and I need to add them.

I thought these

type=AVC msg=audit(1312970819.720:101326): avc:  denied  { read write } for 
pid=7437 comm="ds_restart" path="socket:[71804]" dev=sockfs ino=71804
scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
tcontext=unconfined_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1312970819.720:101326): avc:  denied  { read write } for 
pid=7437 comm="ds_restart" path="socket:[71804]" dev=sockfs ino=71804
scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0

Comment 16 Nathan Kinder 2011-08-10 14:48:50 UTC

(In reply to comment #14)
> Nathan,
> AVC messages related to "root_t:s0" are the same which we discussed in 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=710357#c11
> 
> and you fixed them in
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=724808

That is correct.  These were a bug in the 389-admin package that was recently fixed.  We do not have a build with this fix yet, though we expect one in the next day or two.  We can ignore the root_t issues as far as the testing for this bug goes.

(In reply to comment #12)
> For some reason the "Start directory server" action didn't work (window freeze,
> action in progress, never finished with message like "instance started") but
> that wasn't selinux related issue (same thing in permissive mode)

It has a timeout of 600 seconds to read the startup output, so it will appear to freeze until that timeout expires.  At that point, an error dialog will pop up.  This is due to the root_t issues mentioned above.

Comment 17 Miroslav Grepl 2011-08-10 15:01:00 UTC

Great.

Comment 18 Karel Srot 2011-08-11 06:45:28 UTC

> (In reply to comment #12)
> > For some reason the "Start directory server" action didn't work (window freeze,
> > action in progress, never finished with message like "instance started") but
> > that wasn't selinux related issue (same thing in permissive mode)
> 
> It has a timeout of 600 seconds to read the startup output, so it will appear
> to freeze until that timeout expires.  At that point, an error dialog will pop
> up.  This is due to the root_t issues mentioned above.

Do you mean that root_t issue is not only selinux related? Because I have created a module to allow all root_t issues and also tried it in permissive mode. The start up didn't work anyway. If there are some non-selinux issues too, it is OK then. But it is definitely selinux fault.

> We do not have a build with this fix yet, though we expect one in the
> next day or two.  We can ignore the root_t issues as far as the testing for
> this bug goes.
I would prefer to retest it on a build with the root_t fix. Just to be sure we do not realease the update with unresolved issues.

Comment 19 Karel Srot 2011-08-11 09:48:52 UTC

Tested with selinux-policy-3.7.19-93.el6_1.7 on i386 platform.

I have successfuly performed following actions:
-service dirsrv-admin restart
-service dirsrv restart

Using redhat-idm-console"
- create directory server instance
- stop/start/restart directory server instance
- remove directory server instance

No AVC nor crashes/freeze.

Anyway I would like to restest it with the new 389 build on x86_64 before switching this bug to VERIFIED.

Comment 20 Nathan Kinder 2011-08-11 14:40:42 UTC

(In reply to comment #18)
> Do you mean that root_t issue is not only selinux related? Because I have
> created a module to allow all root_t issues and also tried it in permissive
> mode. The start up didn't work anyway. If there are some non-selinux issues
> too, it is OK then. But it is definitely selinux fault.

What I mean is that 389-ds-base should not be writing to '/' (root_t) in the first place.  The policy is correct, as dirsrv_t should not be allowed to write to a root_t area.  There was a path creation bug in the 389-admin package that caused us to write to '/' instead of '/tmp', which is what you are seeing on your x86_64 system.

> I would prefer to retest it on a build with the root_t fix. Just to be sure we
> do not realease the update with unresolved issues.

I will let you know as soon as the new 389-admin build is ready.

Comment 21 Nathan Kinder 2011-08-11 21:26:57 UTC

(In reply to comment #19)
> Anyway I would like to restest it with the new 389 build on x86_64 before
> switching this bug to VERIFIED.

The fix is available in 389-admin-1.1.22-1.el6, which can be downloaded from the following location:

  https://brewweb.devel.redhat.com/buildinfo?buildID=175618

Just as an FYI, there may be a newer build available by the time you read this update, as we're working on a 389-admin-1.1.23-1.el6 for a different fix.  Just use the latest that you find available.  These should go into the DS testing repo tonight, but you can grab them from brew if you don't see them in the repo.

Comment 23 errata-xmlrpc 2011-08-22 12:45:50 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1193.html

Note You need to log in before you can comment on or make changes to this bug.