Bug 734431 - rhts selinux module fails to load on RHEL6.0
Alias: None
Product: Beaker
Classification: Community
Component: beah
Version: 0.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Bill Peck
QA Contact:
Depends On:
Reported: 2011-08-30 11:50 UTC by Jan Stancek
Modified: 2019-05-22 13:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-08 02:42:59 UTC


Description Jan Stancek 2011-08-30 11:50:59 UTC
Description of problem:
We recently started to get many AVC errors from the ltp syslog test on RHEL 6.0, just like this one:
type=1400 audit(1314394496.000:252629): avc:  denied  { read append } for  pid=63576 comm="rsyslogd" path="/mnt/testarea/RHEL6KT1LITE.log" dev=dm-0 ino=541457 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file

The files created in /mnt are not of tmp_t type anymore:
touch /mnt/testarea/dummy
ls -laZ /mnt/testarea/dummy 
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   /mnt/testarea/dummy

This is because the rhts.pp selinux module is not loaded:
semodule -l | grep rhts

The loading is most likely attempted, but fails, just like when I try to load it from the command line:
semodule -i /usr/share/selinux/packages/rhts/rhts.pp
libsepol.permission_copy_callback: Module rhts depends on permission read_policy in class security, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

If I rebuild the module from sources on the same host, it loads OK, new files in /mnt/testarea have tmp_t type, and the ltp syslog test does not generate AVCs anymore.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 6.0 (Santiago)

How reproducible:

Steps to Reproduce:
1. install RHEL 6.0 and rhts-test-env-4.38-1.el6eso.noarch
2. check if rhts module is loaded, load if necessary
semodule -l | grep rhts
semodule -i /usr/share/selinux/packages/rhts/rhts.pp
3. try to create dummy file, check its selinux type 
touch /mnt/testarea/dummy
ls -laZ /mnt/testarea/dummy 

Actual results:
-rw-r--r--. root root unconfined_u:object_r:mnt_t:s0   /mnt/testarea/dummy

Expected results:
-rw-r--r--. root root unconfined_u:object_r:tmp_t:s0   /mnt/testarea/dummy

Additional info:
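
Added example (not part of the original report and not Beaker or rhts code): a Python triage helper that parses AVC denial records like the one quoted in the description and flags denials on files under /mnt/testarea whose target type is not tmp_t, the symptom reported when rhts.pp is not loaded. The function names, the prefix and expected-type parameters, and every sample line except the first are constructed for illustration.

```python
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level itself may contain ':'.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":", 3)
        rec[key[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def mislabeled_denials(lines, prefix="/mnt/testarea/", expected="tmp_t"):
    """Denials on files under prefix whose target type is not the expected one."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        # Some records carry name= instead of path=; those are skipped here.
        if rec.get("path", "").startswith(prefix) and rec["ttype"] != expected:
            hits.append((rec.get("comm"), rec["path"], rec["ttype"], rec["perms"]))
    return hits

SAMPLE = [
    # Record quoted in the bug description.
    'type=1400 audit(1314394496.000:252629): avc:  denied  { read append } for  pid=63576 comm="rsyslogd" path="/mnt/testarea/RHEL6KT1LITE.log" dev=dm-0 ino=541457 scontext=unconfined_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file',
    # Constructed: file under the test area that already has the expected type.
    'type=1400 audit(1314394497.000:252630): avc:  denied  { write } for  pid=1201 comm="example" path="/mnt/testarea/ok.log" dev=dm-0 ino=541458 scontext=unconfined_u:system_r:example_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0:c0.c1023 tclass=file',
    # Constructed: denial outside the test area.
    'type=1400 audit(1314394498.000:252631): avc:  denied  { read } for  pid=1202 comm="example" path="/srv/data/report.txt" dev=dm-0 ino=541459 scontext=unconfined_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    # Constructed: an audit line that is not an AVC denial.
    'type=1300 audit(1314394498.000:252631): arch=c000003e syscall=2 success=no',
]

if __name__ == "__main__":
    for comm, path, ttype, perms in mislabeled_denials(SAMPLE):
        print(f"{comm}: {path} is {ttype}, denied {' '.join(perms)}")
```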

Comment 3 Raymond Mancy 2011-09-06 06:33:44 UTC
on beaker-stage:
[root@dev-kvm-guest-03 ~]# semodule -l | grep rhts
rhts	2.0.1

Comment 4 Dan Callaghan 2011-09-08 02:42:59 UTC
Beaker 0.7.1 has been released.
