Bug 735729 - SELinux is preventing /bin/cp from relabelfrom operation on the file rng_update.lock
Summary: SELinux is preventing /bin/cp from relabelfrom operation on the file rng_upda...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-05 08:28 UTC by Milos Malik
Modified: 2012-11-23 21:07 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-3.7.19-110.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:18:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Milos Malik 2011-09-05 08:28:37 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-109.el6.noarch
selinux-policy-targeted-3.7.19-109.el6.noarch
selinux-policy-doc-3.7.19-109.el6.noarch
selinux-policy-mls-3.7.19-109.el6.noarch
selinux-policy-minimum-3.7.19-109.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get fresh RHEL-6.2 machine
2. turn off firewall
3. run following automated test
/CoreOS/selinux-policy/bugzillas/288771

Actual results:
----
type=PATH msg=audit(09/05/2011 10:15:14.005:26655) : item=0 name=(null) inode=34764 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0 
type=SYSCALL msg=audit(09/05/2011 10:15:14.005:26655) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfa71370 a2=958dad8 a3=2b items=1 ppid=26662 pid=26696 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty2 ses=1 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null) 
type=AVC msg=audit(09/05/2011 10:15:14.005:26655) : avc:  denied  { relabelfrom } for  pid=26696 comm=cp name=rng_update.lock dev=dm-0 ino=34764 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file 
----

Expected results:
* no AVCs

Comment 1 Milos Malik 2011-09-05 08:34:25 UTC
More AVCs of the same kind appear during the run of the automated test. They differ in file name fields:
cluster.rng
fence_agents.rng.cache
fence_agents.rng.hash
resources.rng.cache
resources.rng.hash

Comment 2 Miroslav Grepl 2011-09-05 10:31:30 UTC
I added a fix to Fedora. Will backport.

Comment 3 Miroslav Grepl 2011-09-08 14:30:39 UTC
Fixed in selinux-policy-3.7.19-110.el6

Comment 6 errata-xmlrpc 2011-12-06 10:18:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.