735729 – SELinux is preventing /bin/cp from relabelfrom operation on the file rng_update.lock

Bug 735729 - SELinux is preventing /bin/cp from relabelfrom operation on the file rng_update.lock

Summary: SELinux is preventing /bin/cp from relabelfrom operation on the file rng_upda...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-09-05 08:28 UTC by Milos Malik
Modified:	2012-11-23 21:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-3.7.19-110.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:18:17 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Milos Malik 2011-09-05 08:28:37 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-109.el6.noarch
selinux-policy-targeted-3.7.19-109.el6.noarch
selinux-policy-doc-3.7.19-109.el6.noarch
selinux-policy-mls-3.7.19-109.el6.noarch
selinux-policy-minimum-3.7.19-109.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get fresh RHEL-6.2 machine
2. turn off firewall
3. run following automated test
/CoreOS/selinux-policy/bugzillas/288771

Actual results:
----
type=PATH msg=audit(09/05/2011 10:15:14.005:26655) : item=0 name=(null) inode=34764 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:corosync_tmp_t:s0 
type=SYSCALL msg=audit(09/05/2011 10:15:14.005:26655) : arch=i386 syscall=fsetxattr success=no exit=-13(Permission denied) a0=4 a1=bfa71370 a2=958dad8 a3=2b items=1 ppid=26662 pid=26696 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty2 ses=1 comm=cp exe=/bin/cp subj=unconfined_u:system_r:corosync_t:s0 key=(null) 
type=AVC msg=audit(09/05/2011 10:15:14.005:26655) : avc:  denied  { relabelfrom } for  pid=26696 comm=cp name=rng_update.lock dev=dm-0 ino=34764 scontext=unconfined_u:system_r:corosync_t:s0 tcontext=unconfined_u:object_r:corosync_tmp_t:s0 tclass=file 
----

Expected results:
* no AVCs

Comment 1 Milos Malik 2011-09-05 08:34:25 UTC

More AVCs of the same kind appear during the run of the automated test. They differ in file name fields:
cluster.rng
fence_agents.rng.cache
fence_agents.rng.hash
resources.rng.cache
resources.rng.hash

Comment 2 Miroslav Grepl 2011-09-05 10:31:30 UTC

I added a fix to Fedora. Will backport.

Comment 3 Miroslav Grepl 2011-09-08 14:30:39 UTC

Fixed in selinux-policy-3.7.19-110.el6

Comment 6 errata-xmlrpc 2011-12-06 10:18:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.