Bug 736388 - SELinux is preventing /usr/sbin/pulse from executing /usr/sbin/fos
Summary: SELinux is preventing /usr/sbin/pulse from executing /usr/sbin/fos
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-07 15:06 UTC by Milos Malik
Modified: 2012-09-21 08:32 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:18:29 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Milos Malik 2011-09-07 15:06:26 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-109.el6.noarch
selinux-policy-targeted-3.7.19-109.el6.noarch
selinux-policy-minimum-3.7.19-109.el6.noarch
selinux-policy-mls-3.7.19-109.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. get a fresh RHEL-6.2 machine
2. log in as root via ssh
3. run following automated test:
/CoreOS/selinux-policy/Regression/bz584451-piranha-and-ipvsadm
  
Actual results:
----
time->Wed Sep  7 11:03:16 2011
type=SYSCALL msg=audit(1315407796.572:325736): arch=c000003e syscall=59 success=no exit=-13 a0=40d219 a1=7fff81e4d3d0 a2=7fff81e4df58 a3=7f75952999d0 items=0 ppid=23164 pid=15173 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=55 comm="pulse" exe="/usr/sbin/pulse" subj=unconfined_u:system_r:piranha_pulse_t:s0 key=(null)
type=AVC msg=audit(1315407796.572:325736): avc:  denied  { execute } for  pid=15173 comm="pulse" name="fos" dev=dm-0 ino=1449036 scontext=unconfined_u:system_r:piranha_pulse_t:s0 tcontext=system_u:object_r:piranha_fos_exec_t:s0 tclass=file
----

Expected results:
* no AVCs
Comment 1 Miroslav Grepl 2011-09-07 15:10:44 UTC 
I am fixing a bug in the policy.
Comment 2 Miroslav Grepl 2011-09-08 14:29:40 UTC 
Fixed in   selinux-policy-3.7.19-110.el6
Comment 4 Miroslav Grepl 2011-09-14 11:39:39 UTC 
Is this a default port?
Comment 5 Milos Malik 2011-09-14 12:13:59 UTC 
# rpm -qf /etc/sysconfig/ha/web/secure/help.php
piranha-0.8.5-7.el6.x86_64
# rpm -V piranha
# grep -A 3 -i "heartbeat runs on port" /etc/sysconfig/ha/web/secure/help.php 
Heartbeat runs on port:
        It is possible to alter the port that heartbeat runs on. The default
        if not set is 1050. Normally you should not have to touch this.
</PRE>
#
Comment 6 Daniel Walsh 2011-09-15 14:53:20 UTC 
cma             1050/udp                # CORBA Management Agent
Comment 7 Daniel Walsh 2011-09-15 14:53:55 UTC 
We currently have 

corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
corenet_udp_bind_cma_port(piranha_pulse_t)


Should we label this port as either of these?
Comment 8 Miroslav Grepl 2011-09-15 17:02:55 UTC 
(In reply to comment #7)
> We currently have 
> 
> corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
> corenet_udp_bind_cma_port(piranha_pulse_t)

This is a fix which I added to Fedora. Will add to RHEL6.
> 
> 
> Should we label this port as either of these?
Comment 11 errata-xmlrpc 2011-12-06 10:18:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
Note You need to log in before you can comment on or make changes to this bug.