Bug 739047 - Update against RHN Live-selinux Test fails
Summary: Update against RHN Live-selinux Test fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: alpha
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-09-16 12:04 UTC by Iveta Wiedermann
Modified: 2012-09-22 07:26 UTC (History)

Fixed In Version: selinux-policy-3.7.19-112.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:19:03 UTC




Links
System ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2011:1511 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2011-12-06 00:39:17 UTC

Description Iveta Wiedermann 2011-09-16 12:04:14 UTC
Description of problem: while tps jobs were running, one of them failed with this message:

Running: /sbin/ausearch -sv no -m AVC -ts 09/16/2011 03:40:17
SELinux Check: FAIL
SELinux AVC messages found:
type=1400 audit(1316158860.115:39690): avc: denied { signull } for pid=21318 comm="who" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=1400 audit(1316158860.255:39691): avc: denied { search } for pid=21321 comm="ps" name="home" dev=sdb1 ino=2129921 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=1400 audit(1316158888.795:39692): avc: denied { name_connect } for pid=2641 comm="polkitd" dest=111 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket


Version-Release number of selected component (if applicable):
# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-93.el6_1.7.noarch
selinux-policy-targeted-3.7.19-93.el6_1.7.noarch
selinux-policy-minimum-3.7.19-93.el6_1.7.noarch
selinux-policy-3.7.19-93.el6_1.7.noarch
selinux-policy-mls-3.7.19-93.el6_1.7.noarch


How reproducible:
Using the scenario below

Steps to Reproduce:
1. Run tps-RHNqa job

  
Actual results:
SELinux AVC messages

Expected results:
No SELinux AVC messages expected

Comment 3 Milos Malik 2011-09-16 12:51:32 UTC
The same problem leads to different AVCs:
----
time->Fri Sep 16 04:11:00 2011
type=SYSCALL msg=audit(1316160660.101:39741): arch=c000003e syscall=62 success=yes exit=0 a0=725d a1=0 a2=1546030 a3=8 items=0 ppid=30359 pid=30360 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4600 comm="who" exe="/usr/bin/who" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316160660.101:39741): avc:  denied  { signull } for  pid=30360 comm="who" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
----
time->Fri Sep 16 05:36:00 2011
type=SYSCALL msg=audit(1316165760.560:384): arch=40000003 syscall=270 success=yes exit=0 a0=4b95 a1=4ba4 a2=6 a3=0 items=0 ppid=1 pid=19364 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2917 comm="gatherd" exe="/usr/sbin/gatherd" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316165760.560:384): avc:  denied  { signal } for  pid=19364 comm="gatherd" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sblim_gatherd_t:s0 tclass=process
----
time->Fri Sep 16 06:23:00 2011
type=SYSCALL msg=audit(1316168580.361:498): arch=40000003 syscall=195 success=yes exit=0 a0=12d7e0 a1=bf8b11ec a2=2ccff4 a3=3 items=0 ppid=19811 pid=19812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2917 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316168580.361:498): avc:  denied  { search } for  pid=19812 comm="ps" name=".vnc" dev=vda2 ino=1529157 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1316168580.361:498): avc:  denied  { search } for  pid=19812 comm="ps" name="test" dev=vda2 ino=1528916 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1316168580.361:498): avc:  denied  { search } for  pid=19812 comm="ps" name="home" dev=vda2 ino=1528913 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
----

Comment 4 Milos Malik 2011-09-16 12:54:20 UTC
Whatever runs these actions, it's pretty invasive:
----
time->Fri Sep 16 06:02:00 2011
type=SYSCALL msg=audit(1316167320.360:30726): arch=80000015 syscall=106 success=yes exit=0 a0=80fd4049a8 a1=ffffea81388 a2=ffffea81388 a3=7fffffff items=0 ppid=12854 pid=12855 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5421 comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:sblim_gatherd_t:s0 key=(null)
type=AVC msg=audit(1316167320.360:30726): avc:  denied  { search } for  pid=12855 comm="ps" name="" dev=0:16 ino=2 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
----
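The AVC records quoted in this report can be triaged by grouping denials by source type, target type and object class, which is the same summary audit2allow builds before emitting allow rules. The following is an added Python example, not code from the bug report or the selinux-policy package; its sample input is constructed from the denials quoted above, and the regexes are assumptions about the audit line format shown here.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines taken from the denials quoted in this report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1316160660.101:39741): avc:  denied  { signull } for  pid=30360 comm="who" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1316165760.560:384): avc:  denied  { signal } for  pid=19364 comm="gatherd" scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=unconfined_u:system_r:sblim_gatherd_t:s0 tclass=process
type=AVC msg=audit(1316168580.361:498): avc:  denied  { search } for  pid=19812 comm="ps" name="home" dev=vda2 ino=1528913 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1316167320.360:30726): avc:  denied  { search } for  pid=12855 comm="ps" name="" dev=0:16 ino=2 scontext=unconfined_u:system_r:sblim_gatherd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1316158888.795:39692): avc: denied { name_connect } for pid=2641 comm="polkitd" dest=111 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
"""

# Assumed line shape: "type=AVC ... avc: denied { perms } for key=value ..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, raw, quoted in KV_RE.findall(m.group('fields')):
        rec[key] = quoted if raw.startswith('"') else raw
    # Keep only the type component of each context (user:role:type:range).
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def summarize(audit_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return summary

def to_rules(summary):
    """Render the summary in SELinux allow-rule form, one rule per key, sorted."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == '__main__':
    for rule in to_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

On a real host the input is the output of `ausearch -m AVC`; the rules are a triage aid for reading which domain is misbehaving, not something to load blindly.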

Comment 5 Miroslav Grepl 2011-09-16 13:04:54 UTC
Ok, sblim needs more fixes.

Not sure why, but this new domain is the only one I did not make an unconfined domain, which I need to fix.

Comment 7 Miroslav Grepl 2011-09-20 15:32:50 UTC
Fixed in selinux-policy-3.7.19-112.el6

Comment 11 errata-xmlrpc 2011-12-06 10:19:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

