Bug 739886 - avc: denied { read } for pid=19050 comm="rndc" path="/proc/loadavg"
Summary: avc: denied { read } for pid=19050 comm="rndc" path="/proc/loadavg"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-20 10:34 UTC by Robert Scheck
Modified: 2018-11-14 10:28 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-136.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:24:48 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description Robert Scheck 2011-09-20 10:34:23 UTC
Description of problem:
type=AVC msg=audit(1315704063.389:193228): avc:  denied  { read } for  pid=19050 comm="rndc" path="/proc/loadavg" dev=proc ino=4026532014 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1315704063.389:193228): arch=c000003e syscall=59 success=yes exit=0 a0=101e350 a1=101dfd0 a2=101e660 a3=18 items=0 ppid=19046 pid=19050 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4341 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)

type=AVC msg=audit(1315099084.187:175386): avc:  denied  { read } for  pid=26174 comm="rndc" path="/proc/loadavg" dev=proc ino=4026532014 scontext=system_u:system_r:ndc_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=SYSCALL msg=audit(1315099084.187:175386): arch=c000003e syscall=59 success=yes exit=0 a0=1ab6350 a1=1ab5fd0 a2=1ab6660 a3=18 items=0 ppid=26170 pid=26174 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1470 comm="rndc" exe="/usr/sbin/rndc" subj=system_u:system_r:ndc_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-93.el6_1.7.noarch

How reproducible:
No idea, just happens somehow sometimes.

Expected results:
No AVC denied.

Comment 1 Robert Scheck 2011-09-20 10:37:15 UTC
I've cross-filed this issue as Service Request 00532319.

Comment 3 Miroslav Grepl 2011-09-20 11:02:01 UTC
I added to Fedora, adding to RHEL6.

Comment 4 Milos Malik 2011-09-20 13:05:00 UTC
The AVC contains "success=yes". Could it mean a leaked file descriptor ?

Comment 5 Miroslav Grepl 2011-09-20 13:08:44 UTC
Good catch. I overlooked it. Yes, it looks like a leak.

Do you use confined users? Or a tool when this happens?

Also, what does 

# ps -eZ |grep initrc

Comment 6 Robert Scheck 2011-09-20 15:32:13 UTC
# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0    2742 ?        00:03:16 heartbeat
system_u:system_r:initrc_t:s0    2771 ?        00:00:04 heartbeat
system_u:system_r:initrc_t:s0    2773 ?        00:00:09 heartbeat
system_u:system_r:initrc_t:s0    2775 ?        00:00:04 heartbeat
system_u:system_r:initrc_t:s0    2776 ?        00:00:20 heartbeat
system_u:system_r:initrc_t:s0    2777 ?        00:00:15 heartbeat
system_u:system_r:initrc_t:s0    2779 ?        00:00:22 heartbeat
system_u:system_r:initrc_t:s0    2780 ?        00:00:16 heartbeat
system_u:system_r:initrc_t:s0    3093 ?        00:00:08 ipfail
system_u:system_r:initrc_t:s0    3165 ?        00:00:08 dsm_sa_datamgrd
system_u:system_r:initrc_t:s0    3272 ?        00:00:01 dsm_sa_eventmgr
system_u:system_r:initrc_t:s0    3289 ?        00:00:00 rhnsd
system_u:system_r:initrc_t:s0    3299 ?        00:00:00 rhsmcertd
system_u:system_r:initrc_t:s0    3357 ?        00:00:00 dsm_om_shrsvcd
# 

The line above that AVC denied in audit.log is always logrotate related and 
logrotate is executed by cron which is getting restarted by heartbeat.

/etc/logrotate.d/named contains an "/etc/init.d/named reload" which executes
an "/usr/sbin/rndc reload" again. Could that match?

Comment 7 Miroslav Grepl 2011-09-21 08:45:15 UTC
Ok, so it looks heartbeat is leaking.

Comment 8 Miroslav Grepl 2011-09-21 12:37:31 UTC
Robert,
could you test the policy from the 

https://bugzilla.redhat.com/show_bug.cgi?id=720939#c14

Heartbeat needs to fix this leaking and also we need to add policy for it.

Comment 12 Miroslav Grepl 2012-01-26 08:50:56 UTC
We treat hearbeat with corosync policy.

Fixed in selinux-policy-3.7.19-136.el6

Comment 17 errata-xmlrpc 2012-06-20 12:24:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html


Note You need to log in before you can comment on or make changes to this bug.