Bug 744291 - [RHEL6.2] AVC denied comm="hald-probe-stor" comm="hald-probe-volu"
Summary: [RHEL6.2] AVC denied comm="hald-probe-stor" comm="hald-probe-volu"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-10-07 19:03 UTC by PaulB
Modified: 2014-01-24 14:44 UTC (History)

Fixed In Version: selinux-policy-3.7.19-138.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:24:53 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0780 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2012-06-19 20:34:59 UTC

Description PaulB 2011-10-07 19:03:48 UTC
Description of problem:
 We are seeing the following AVC failure intermittently when running the 
/kernel/storage/iscsi/iscsi-target-ipv4 test.

Version-Release number of selected component (if applicable):
 selinux-policy-3.7.19-113.el6.noarch

How reproducible:
 Intermittently

Steps to Reproduce:
1. Clone the following test job:
   https://beaker.engineering.redhat.com/jobs/139280 
2. The test job will install a target (server) and initiator (client) host
   with basedistro = RHEL6.2-20110923.3 and kernel = 2.6.32-206.el6,
   then run the /kernel/storage/iscsi/iscsi-target-ipv4 test.
  
Actual results:
Following messages were found in dmesg:
type=1400 audit(1317766616.039:287270): avc:  denied  { read } for  pid=4067 comm="hald-probe-stor" name="modules.dep" dev=dm-0 ino=923352 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=1400 audit(1317766616.283:287271): avc:  denied  { read } for  pid=4068 comm="hald-probe-volu" name="modules.dep" dev=dm-0 ino=923352 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=1400 audit(1317766619.350:287272): avc:  denied  { read } for  pid=4163 comm="hald-probe-stor" name="modules.dep" dev=dm-0 ino=923352 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
type=1400 audit(1317766619.504:287273): avc:  denied  { read } for  pid=4166 comm="hald-probe-volu" name="modules.dep" dev=dm-0 ino=923352 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file

Expected results:
 There should be no AVC failure.

Additional info:
 This issue was seen here:
https://beaker.engineering.redhat.com/jobs/139280
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/10/1392/139280/288566/3174348/16851506/test_log--kernel-storage-iscsi-iscsi-target-ipv4-initiator-avc.log

-pbunyan

Comment 2 Miroslav Grepl 2011-10-10 14:02:12 UTC
Could you add your output of

# ls -Z PATHO/modules.dep

# matchpathcon PATHO/modules.dep

Comment 3 Daniel Walsh 2011-10-11 17:07:04 UTC
Looks like it could be a labeling issue.  Is your test script creating these dep files?  If so where are they located, does running restorecon on them change the label?

Comment 4 PaulB 2011-10-12 14:58:23 UTC
(In reply to comment #2)
> Could you add your output of
> 
> # ls -Z PATHO/modules.dep
> 
> # matchpathcon PATHO/modules.dep

Miroslav,
As this issue is intermittent, the test will need to be modified in order to gather this data.

I will contact the test owner and look into modifying the /kernel/storage/iscsi/iscsi-target-ipv4 test.

Best,
-pbunyan

Comment 5 PaulB 2011-10-12 15:06:23 UTC
(In reply to comment #3)
> Looks like it could be a labeling issue. 
    I agree it looks like a labeling issue.
    Can you please tell me what the label is supposed to be.
> Is your test script creating these dep files? 
   No, we are not creating the file modules.dep.
> If so where are they located, does running restorecon on them change the label?
   I have not tried, since this is intermittent during automated testing.


Best,
-pbunyan

Comment 6 Miroslav Grepl 2011-10-12 15:12:53 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > Looks like it could be a labeling issue. 
>     I agree it looks like a labeling issue.
>     Can you please tell me what the label is supposed to be.

# matchpathcon PATHO/modules.dep

> > Is your test script creating these dep files? 
>    No, we are not creating the file modules.dep.
> > If so where are they located, does running restorecon on them change the label?
>    I have not tried, since this is intermittent during automated testing.
> 
> 
> Best,
> -pbunyan

Comment 7 PaulB 2011-10-12 15:29:06 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #3)
> > > Looks like it could be a labeling issue. 
> >     I agree it looks like a labeling issue.
> >     Can you please tell me what the label is supposed to be.
> 
> # matchpathcon PATHO/modules.dep

I know what this returns on my machine, but what is this "suppose to return" on a RHEL 6.2 installed system. 

-pbunyan

Comment 8 Miroslav Grepl 2011-10-12 16:59:44 UTC
matchpathcon returns the default SELinux security context from the policy.

It should be labeled as modules_dep_t.

Comment 9 RHEL Program Management 2011-10-18 18:40:43 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 10 Miroslav Grepl 2011-10-18 18:50:06 UTC
Still looks like a mislabeling issue. Closing as NOTABUG.

Comment 11 PaulB 2011-10-19 14:15:29 UTC
Miroslav,
As this issue is intermittent, it seems like a bug to me.

I modified the kernel/storage/iscsi/iscsi-target-ipv4 test to provide your requested data:
+selinuxcheck(){
+        ls -Z /lib/modules/`uname -r`/modules.dep
+        matchpathcon /lib/modules/`uname -r`/modules.dep
+}

Issue was reproduced here:
https://beaker.engineering.redhat.com/jobs/144495
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2011/10/1444/144495/300552/3313348/17698271/test_log--kernel-storage-iscsi-iscsi-target-ipv4-initiator.log
<-SNIP->
-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 /lib/modules/2.6.32-210.el6.ppc64/modules.dep
/lib/modules/2.6.32-210.el6.ppc64/modules.dep	system_u:object_r:modules_dep_t:s0
<-SNIP->

-pbunyan

Comment 12 Daniel Walsh 2011-10-20 20:22:06 UTC
That looks incorrect to me.  What is creating these files?

Comment 13 Daniel Walsh 2011-10-21 18:05:02 UTC
Miroslav, let's just add

files_read_kernel_modules(hald_t)

And try to figure out why these files are getting the wrong label in Fedora.

Comment 14 Milos Malik 2011-10-24 10:16:07 UTC
I would say that depmod is the culprit:

# rpm -qa selinux-policy\*
selinux-policy-mls-3.7.19-118.el6.noarch
selinux-policy-doc-3.7.19-118.el6.noarch
selinux-policy-3.7.19-118.el6.noarch
selinux-policy-targeted-3.7.19-118.el6.noarch
selinux-policy-minimum-3.7.19-118.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# restorecon -Rv /lib/modules/2.6.32-211.el6.i686/
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ofmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.inputmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ccwmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.pcimap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.seriomap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.usbmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ieee1394map context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.isapnpmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
# depmod -ae
# restorecon -Rv /lib/modules/2.6.32-211.el6.i686/
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ofmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.inputmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ccwmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.pcimap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.alias context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.seriomap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.usbmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.symbols.bin context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.ieee1394map context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.dep context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
restorecon reset /lib/modules/2.6.32-211.el6.i686/modules.isapnpmap context unconfined_u:object_r:modules_object_t:s0->unconfined_u:object_r:modules_dep_t:s0
#

Comment 15 Milos Malik 2011-10-24 10:17:52 UTC
After reboot I saw the following AVCs:
----
time->Mon Oct 24 12:00:35 2011
type=PATH msg=audit(1319450435.031:11125): item=0 name="/lib/modules/2.6.32-211.el6.i686/modules.dep" inode=83316 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0
type=CWD msg=audit(1319450435.031:11125):  cwd="/usr/libexec"
type=SYSCALL msg=audit(1319450435.031:11125): arch=40000003 syscall=5 success=no exit=-13 a0=bf9719b6 a1=8000 a2=1b6 a3=a77e8d items=1 ppid=1411 pid=1454 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-volu" exe="/usr/libexec/hald-probe-volume" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1319450435.031:11125): avc:  denied  { read } for  pid=1454 comm="hald-probe-volu" name="modules.dep" dev=dm-0 ino=83316 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----
time->Mon Oct 24 12:00:34 2011
type=PATH msg=audit(1319450434.795:11124): item=0 name="/lib/modules/2.6.32-211.el6.i686/modules.dep" inode=83316 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:modules_object_t:s0
type=CWD msg=audit(1319450434.795:11124):  cwd="/usr/libexec"
type=SYSCALL msg=audit(1319450434.795:11124): arch=40000003 syscall=5 success=no exit=-13 a0=bf9cb246 a1=8000 a2=1b6 a3=a77e8d items=1 ppid=1411 pid=1440 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hald-probe-stor" exe="/usr/libexec/hald-probe-storage" subj=system_u:system_r:hald_t:s0 key=(null)
type=AVC msg=audit(1319450434.795:11124): avc:  denied  { read } for  pid=1440 comm="hald-probe-stor" name="modules.dep" dev=dm-0 ino=83316 scontext=system_u:system_r:hald_t:s0 tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file
----

Comment 16 Miroslav Grepl 2011-10-24 10:42:49 UTC
Good catch. 

This means the modules.dep is re-created by depmod which is running in the unconfined_t domain in this case.

This is fixed by file name transition in Fedora. Not sure how we should handle this in RHEL6, probably just add the rule.

We have

modutils_run_depmod(sysadm_t, sysadm_r)

So

modutils_run_depmod(unconfined_t, unconfined_r)

could be tested.
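
As an added example (not code from this bug report or from the selinux-policy project), a Python check that turns the evidence in comments 11, 14 and 15 into a reusable detector: it parses an AVC denial into its source and target types, and compares the on-disk label from `ls -Z` against the policy default from `matchpathcon` to flag files that depmod left labeled modules_object_t instead of modules_dep_t. The sample lines are constructed to match the shape of the output quoted above, and paths are assumed to contain no whitespace.

```python
import re

# Constructed sample lines, shaped like the output quoted in this bug.
SAMPLE_AVC = (
    'type=1400 audit(1317766616.039:287270): avc:  denied  { read } for  '
    'pid=4067 comm="hald-probe-stor" name="modules.dep" dev=dm-0 ino=923352 '
    'scontext=system_u:system_r:hald_t:s0 '
    'tcontext=unconfined_u:object_r:modules_object_t:s0 tclass=file'
)
SAMPLE_LS_Z = ('-rw-r--r--. root root unconfined_u:object_r:modules_object_t:s0 '
               '/lib/modules/2.6.32-210.el6.ppc64/modules.dep')
SAMPLE_MATCHPATHCON = ('/lib/modules/2.6.32-210.el6.ppc64/modules.dep\t'
                       'system_u:object_r:modules_dep_t:s0')

# key=value pairs as printed by the audit subsystem (values may be quoted)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:TYPE:level SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-denial lines."""
    if not re.search(r'avc:\s+denied', line):
        return None
    perms = re.search(r'\{\s*([^}]*?)\s*\}', line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        'perms': perms.group(1).split() if perms else [],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
    }


def label_mismatch(ls_z_line, matchpathcon_line):
    """Compare the on-disk type (ls -Z) with the policy default (matchpathcon).
    Return (path, actual_type, expected_type) when they differ, else None."""
    fields = ls_z_line.split()
    actual = context_type(next(f for f in fields if f.count(':') >= 3))
    path, expected_ctx = matchpathcon_line.rsplit(None, 1)
    expected = context_type(expected_ctx)
    if actual == expected:
        return None
    return (path, actual, expected)
```

Feeding the AVC records from `ausearch -m avc` and the two commands from comment 11 through these functions separates a genuine missing policy rule (types agree, access still denied) from label drift (types disagree, restorecon fixes it).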

Comment 17 Miroslav Grepl 2011-10-25 16:22:58 UTC
Paul,
try to test it with the latest -119 release from brew.

Comment 27 errata-xmlrpc 2012-06-20 12:24:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

