Bug 745531 - Cloudform need SELinux policies support
Summary: Cloudform need SELinux policies support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 750914 752757
Reported: 2011-10-12 15:48 UTC by Francesco Vollero
Modified: 2015-01-04 23:51 UTC (History)
CC List: 8 users

Fixed In Version: selinux-policy-3.7.19-122.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:19:55 UTC
Target Upstream Version:
Embargoed:


Attachments
cloudform policy (20.00 KB, application/x-tar), 2011-10-18 16:43 UTC, Miroslav Grepl
Updated cloudform policies (20.00 KB, application/x-tar), 2011-10-20 12:03 UTC, Miroslav Grepl
aeolus-configure -p mock (1.68 KB, text/plain), 2011-10-21 16:54 UTC, wes hayutin
automation log (205.87 KB, text/plain), 2011-11-02 18:30 UTC, wes hayutin


Links
Red Hat Product Errata RHBA-2011:1511: selinux-policy bug fix and enhancement update (priority normal, status SHIPPED_LIVE), last updated 2011-12-06 00:39:17 UTC

Description Francesco Vollero 2011-10-12 15:48:04 UTC
We see that our Cloudform daemons are running in initrc_t.

Comment 2 Miroslav Grepl 2011-10-12 18:23:15 UTC
ok, we have policies for deltacloud, thin, mongod, iwhd services. But these policies need to be tested by Cloudform QA guys.

Comment 5 wes hayutin 2011-10-17 15:11:11 UTC
I've installed some patches from Francesco and my sanity tests pass w/ selinux enforced.  We have tests lined up and we're ready to go.

Comment 6 Miroslav Grepl 2011-10-17 20:40:00 UTC
Ok, we need to sort this bug out.

Yes, we have added some fixes which make AEOLUS work, but this bug is about cloudform daemons running as initrc_t.

So you just execute

# ps -eZ |grep initrc

and you will see.

I am fine with moving this to RHEL6.3, since everything should work in enforcing mode, and adding confinement for the cloudform daemons in RHEL6.3?

Comment 7 Hugh Brock 2011-10-18 15:26:44 UTC
Clearly we can't ship services that run on boot in initrc_t context. They need to be confined properly for a production app that protects potentially sensitive customer data like the image warehouse.

Comment 10 Miroslav Grepl 2011-10-18 16:43:53 UTC
Created attachment 528847 [details]
cloudform policy

I attached cloudform policy which contains policy for cloud daemons.

If we add this policy to RHEL6.2, I will add them as unconfined. But I would like to see if I need to add some new types for files, directories and so on, and if all services are running in their contexts.

For QA:

Just download, extract the archive and run

# sh cloudform.sh
# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
# service auditd restart

and you can start/restart services and test them. Then I need to see outputs of

# ps -eZ |grep initrc

# ausearch -m avc -ts recent

Comment 12 wes hayutin 2011-10-19 15:55:44 UTC
FYI.. I have not installed the same policy rpms that I received from Francesco Vollero. What's not clear to me is whether or not to install the same rpms that Francesco gave me and run this shell script.

Can someone please clarify

10.11.230.102  

[root@unused ~]# getenforce 
Enforcing
[root@unused ~]# sh cloudform.sh 
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted cloudform module
/usr/bin/checkmodule:  loading policy configuration from tmp/cloudform.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/cloudform.mod
Creating targeted cloudform.pp policy package
rm tmp/cloudform.mod.fc tmp/cloudform.mod
+ /usr/sbin/semodule -i cloudform.pp
+ /sbin/restorecon -F -R -v /usr/bin/iwhd
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/iwhd
+ /sbin/restorecon -F -R -v /var/run/iwhd.pid
+ /sbin/restorecon -F -R -v /var/lib/iwhd
+ /sbin/restorecon -F -R -v /usr/bin/deltacloudd
+ /sbin/restorecon -F -R -v /usr/bin/mongod
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/mongod
+ /sbin/restorecon -F -R -v /var/lib/mongodb
+ /sbin/restorecon -F -R -v /var/log/mongodb
+ /sbin/restorecon -F -R -v /var/run/mongodb
+ /sbin/restorecon -F -R -v /usr/bin/thin
[root@unused ~]# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
[root@unused ~]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
[root@unused ~]# ps -eZ | grep initrc
system_u:system_r:initrc_t:s0    8095 ?        00:00:00 rhsmcertd
[root@unused ~]# ausearch -m avc -ts recent
<no matches>
[root@unused ~]# 



aeolus-configure -d -v -p ec2
during aeolus-configure... got the following denials..

[root@unused ~]# tail -f /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1319039312.122:62237): avc:  denied  { read } for  pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.122:62237): avc:  denied  { open } for  pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.219:62240): avc:  denied  { execmem } for  pid=9189 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { search } for  pid=9536 comm="thin" name="pki" dev=dm-0 ino=392492 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { read } for  pid=9536 comm="thin" name="cert.pem" dev=dm-0 ino=392496 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { read } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { open } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.136:62265): avc:  denied  { getattr } for  pid=9536 comm="thin" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file

*************************************************
[root@unused ~]# ausearch -m avc -ts recent
----
time->Wed Oct 19 11:48:32 2011
type=PATH msg=audit(1319039312.122:62237): item=0 name="/dev/urandom" inode=3640 dev=00:05 mode=020666 ouid=0 ogid=0 rdev=01:09 obj=system_u:object_r:urandom_device_t:s0
type=CWD msg=audit(1319039312.122:62237):  cwd="/"
type=SYSCALL msg=audit(1319039312.122:62237): arch=c000003e syscall=2 success=yes exit=3 a0=7dcd42 a1=0 a2=1b6 a3=0 items=1 ppid=9185 pid=9186 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=5 comm="mongod" exe="/usr/bin/mongod" subj=unconfined_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1319039312.122:62237): avc:  denied  { open } for  pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.122:62237): avc:  denied  { read } for  pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Wed Oct 19 11:48:32 2011
type=SYSCALL msg=audit(1319039312.219:62240): arch=c000003e syscall=9 success=yes exit=140714481811456 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=9189 auid=0 uid=498 gid=496 euid=498 suid=498 fsuid=498 egid=496 sgid=496 fsgid=496 tty=(none) ses=5 comm="mongod" exe="/usr/bin/mongod" subj=unconfined_u:system_r:mongod_t:s0 key=(null)
type=AVC msg=audit(1319039312.219:62240): avc:  denied  { execmem } for  pid=9189 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
----
time->Wed Oct 19 11:49:18 2011
type=PATH msg=audit(1319039358.135:62264): item=0 name="/etc/pki/tls/cert.pem" inode=392498 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0
type=CWD msg=audit(1319039358.135:62264):  cwd="/"
type=SYSCALL msg=audit(1319039358.135:62264): arch=c000003e syscall=2 success=yes exit=3 a0=7fc5856b5623 a1=0 a2=1b6 a3=0 items=1 ppid=9533 pid=9536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="thin" exe="/usr/bin/ruby" subj=unconfined_u:system_r:thin_t:s0 key=(null)
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { open } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { read } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { read } for  pid=9536 comm="thin" name="cert.pem" dev=dm-0 ino=392496 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { search } for  pid=9536 comm="thin" name="pki" dev=dm-0 ino=392492 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:18 2011
type=SYSCALL msg=audit(1319039358.136:62265): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff688971c0 a2=7fff688971c0 a3=7fff688970b0 items=0 ppid=9533 pid=9536 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="thin" exe="/usr/bin/ruby" subj=unconfined_u:system_r:thin_t:s0 key=(null)
type=AVC msg=audit(1319039358.136:62265): avc:  denied  { getattr } for  pid=9536 comm="thin" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
----
time->Wed Oct 19 11:49:29 2011
type=PATH msg=audit(1319039369.337:62270): item=1 name=(null) inode=17741 dev=00:14 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:autofs_t:s0
type=PATH msg=audit(1319039369.337:62270): item=0 name="./net/ssh.rb"
type=CWD msg=audit(1319039369.337:62270):  cwd="/"
type=SYSCALL msg=audit(1319039369.337:62270): arch=c000003e syscall=4 success=no exit=-2 a0=7fe5d6c5a420 a1=7fff306a7c60 a2=7fff306a7c60 a3=8 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039369.337:62270): avc:  denied  { search } for  pid=9587 comm="deltacloudd" name="/" dev=autofs ino=17741 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:30 2011
type=SOCKADDR msg=audit(1319039370.469:62271): saddr=0A000BBA000000000000000000000000000000000000000100000000
type=SYSCALL msg=audit(1319039370.469:62271): arch=c000003e syscall=42 success=no exit=-115 a0=a a1=babac0 a2=1c a3=7fff68818e10 items=0 ppid=1 pid=9540 auid=0 uid=451 gid=451 euid=451 suid=451 fsuid=451 egid=451 sgid=451 fsgid=451 tty=(none) ses=5 comm="thin" exe="/usr/bin/ruby" subj=unconfined_u:system_r:thin_t:s0 key=(null)
type=AVC msg=audit(1319039370.469:62271): avc:  denied  { name_connect } for  pid=9540 comm="thin" dest=3002 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 19 11:49:31 2011
type=PATH msg=audit(1319039371.087:62272): item=1 name="/var/log/iwhd.log" inode=133123 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0
type=PATH msg=audit(1319039371.087:62272): item=0 name="/var/log/" inode=131639 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0
type=CWD msg=audit(1319039371.087:62272):  cwd="/"
type=SYSCALL msg=audit(1319039371.087:62272): arch=c000003e syscall=2 success=yes exit=5 a0=7fff41cbff7b a1=441 a2=1b6 a3=7fff41cbd960 items=2 ppid=1 pid=9625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="iwhd" exe="/usr/bin/iwhd" subj=unconfined_u:system_r:iwhd_t:s0 key=(null)
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { create } for  pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { add_name } for  pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { write } for  pid=9625 comm="iwhd" name="log" dev=dm-0 ino=131639 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:31 2011
type=SOCKADDR msg=audit(1319039371.089:62273): saddr=020069897F0000010000000000000000
type=SYSCALL msg=audit(1319039371.089:62273): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff41cbd7e8 a2=10 a3=7f99cdb3e9f0 items=0 ppid=1 pid=9628 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="iwhd" exe="/usr/bin/iwhd" subj=unconfined_u:system_r:iwhd_t:s0 key=(null)
type=AVC msg=audit(1319039371.089:62273): avc:  denied  { name_connect } for  pid=9628 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 19 11:49:31 2011
type=SOCKADDR msg=audit(1319039371.089:62274): saddr=02002382000000000000000000000000
type=SYSCALL msg=audit(1319039371.089:62274): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff41cbdb60 a2=10 a3=7fff41cbd860 items=0 ppid=1 pid=9625 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="iwhd" exe="/usr/bin/iwhd" subj=unconfined_u:system_r:iwhd_t:s0 key=(null)
type=AVC msg=audit(1319039371.089:62274): avc:  denied  { name_bind } for  pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.876:62288): item=1 name="/var/tmp/deltacloud-mock-nobody" inode=133113 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=PATH msg=audit(1319039382.876:62288): item=0 name="/var/tmp/" inode=130905 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=CWD msg=audit(1319039382.876:62288):  cwd="/"
type=SYSCALL msg=audit(1319039382.876:62288): arch=c000003e syscall=83 success=yes exit=0 a0=2c148e0 a1=1ff a2=2c148ff a3=7fff306a1350 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.876:62288): avc:  denied  { create } for  pid=9587 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319039382.876:62288): avc:  denied  { add_name } for  pid=9587 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319039382.876:62288): avc:  denied  { write } for  pid=9587 comm="deltacloudd" name="tmp" dev=dm-0 ino=130905 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.877:62289): item=1 name="/var/tmp/deltacloud-mock-nobody/storage_snapshots" inode=133114 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=PATH msg=audit(1319039382.877:62289): item=0 name="/var/tmp/deltacloud-mock-nobody/" inode=133113 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=CWD msg=audit(1319039382.877:62289):  cwd="/"
type=SYSCALL msg=audit(1319039382.877:62289): arch=c000003e syscall=83 success=yes exit=0 a0=2c152b0 a1=1ff a2=2c152e1 a3=8 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.877:62289): avc:  denied  { add_name } for  pid=9587 comm="deltacloudd" name="storage_snapshots" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319039382.877:62289): avc:  denied  { write } for  pid=9587 comm="deltacloudd" name="deltacloud-mock-nobody" dev=dm-0 ino=133113 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.877:62290): item=1 name="/var/tmp/deltacloud-mock-nobody/storage_snapshots/snap3.yml" inode=133115 dev=fd:00 mode=0100644 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=PATH msg=audit(1319039382.877:62290): item=0 name="/var/tmp/deltacloud-mock-nobody/storage_snapshots/" inode=133114 dev=fd:00 mode=040755 ouid=99 ogid=99 rdev=00:00 obj=unconfined_u:object_r:tmp_t:s0
type=CWD msg=audit(1319039382.877:62290):  cwd="/"
type=SYSCALL msg=audit(1319039382.877:62290): arch=c000003e syscall=2 success=yes exit=4 a0=2c16960 a1=241 a2=81a4 a3=7fff30693e10 items=2 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.877:62290): avc:  denied  { write open } for  pid=9587 comm="deltacloudd" name="snap3.yml" dev=dm-0 ino=133115 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1319039382.877:62290): avc:  denied  { create } for  pid=9587 comm="deltacloudd" name="snap3.yml" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Wed Oct 19 11:49:42 2011
type=SYSCALL msg=audit(1319039382.881:62291): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff30693e90 a2=7fff30693e90 a3=238 items=0 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.881:62291): avc:  denied  { getattr } for  pid=9587 comm="deltacloudd" path="/var/tmp/deltacloud-mock-nobody/storage_snapshots/snap3.yml" dev=dm-0 ino=133115 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
----
time->Wed Oct 19 11:49:42 2011
type=SYSCALL msg=audit(1319039382.887:62292): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.887:62292): avc:  denied  { create } for  pid=9587 comm="deltacloudd" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:system_r:deltacloudd_t:s0 tclass=unix_dgram_socket
----
time->Wed Oct 19 11:49:42 2011
type=PATH msg=audit(1319039382.887:62293): item=0 name=(null) inode=12101 dev=00:05 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:devlog_t:s0
type=SOCKADDR msg=audit(1319039382.887:62293): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1319039382.887:62293): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fe5d5e8d1a0 a2=6e a3=0 items=1 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.887:62293): avc:  denied  { sendto } for  pid=9587 comm="deltacloudd" path="/dev/log" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1319039382.887:62293): avc:  denied  { write } for  pid=9587 comm="deltacloudd" name="log" dev=devtmpfs ino=12101 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1319039382.887:62293): avc:  denied  { connect } for  pid=9587 comm="deltacloudd" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:system_r:deltacloudd_t:s0 tclass=unix_dgram_socket
----
time->Wed Oct 19 11:49:42 2011
type=SYSCALL msg=audit(1319039382.979:62294): arch=c000003e syscall=44 success=yes exit=100 a0=3 a1=2b04280 a2=64 a3=4000 items=0 ppid=1 pid=9587 auid=0 uid=99 gid=99 euid=99 suid=99 fsuid=99 egid=99 sgid=99 fsgid=99 tty=(none) ses=5 comm="deltacloudd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:deltacloudd_t:s0 key=(null)
type=AVC msg=audit(1319039382.979:62294): avc:  denied  { write } for  pid=9587 comm="deltacloudd" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:system_r:deltacloudd_t:s0 tclass=unix_dgram_socket
[root@unused ~]#
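
The denials above are exactly the input a policy author works from, so here is a worked example of reading them, added for this page and not part of the bug, of selinux-policy, or of the cloudform policy attached in comment 10. It parses the raw `type=AVC` lines pasted in comment 12 (copied verbatim into SAMPLE_AVCS, one representative line per event) and the `ps -eZ | grep initrc` row from the same comment (the other SAMPLE_PS rows are constructed), groups the denials into the `allow` rules that `audit2allow` (shipped in policycoreutils-python, which the yum transaction in comment 13 pulls in) would print, and attaches a reviewer note to the ones that should not be allowed as written. The `review()` heuristics (execmem, generic `port_t`, writes into generic types such as `tmp_t` and `var_log_t`) and the `<type>_port_t` placeholder are the editor's own rules of thumb, not Red Hat's.

```python
"""Triage SELinux AVC denials the way a policy author reads them.

Added example, not part of bug 745531 or of selinux-policy: groups raw
audit.log AVC lines into allow rules (what audit2allow prints) and flags
the ones that need a policy decision rather than a plain allow.
"""
import re
from collections import defaultdict

# Denial lines copied from comment 12 (one representative line per event).
SAMPLE_AVCS = """\
type=AVC msg=audit(1319039312.122:62237): avc:  denied  { read } for  pid=9186 comm="mongod" name="urandom" dev=devtmpfs ino=3640 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319039312.219:62240): avc:  denied  { execmem } for  pid=9189 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=AVC msg=audit(1319039358.135:62264): avc:  denied  { read } for  pid=9536 comm="thin" name="ca-bundle.crt" dev=dm-0 ino=392498 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1319039370.469:62271): avc:  denied  { name_connect } for  pid=9540 comm="thin" dest=3002 scontext=unconfined_u:system_r:thin_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319039371.087:62272): avc:  denied  { create } for  pid=9625 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1319039371.089:62273): avc:  denied  { name_connect } for  pid=9628 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319039371.089:62274): avc:  denied  { name_bind } for  pid=9625 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319039382.877:62290): avc:  denied  { write open } for  pid=9587 comm="deltacloudd" name="snap3.yml" dev=dm-0 ino=133115 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
"""

# `ps -eZ` rows: the rhsmcertd row is from comment 12, the others are constructed.
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    8095 ?        00:00:00 rhsmcertd
unconfined_u:system_r:mongod_t:s0 9189 ?        00:00:00 mongod
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)"
    r".*?tcontext=(?P<tcon>\S+)"
    r".*?tclass=(?P<tclass>\w+)"
)
PORT_RE = re.compile(r"\b(?:dest|src)=(\d+)")
COMM_RE = re.compile(r'comm="([^"]*)"')

# Generic types a confined daemon should not get write access to: the fix is a
# private type plus a file transition, not an allow rule (editor's heuristic).
GENERIC_TYPES = {"tmp_t", "var_log_t", "var_t", "var_lib_t", "etc_t", "usr_t"}
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "rename"}


def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    port = PORT_RE.search(line)
    comm = COMM_RE.search(line)
    return {
        "perms": frozenset(m.group("perms").split()),
        # a context is user:role:type:level; policy rules are written on the type
        "sdom": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "port": int(port.group(1)) if port else None,
        "comm": comm.group(1) if comm else None,
    }


def group_denials(lines):
    """Merge denials into {(source domain, target type, class): set(perms)}."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            groups[(d["sdom"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(groups)


def to_allow_rules(groups):
    """Render grouped denials as TE allow rules, the form audit2allow prints."""
    return [
        f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (sdom, ttype, tclass), perms in sorted(groups.items())
    ]


def review(denial):
    """Return a note when allowing the denial as written would weaken the policy."""
    sdom, ttype, tclass = denial["sdom"], denial["ttype"], denial["tclass"]
    if "execmem" in denial["perms"]:
        return f"{sdom}: execmem asks for writable+executable memory; confirm the program needs it before allowing"
    if ttype == "port_t" and tclass == "tcp_socket":
        return (f"{sdom}: port {denial['port']} is unlabelled (port_t); label it with "
                f"'semanage port -a -t <type>_port_t -p tcp {denial['port']}' instead of allowing port_t")
    if ttype in GENERIC_TYPES and denial["perms"] & WRITE_PERMS:
        return f"{sdom}: writes into generic {ttype}; give it a private type and a file transition instead"
    return None


def risky_denials(lines):
    """Notes for every denial that needs a policy decision rather than a plain allow."""
    notes = []
    for line in lines:
        d = parse_avc(line)
        note = review(d) if d else None
        if note:
            notes.append(note)
    return notes


def unconfined_daemons(ps_output, domain="initrc_t"):
    """Process names from `ps -eZ` output still running in `domain` (this bug's symptom)."""
    found = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].count(":") < 3:
            continue  # header row or malformed line
        if parts[0].split(":")[2] == domain:
            found.append(parts[-1])
    return found


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    print("\n".join(to_allow_rules(group_denials(lines)) + risky_denials(lines)))
    print("still in initrc_t:", unconfined_daemons(SAMPLE_PS))
```

Run against the sample, the eight denials collapse to seven allow rules (the two iwhd port denials merge into `allow iwhd_t port_t:tcp_socket { name_bind name_connect };`), and six of them get a note: only the urandom read and the CA-bundle read are the kind of rule you would accept verbatim. That matches the point of comment 10: the aim is to find out which new types (ports, log files, tmp directories) the daemons need, not to paste audit2allow output into the module.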

Comment 13 wes hayutin 2011-10-19 16:45:58 UTC
same thing w/ the rpms supplied by fvollero

[root@dhcp231-79 selinux]# ls -ltra
total 8472
-rw-r--r--. 1 root root 2366844 Sep 29 08:10 selinux-policy-mls-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root  511032 Sep 29 08:10 selinux-policy-doc-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root 2579860 Sep 29 08:10 selinux-policy-targeted-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root  784464 Sep 29 08:10 selinux-policy-3.7.19-114.el6.noarch.rpm
-rw-r--r--. 1 root root 2420212 Sep 29 08:10 selinux-policy-minimum-3.7.19-114.el6.noarch.rpm
dr-xr-x---. 3 root root    4096 Oct 19 12:22 ..
drwxr-xr-x. 2 root root    4096 Oct 19 12:23 .
[root@dhcp231-79 selinux]# yum localinstall *
Loaded plugins: product-id, subscription-manager
Updating Red Hat repositories.
Setting up Local Package Process
Examining selinux-policy-3.7.19-114.el6.noarch.rpm: selinux-policy-3.7.19-114.el6.noarch
Marking selinux-policy-3.7.19-114.el6.noarch.rpm as an update to selinux-policy-3.7.19-93.el6.noarch
rhel6                                                    | 4.0 kB     00:00     
rhel6/primary_db                                         | 3.0 MB     00:00     
rhel6-optional                                           | 3.8 kB     00:00     
rhel6-optional/primary_db                                | 1.3 MB     00:00     
Examining selinux-policy-doc-3.7.19-114.el6.noarch.rpm: selinux-policy-doc-3.7.19-114.el6.noarch
Marking selinux-policy-doc-3.7.19-114.el6.noarch.rpm to be installed
Examining selinux-policy-minimum-3.7.19-114.el6.noarch.rpm: selinux-policy-minimum-3.7.19-114.el6.noarch
Marking selinux-policy-minimum-3.7.19-114.el6.noarch.rpm to be installed
Examining selinux-policy-mls-3.7.19-114.el6.noarch.rpm: selinux-policy-mls-3.7.19-114.el6.noarch
Marking selinux-policy-mls-3.7.19-114.el6.noarch.rpm to be installed
Examining selinux-policy-targeted-3.7.19-114.el6.noarch.rpm: selinux-policy-targeted-3.7.19-114.el6.noarch
Marking selinux-policy-targeted-3.7.19-114.el6.noarch.rpm as an update to selinux-policy-targeted-3.7.19-93.el6.noarch
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.7.19-93.el6 will be updated
---> Package selinux-policy.noarch 0:3.7.19-114.el6 will be an update
---> Package selinux-policy-doc.noarch 0:3.7.19-114.el6 will be installed
---> Package selinux-policy-minimum.noarch 0:3.7.19-114.el6 will be installed
--> Processing Dependency: policycoreutils-python >= 2.0.78-1 for package: selinux-policy-minimum-3.7.19-114.el6.noarch
---> Package selinux-policy-mls.noarch 0:3.7.19-114.el6 will be installed
--> Processing Dependency: policycoreutils-newrole >= 2.0.78-1 for package: selinux-policy-mls-3.7.19-114.el6.noarch
--> Processing Dependency: setransd for package: selinux-policy-mls-3.7.19-114.el6.noarch
---> Package selinux-policy-targeted.noarch 0:3.7.19-93.el6 will be updated
---> Package selinux-policy-targeted.noarch 0:3.7.19-114.el6 will be an update
--> Running transaction check
---> Package mcstrans.x86_64 0:0.3.1-4.el6 will be installed
---> Package policycoreutils-newrole.x86_64 0:2.0.83-19.8.el6_0 will be installed
---> Package policycoreutils-python.x86_64 0:2.0.83-19.8.el6_0 will be installed
--> Processing Dependency: libsemanage-python >= 2.0.43-4 for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64
--> Processing Dependency: audit-libs-python >= 1.4.2-1 for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64
--> Processing Dependency: setools-libs-python for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64
--> Processing Dependency: libselinux-python for package: policycoreutils-python-2.0.83-19.8.el6_0.x86_64
--> Running transaction check
---> Package audit-libs-python.x86_64 0:2.1-5.el6 will be installed
---> Package libselinux-python.x86_64 0:2.0.94-5.el6 will be installed
---> Package libsemanage-python.x86_64 0:2.0.43-4.el6 will be installed
---> Package setools-libs-python.x86_64 0:3.3.7-4.el6 will be installed
--> Processing Dependency: setools-libs = 3.3.7-4.el6 for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1(VERS_1.3)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.2)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.4)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libsefs.so.4(VERS_4.0)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4(VERS_4.2)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4(VERS_4.1)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1(VERS_1.3)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.1)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4(VERS_4.0)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1(VERS_1.2)(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libapol.so.4()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libpoldiff.so.1()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libqpol.so.1()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libseaudit.so.4()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Processing Dependency: libsefs.so.4()(64bit) for package: setools-libs-python-3.3.7-4.el6.x86_64
--> Running transaction check
---> Package setools-libs.x86_64 0:3.3.7-4.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch   Version           Repository               Size
================================================================================
Installing:
 selinux-policy-doc      noarch 3.7.19-114.el6    /selinux-policy-doc-3.7.19-114.el6.noarch
                                                                           12 M
 selinux-policy-minimum  noarch 3.7.19-114.el6    /selinux-policy-minimum-3.7.19-114.el6.noarch
                                                                          2.7 M
 selinux-policy-mls      noarch 3.7.19-114.el6    /selinux-policy-mls-3.7.19-114.el6.noarch
                                                                          2.6 M
Updating:
 selinux-policy          noarch 3.7.19-114.el6    /selinux-policy-3.7.19-114.el6.noarch
                                                                          7.8 M
 selinux-policy-targeted noarch 3.7.19-114.el6    /selinux-policy-targeted-3.7.19-114.el6.noarch
                                                                          2.9 M
Installing for dependencies:
 audit-libs-python       x86_64 2.1-5.el6         rhel6                    57 k
 libselinux-python       x86_64 2.0.94-5.el6      rhel6                   201 k
 libsemanage-python      x86_64 2.0.43-4.el6      rhel6                    81 k
 mcstrans                x86_64 0.3.1-4.el6       rhel6                    85 k
 policycoreutils-newrole x86_64 2.0.83-19.8.el6_0 rhel6                   106 k
 policycoreutils-python  x86_64 2.0.83-19.8.el6_0 rhel6                   334 k
 setools-libs            x86_64 3.3.7-4.el6       rhel6                   400 k
 setools-libs-python     x86_64 3.3.7-4.el6       rhel6                   222 k

Transaction Summary
================================================================================
Install      11 Package(s)
Upgrade       2 Package(s)

Total size: 30 M
Total download size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/8): audit-libs-python-2.1-5.el6.x86_64.rpm            |  57 kB     00:00     
(2/8): libselinux-python-2.0.94-5.el6.x86_64.rpm         | 201 kB     00:00     
(3/8): libsemanage-python-2.0.43-4.el6.x86_64.rpm        |  81 kB     00:00     
(4/8): mcstrans-0.3.1-4.el6.x86_64.rpm                   |  85 kB     00:00     
(5/8): policycoreutils-newrole-2.0.83-19.8.el6_0.x86_64. | 106 kB     00:00     
(6/8): policycoreutils-python-2.0.83-19.8.el6_0.x86_64.r | 334 kB     00:00     
(7/8): setools-libs-3.3.7-4.el6.x86_64.rpm               | 400 kB     00:00     
(8/8): setools-libs-python-3.3.7-4.el6.x86_64.rpm        | 222 kB     00:00     
--------------------------------------------------------------------------------
Total                                           4.6 MB/s | 1.5 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : selinux-policy-3.7.19-114.el6.noarch                        1/15 
  Installing : setools-libs-3.3.7-4.el6.x86_64                             2/15 
  Installing : setools-libs-python-3.3.7-4.el6.x86_64                      3/15 
  Installing : libsemanage-python-2.0.43-4.el6.x86_64                      4/15 
  Installing : audit-libs-python-2.1-5.el6.x86_64                          5/15 
  Installing : mcstrans-0.3.1-4.el6.x86_64                                 6/15 
  Installing : libselinux-python-2.0.94-5.el6.x86_64                       7/15 
  Installing : policycoreutils-python-2.0.83-19.8.el6_0.x86_64             8/15 
  Installing : policycoreutils-newrole-2.0.83-19.8.el6_0.x86_64            9/15 
  Installing : selinux-policy-mls-3.7.19-114.el6.noarch                   10/15 
  Installing : selinux-policy-minimum-3.7.19-114.el6.noarch               11/15 
  Installing : selinux-policy-doc-3.7.19-114.el6.noarch                   12/15 
  Updating   : selinux-policy-targeted-3.7.19-114.el6.noarch              13/15 
  Cleanup    : selinux-policy-targeted-3.7.19-93.el6.noarch               14/15 
  Cleanup    : selinux-policy-3.7.19-93.el6.noarch                        15/15 
rhel6/productid                                          | 1.7 kB     00:00     
duration: 81(ms)
installing: 69.pem
Installed products updated.

Installed:
  selinux-policy-doc.noarch 0:3.7.19-114.el6                                    
  selinux-policy-minimum.noarch 0:3.7.19-114.el6                                
  selinux-policy-mls.noarch 0:3.7.19-114.el6                                    

Dependency Installed:
  audit-libs-python.x86_64 0:2.1-5.el6                                          
  libselinux-python.x86_64 0:2.0.94-5.el6                                       
  libsemanage-python.x86_64 0:2.0.43-4.el6                                      
  mcstrans.x86_64 0:0.3.1-4.el6                                                 
  policycoreutils-newrole.x86_64 0:2.0.83-19.8.el6_0                            
  policycoreutils-python.x86_64 0:2.0.83-19.8.el6_0                             
  setools-libs.x86_64 0:3.3.7-4.el6                                             
  setools-libs-python.x86_64 0:3.3.7-4.el6                                      

Updated:
  selinux-policy.noarch 0:3.7.19-114.el6                                        
  selinux-policy-targeted.noarch 0:3.7.19-114.el6                               

Complete!

[root@dhcp231-79 selinux]# ls
selinux-policy-3.7.19-114.el6.noarch.rpm
selinux-policy-doc-3.7.19-114.el6.noarch.rpm
selinux-policy-minimum-3.7.19-114.el6.noarch.rpm
selinux-policy-mls-3.7.19-114.el6.noarch.rpm
selinux-policy-targeted-3.7.19-114.el6.noarch.rpm
[root@dhcp231-79 selinux]# cd /root/
[root@dhcp231-79 ~]# ls
anaconda-ks.cfg  cloudform.tar  install.log  install.log.syslog  selinux
[root@dhcp231-79 ~]# mkdir cloudform
[root@dhcp231-79 ~]# mv cloudform.tar cloudform
[root@dhcp231-79 ~]# cd cloudform/
[root@dhcp231-79 cloudform]# ls
cloudform.tar
[root@dhcp231-79 cloudform]# tar -xvf cloudform.tar 
cloudform.te
cloudform.fc
cloudform.sh
cloudform.if
[root@dhcp231-79 cloudform]# ls
cloudform.fc  cloudform.if  cloudform.sh  cloudform.tar  cloudform.te
[root@dhcp231-79 cloudform]# getE
-bash: getE: command not found
[root@dhcp231-79 cloudform]# getenforce 
Enforcing
[root@dhcp231-79 cloudform]# sh cloudform.sh 
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted cloudform module
/usr/bin/checkmodule:  loading policy configuration from tmp/cloudform.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/cloudform.mod
Creating targeted cloudform.pp policy package
rm tmp/cloudform.mod.fc tmp/cloudform.mod
+ /usr/sbin/semodule -i cloudform.pp
+ /sbin/restorecon -F -R -v /usr/bin/iwhd
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/iwhd
+ /sbin/restorecon -F -R -v /var/run/iwhd.pid
+ /sbin/restorecon -F -R -v /var/lib/iwhd
+ /sbin/restorecon -F -R -v /usr/bin/deltacloudd
+ /sbin/restorecon -F -R -v /usr/bin/mongod
+ /sbin/restorecon -F -R -v /etc/rc.d/init.d/mongod
+ /sbin/restorecon -F -R -v /var/lib/mongodb
+ /sbin/restorecon -F -R -v /var/log/mongodb
+ /sbin/restorecon -F -R -v /var/run/mongodb
+ /sbin/restorecon -F -R -v /usr/bin/thin
[root@dhcp231-79 cloudform]# echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
[root@dhcp231-79 cloudform]# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
[root@dhcp231-79 cloudform]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0    8052 ?        00:00:00 rhsmcertd
[root@dhcp231-79 cloudform]# 
[root@dhcp231-79 cloudform]# ausearch -m avc -ts recent
<no matches>
[root@dhcp231-79 cloudform]# ls /etc/yum.repos.d/
redhat.repo  rhel6-optional.repo  rhel6.repo  rhel-source.repo
[root@dhcp231-79 cloudform]# cd /etc/yum.repos.d/
[root@dhcp231-79 yum.repos.d]# wget http://repos.fedorapeople.org/repos/aeolus/conductor/rhel-aeolus.repo
--2011-10-19 12:31:43--  http://repos.fedorapeople.org/repos/aeolus/conductor/rhel-aeolus.repo
Resolving repos.fedorapeople.org... 85.236.55.7
Connecting to repos.fedorapeople.org|85.236.55.7|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 479 [text/plain]
Saving to: “rhel-aeolus.repo”

100%[======================================>] 479         --.-K/s   in 0s      

2011-10-19 12:31:44 (61.9 MB/s) - “rhel-aeolus.repo” saved [479/479]


[root@dhcp231-79 ~]# tail -f /var/log/audit/audit.log 
type=ADD_USER msg=audit(1319042196.869:63811): user pid=31155 uid=0 auid=0 ses=15 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user to group acct="qemu" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=ADD_USER msg=audit(1319042196.869:63812): user pid=31155 uid=0 auid=0 ses=15 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user to shadow group acct="qemu" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=CONFIG_CHANGE msg=audit(1319042196.987:63813): auid=0 ses=15 op="updated rules" path="/etc/shadow" key=(null) list=4 res=1
type=SYSCALL msg=audit(1319042196.987:63814): arch=c000003e syscall=82 success=yes exit=0 a0=7fffa3aada30 a1=6153c0 a2=7fffa3aad8f0 a3=fffffffe items=5 ppid=31143 pid=31155 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=15 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1319042196.987:63814):  cwd="/"
type=PATH msg=audit(1319042196.987:63814): item=0 name="/etc/" inode=1835009 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=PATH msg=audit(1319042196.987:63814): item=1 name="/etc/" inode=1835009 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=PATH msg=audit(1319042196.987:63814): item=2 name="/etc/shadow+" inode=1836394 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=PATH msg=audit(1319042196.987:63814): item=3 name="/etc/shadow" inode=1836350 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=PATH msg=audit(1319042196.987:63814): item=4 name="/etc/shadow" inode=1836394 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
^C
[root@dhcp231-79 ~]# tail -f /var/log/audit/audit.log | grep -i denied
type=AVC msg=audit(1319042396.373:63851): avc:  denied  { search } for  pid=31761 comm="deltacloudd" name="/" dev=autofs ino=18826 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=AVC msg=audit(1319042397.625:63854): avc:  denied  { read } for  pid=31787 comm="mongod" name="urandom" dev=devtmpfs ino=3976 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319042397.625:63854): avc:  denied  { open } for  pid=31787 comm="mongod" name="urandom" dev=devtmpfs ino=3976 scontext=unconfined_u:system_r:mongod_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1319042397.689:63857): avc:  denied  { execmem } for  pid=31790 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=AVC msg=audit(1319042397.876:63858): avc:  denied  { write } for  pid=31826 comm="iwhd" name="log" dev=dm-0 ino=2491191 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319042397.876:63858): avc:  denied  { add_name } for  pid=31826 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319042397.876:63858): avc:  denied  { create } for  pid=31826 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1319042397.877:63859): avc:  denied  { name_connect } for  pid=31829 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319042397.878:63860): avc:  denied  { name_bind } for  pid=31826 comm="iwhd" src=9090 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319042409.965:63879): avc:  denied  { write } for  pid=31761 comm="deltacloudd" name="tmp" dev=dm-0 ino=2490457 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63879): avc:  denied  { add_name } for  pid=31761 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63879): avc:  denied  { create } for  pid=31761 comm="deltacloudd" name="deltacloud-mock-nobody" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63880): avc:  denied  { write } for  pid=31761 comm="deltacloudd" name="deltacloud-mock-nobody" dev=dm-0 ino=2499218 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63880): avc:  denied  { add_name } for  pid=31761 comm="deltacloudd" name="images" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1319042409.965:63881): avc:  denied  { create } for  pid=31761 comm="deltacloudd" name="img3.yml" scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1319042409.965:63881): avc:  denied  { write open } for  pid=31761 comm="deltacloudd" name="img3.yml" dev=dm-0 ino=2499220 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1319042409.966:63882): avc:  denied  { getattr } for  pid=31761 comm="deltacloudd" path="/var/tmp/deltacloud-mock-nobody/images/img3.yml" dev=dm-0 ino=2499220 scontext=unconfined_u:system_r:deltacloudd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

Comment 14 Miroslav Grepl 2011-10-20 11:52:01 UTC
Ok, I am fixing the policies and will attach for re-testing.

Wes,
could you redirect output of ausearch to a file and attach this file next time. Thanks.

# ausearch -m avc -ts recent > /tmp/cloudform.log

Comment 15 Miroslav Grepl 2011-10-20 12:03:45 UTC
Created attachment 529251 [details]
Updated cloudform policies

Updated policies.

I am adding these policies to Fedora.

Comment 17 wes hayutin 2011-10-21 16:54:08 UTC
Created attachment 529538 [details]
aeolus-configure -p mock

Comment 18 Miroslav Grepl 2011-10-24 06:16:03 UTC
I am fixing it in Fedora and RHEL6.

Comment 19 Miroslav Grepl 2011-10-25 16:20:16 UTC
Fixed in selinux-policy-3.7.19-119.el6

Comment 21 wes hayutin 2011-10-27 18:02:09 UTC
RHEL 6.2

[root@qeblade31 nodes]# ps -eZ|grep initrc
system_u:system_r:initrc_t:s0    5431 ?        00:00:00 beah-srv
system_u:system_r:initrc_t:s0    5452 ?        00:00:00 beah-beaker-bac
system_u:system_r:initrc_t:s0    5464 ?        00:00:00 beah-fwd-backen
system_u:system_r:initrc_t:s0    6072 ?        00:00:01 beah-rhts-task
unconfined_u:system_r:initrc_t:s0 7506 ?       00:00:07 dbomatic
unconfined_u:system_r:initrc_t:s0 7601 ?       00:01:40 imagefactory
[root@qeblade31 nodes]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@qeblade31 nodes]# ausearch -m avc -ts recent
<no matches>
[root@qeblade31 nodes]# 


RHEL 6.1 w/ new policies

[root@unused ~]# ps -eZ|grep initrc
system_u:system_r:initrc_t:s0    8089 ?        00:00:00 rhsmcertd
unconfined_u:system_r:initrc_t:s0 10502 ?      00:01:34 imagefactory
unconfined_u:system_r:initrc_t:s0 10593 ?      00:00:09 dbomatic
[root@unused ~]#  ausearch -m avc -ts recent
<no matches>
[root@unused ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.1 (Santiago)
[root@unused ~]# 

[root@qeblade31 nodes]# rpm -qa | grep selinux
libselinux-devel-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-120.el6.noarch
libselinux-ruby-2.0.94-5.2.el6.x86_64
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-120.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
[root@qeblade31 nodes]#

Comment 22 wes hayutin 2011-10-27 18:05:41 UTC
imagefactory and dbomatic are running unconfined.. passing back to devel to look

Comment 23 Miroslav Grepl 2011-10-27 18:08:25 UTC
Francesco, 
I thought dbomatic is not needed??

imagefactory should be running as virtd_t.

Wes,
what does

# ps -efZ|grep initrc

Comment 25 wes hayutin 2011-10-28 15:04:22 UTC
[root@unused ~]# ps -efZ|grep initrc
system_u:system_r:initrc_t:s0   root      8089     1  0 Oct27 ?        00:00:00 /usr/bin/rhsmcertd 240
unconfined_u:system_r:initrc_t:s0 aeolus 14593     1  0 Oct27 ?        00:00:18 /usr/bin/ruby /usr/share/aeolus-conductor/dbomatic/dbomatic
unconfined_u:system_r:initrc_t:s0 root   14605     1  0 Oct27 ?        00:00:05 /usr/bin/python /usr/bin/imagefactory --rest --debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23273 23253  0 11:03 pts/0 00:00:00 grep initrc

Comment 26 Miroslav Grepl 2011-10-28 17:38:57 UTC
Ok, the path was changed for imagefactory. We have

/usr/bin/imgfac\.py     --          gen_context(system_u:object_r:virtd_exec_t,s0)

So execute

chcon -t virtd_exec_t /usr/bin/imagefactory

and try to re-test imagefactory.

Also what does

# matchpathcon /usr/bin/rhsmcertd

Comment 27 wes hayutin 2011-10-28 19:31:17 UTC
ok.. I'll have to do some more end-to-end testing..

we still need to get dbomatic fixed...


[root@unused ~]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0    8089 ?        00:00:00 rhsmcertd
unconfined_u:system_r:initrc_t:s0 25069 ?      00:00:08 dbomatic
[root@unused ~]# ps -efZ|grep initrc
system_u:system_r:initrc_t:s0   root      8089     1  0 Oct27 ?        00:00:00 /usr/bin/rhsmcertd 240
unconfined_u:system_r:initrc_t:s0 aeolus 25069     1 30 15:28 ?        00:00:08 /usr/bin/ruby /usr/share/aeolus-conductor/dbomatic/dbomatic
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 25114 24707  0 15:29 pts/1 00:00:00 grep initrc

Comment 28 wes hayutin 2011-10-28 19:35:47 UTC
<weshay_hm> morazi, dbomatic is staying long term for 1.0 right?
<hewbrocca> weshay_hm: OK, so once you have been able to verify
<hewbrocca> weshay_hm: (yes)

Comment 29 Miroslav Grepl 2011-10-30 19:56:28 UTC
# chcon -t mongod_exec_t /usr/share/aeolus-conductor/dbomatic/dbomatic

will fix the issue and I will update cloudform policy.
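
The two chcon fixes in Comment 26 and Comment 29 work because a domain transition in the targeted policy is keyed on the label of the executable: `/usr/bin/imgfac.py` has an entry ending in `virtd_exec_t`, so when the binary was renamed to `/usr/bin/imagefactory` it fell back to the generic `/usr/bin/.*` entry and an init script launching it stayed in `initrc_t`, which is exactly what `ps -efZ` shows in Comment 25. The following Python is an added worked example for this thread, not code from the bug report or from the shipped policy: it performs the lookup `matchpathcon` does over file_contexts-style entries. Only the `imgfac\.py` entry is taken from Comment 26; the generic entries are constructed stand-ins for the targeted policy, and all function names are this example's own.

```python
"""Resolve a path to its SELinux file context from file_contexts-style entries,
the lookup matchpathcon(8) performs.

Added worked example for this bug thread; not part of the report or of the
shipped policy. Semantics follow file_contexts(5): the regex is anchored at
both ends, the optional file-type field restricts the match, and the LAST
matching entry wins. The policy build sorts entries least-specific first, so
in a compiled file_contexts "last match" means "most specific match"; the
constructed list below is already in that order.
"""
import re

# Constructed: generic entries (assumed stand-ins) plus the imgfac.py entry
# quoted in Comment 26.
CONSTRUCTED_FC = r"""
/.*                          system_u:object_r:default_t:s0
/usr/.*                      system_u:object_r:usr_t:s0
/usr/bin/.*                  system_u:object_r:bin_t:s0
/usr/share/.*                system_u:object_r:usr_t:s0
/usr/bin/imgfac\.py     --   gen_context(system_u:object_r:virtd_exec_t,s0)
"""

# Second field of a three-field entry: the object type the entry applies to.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}
GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),\s*([^)]+)\)")


def normalise_context(raw):
    """Policy source writes gen_context(ctx,level); compiled file_contexts has ctx:level."""
    m = GEN_CONTEXT.fullmatch(raw)
    return f"{m.group(1)}:{m.group(2)}" if m else raw


def parse_file_contexts(text):
    """Return [(compiled_regex, file_type_or_None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        elif len(parts) == 3:
            regex, ftype, ctx = parts
            if ftype not in FILE_TYPES:
                raise ValueError(f"unknown file type {ftype!r} in: {line}")
        else:
            raise ValueError(f"malformed file_contexts line: {line}")
        # libselinux anchors every regex with ^...$; fullmatch does the same.
        specs.append((re.compile(regex), ftype, normalise_context(ctx)))
    return specs


def match_context(path, specs, ftype="--"):
    """Context of the last matching entry whose file type fits, or None.

    ftype is the specifier of the object being labelled ('--' regular file,
    '-d' directory, ...); entries with no specifier match any object type."""
    for regex, spec_ftype, ctx in reversed(specs):
        if spec_ftype is not None and spec_ftype != ftype:
            continue
        if regex.fullmatch(path):
            return ctx
    return None


def exec_type(path, specs):
    """Just the type field, which is what decides the domain transition."""
    ctx = match_context(path, specs)
    return ctx.split(":")[2] if ctx else None


if __name__ == "__main__":
    specs = parse_file_contexts(CONSTRUCTED_FC)
    for p in ("/usr/bin/imgfac.py", "/usr/bin/imagefactory",
              "/usr/share/aeolus-conductor/dbomatic/dbomatic"):
        print(f"{p:50} {exec_type(p, specs)}")
    # What a policy update carries instead of a chcon: an .fc entry for the
    # renamed binary (hypothetical entry, mirroring the imgfac.py one).
    fixed = specs + parse_file_contexts(
        "/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)")
    print(f"{'/usr/bin/imagefactory (after .fc entry)':50} "
          f"{exec_type('/usr/bin/imagefactory', fixed)}")
```

The practical caveat behind the two chcon commands: chcon changes only the label stored on that inode, so the next relabel of the path (a `restorecon` over it, a full autorelabel, or the package being reinstalled) puts the generic label back and the daemon silently returns to `initrc_t`. The durable fix is the file-context entry that the updated selinux-policy carries; on a system where the policy cannot be rebuilt, `semanage fcontext -a -t virtd_exec_t /usr/bin/imagefactory` followed by `restorecon -v /usr/bin/imagefactory` records the same entry in the local file_contexts.local and survives relabels.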

Comment 30 Miroslav Grepl 2011-10-31 15:54:21 UTC
Fixed in selinux-policy-3.7.19-121.el6

Comment 31 wes hayutin 2011-10-31 18:51:05 UTC
now that factory is confined... builds are failing...

[root@unused ~]# ausearch -m avc 
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.859:63982): arch=c000003e syscall=59 success=yes exit=0 a0=8deaa0 a1=8ddf20 a2=8def30 a3=7ffff4771770 items=0 ppid=16968 pid=16969 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.859:63982): avc:  denied  { read write } for  pid=16969 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.830:63981): arch=c000003e syscall=59 success=yes exit=0 a0=7ed960 a1=7ecf10 a2=7ede20 a3=7fff9e539150 items=0 ppid=13330 pid=16967 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.830:63981): avc:  denied  { read write } for  pid=16967 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.875:63983): arch=c000003e syscall=59 success=yes exit=0 a0=7f137c13cce0 a1=7f137c13d060 a2=174e410 a3=20 items=0 ppid=13330 pid=16970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.875:63983): avc:  denied  { read write } for  pid=16970 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
----
time->Mon Oct 31 14:32:28 2011
type=SYSCALL msg=audit(1320085948.886:63984): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=7fffd9a27820 a2=6e a3=7fffd9a275a0 items=0 ppid=13330 pid=16970 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320085948.886:63984): avc:  denied  { write } for  pid=16970 comm="qemu-kvm" name="sock" dev=dm-0 ino=1970033 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=sock_file
[root@unused ~]#
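
The AVC dumps in this thread (the `tail -f | grep denied` output before Comment 14 and the `ausearch -m avc` output in Comment 31) are what `audit2allow` in Comment 33 turns into allow rules. The following Python is an added worked example for this thread, not code from the bug report or from the policy tooling: it parses raw audit.log AVC records, decodes the hex-encoded `path=` field that appears in Comment 31 (auditd hex-encodes any value containing a space or quote, here `/tmp/ffinmDfBP (deleted)`), groups denials into audit2allow-shaped rules, and flags the ones a policy reviewer should not accept as written. The sample records are copied from the thread; the grouping, the flag lists and all function names are this example's own.

```python
"""Summarise SELinux AVC denials from raw audit.log lines, audit2allow-style.

Added worked example for this bug thread; not part of the report or of the
cloudform policy. Sample records are copied from the ausearch output in the
thread (one SYSCALL record is abridged); everything else is this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: five AVC records from the thread plus one SYSCALL record
# that the parser must skip. The qemu-kvm record carries a hex-encoded path=
# field, which decodes to "/tmp/ffinmDfBP (deleted)".
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1319042397.876:63858): avc:  denied  { write } for  pid=31826 comm="iwhd" name="log" dev=dm-0 ino=2491191 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319042397.876:63858): avc:  denied  { add_name } for  pid=31826 comm="iwhd" name="iwhd.log" scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1319042397.877:63859): avc:  denied  { name_connect } for  pid=31829 comm="iwhd" dest=27017 scontext=unconfined_u:system_r:iwhd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1319042397.689:63857): avc:  denied  { execmem } for  pid=31790 comm="mongod" scontext=unconfined_u:system_r:mongod_t:s0 tcontext=unconfined_u:system_r:mongod_t:s0 tclass=process
type=SYSCALL msg=audit(1320085948.859:63982): arch=c000003e syscall=59 success=yes exit=0 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm"
type=AVC msg=audit(1320085948.859:63982): avc:  denied  { read write } for  pid=16969 comm="qemu-kvm" path=2F746D702F6666696E6D44664250202864656C6574656429 dev=dm-0 ino=1965153 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:virt_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# String fields auditd may hex-encode. Numeric fields (ino=, pid=) are never
# encoded and are excluded so an all-digit inode is not mis-decoded.
HEX_FIELDS = {"path", "name", "comm", "exe", "proctitle"}
RISKY_PERMS = {"execmem", "execheap", "execstack", "execmod"}
# Catch-all types: a denial against one of these usually means the object is
# mislabelled (or the port unlabelled), not that the domain needs wider access.
GENERIC_TARGETS = {"port_t", "var_log_t", "var_lib_t", "var_run_t", "var_t",
                   "tmp_t", "default_t", "unlabeled_t", "file_t"}


def decode_field(key, raw):
    """Audit values are "quoted", hex-encoded (string fields only) or bare."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        rec = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = set(m.group("perms").split())
        denials.append(rec)
    return denials


def summarise_rules(denials):
    """Group denials by (source type, target type, class), the shape audit2allow
    prints as allow rules. Returns {(src, tgt, cls): set(perms)}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])] |= d["perms"]
    return dict(rules)


def format_rules(rules):
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]


def review_flags(rules):
    """Rules a reviewer should not paste from audit2allow unexamined:
    W^X-weakening permissions, and access to catch-all target types."""
    flags = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        risky = perms & RISKY_PERMS
        if risky:
            flags.append((src, tgt, cls, "weakens W^X: " + " ".join(sorted(risky))))
        if tgt in GENERIC_TARGETS:
            flags.append((src, tgt, cls, f"catch-all target {tgt}: label the object or port instead"))
    return flags


if __name__ == "__main__":
    rules = summarise_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    print("\n".join(format_rules(rules)))
    for src, tgt, cls, why in review_flags(rules):
        print(f"REVIEW {src} -> {tgt}:{cls}: {why}")
```

On the thread's own records the flags land where a policy author would want them: `allow iwhd_t port_t:tcp_socket { name_connect };` would let iwhd connect to every unlabelled TCP port, when the denial only says that 27017 carried no port type, so the fix belongs in a port label rather than an allow rule; `allow iwhd_t var_log_t:dir { add_name write };` would let the daemon write anywhere under /var/log, when it needs its own log type plus a file transition for `iwhd.log`; and `execmem` for mongod_t is a W^X relaxation that should be checked against what the binary really does before it is granted. The `qemu_t` denial on `virt_tmp_t`, by contrast, is between two purpose-specific types and is the kind of rule the Comment 33 `audit2allow -M myvirt` test was meant to confirm.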

Comment 32 wes hayutin 2011-10-31 18:52:02 UTC
[root@unused ~]# rpm -qa | grep aeolus
rubygem-ZenTest-4.3.3-2.aeolus.el6.noarch
aeolus-configure-2.2.0-1.el6.noarch
aeolus-conductor-doc-0.5.0-1.el6.noarch
rubygem-aeolus-image-0.1.0-4.el6.noarch
aeolus-conductor-0.5.0-1.el6.noarch
rubygem-arel-2.0.10-0.aeolus.el6.noarch
rubygem-aeolus-cli-0.1.0-3.el6.noarch
aeolus-conductor-daemons-0.5.0-1.el6.noarch
aeolus-all-0.5.0-1.el6.noarch
rubygem-rack-mount-0.7.1-3.aeolus.el6.noarch

[root@unused ~]# rpm -qa | grep selinux
libselinux-utils-2.0.94-5.el6.x86_64
selinux-policy-targeted-3.7.19-121.el6.noarch
selinux-policy-3.7.19-121.el6.noarch
libselinux-ruby-2.0.94-5.el6.x86_64
libselinux-2.0.94-5.el6.x86_64

[root@unused ~]# rpm -qa | grep libvirt
libvirt-python-0.8.7-18.el6.x86_64
libvirt-0.8.7-18.el6.x86_64
libvirt-client-0.8.7-18.el6.x86_64
[root@unused ~]# rpm -qa | grep imagefactory
imagefactory-jeosconf-ec2-rhel-0.8.0-1.el6.noarch
imagefactory-jeosconf-ec2-fedora-0.8.0-1.el6.noarch
imagefactory-0.8.0-1.el6.noarch
rubygem-imagefactory-console-0.5.0-4.20110824113238gitd9debef.el6.noarch
[root@unused ~]# rpm -qa | grep oz
python-repoze-who-friendlyform-1.0-0.3.b3.el6.noarch
python-repoze-who-1.0.13-2.el6.noarch
python-repoze-what-1.0.8-6.el6.noarch
python-repoze-tm2-1.0-0.5.a4.el6.noarch
oz-0.7.0-3.el6.noarch
python-repoze-what-pylons-1.0-4.el6.noarch
python-repoze-who-testutil-1.0-0.4.rc1.el6.noarch

Comment 33 Miroslav Grepl 2011-10-31 19:51:16 UTC
Wes,
are you up-to-date?

Francesco,
I thought it should be fixed?

Wes,
if you execute

# grep virt_tmp_t /var/log/audit/audit.log |audit2allow -M myvirt.te
# semodule -i myvirt.pp

does it work then?

Comment 34 wes hayutin 2011-11-01 00:04:37 UTC
[root@unused ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.1 (Santiago)
[root@unused ~]# grep virt_tmp_t /var/log/audit/audit.log |audit2allow -M myvirt
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myvirt.pp

[root@unused ~]# semodule -i myvirt.pp
[root@unused ~]# getenforce 
Enforcing
[root@unused ~]# /etc/init.d/auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
[root@unused ~]# 

[root@unused ~]# ausearch -m avc 
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69368): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=800 a2=0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69368): avc:  denied  { read } for  pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69369): arch=c000003e syscall=4 success=no exit=-13 a0=2709b80 a1=7fff7563c3e0 a2=7fff7563c3e0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69369): avc:  denied  { getattr } for  pid=19450 comm="qemu-kvm" path="/var/lib/imagefactory/images/base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69370): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=84002 a2=0 a3=48 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69370): avc:  denied  { read write } for  pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
[root@unused ~]#

Comment 35 Miroslav Grepl 2011-11-01 11:51:08 UTC
if you execute

# chcon -R -t virt_image_t /var/lib/imagefactory/image

does it work then?

Comment 36 wes hayutin 2011-11-01 14:06:54 UTC
no dice :(
contact me on irc if you want access to the server..

root@unused ~]#  ausearch -m avc
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69368): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=800 a2=0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69368): avc:  denied  { read } for  pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69369): arch=c000003e syscall=4 success=no exit=-13 a0=2709b80 a1=7fff7563c3e0 a2=7fff7563c3e0 a3=1 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69369): avc:  denied  { getattr } for  pid=19450 comm="qemu-kvm" path="/var/lib/imagefactory/images/base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Mon Oct 31 18:59:13 2011
type=SYSCALL msg=audit(1320101953.363:69370): arch=c000003e syscall=2 success=no exit=-13 a0=2709b80 a1=84002 a2=0 a3=48 items=0 ppid=13330 pid=19450 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320101953.363:69370): avc:  denied  { read write } for  pid=19450 comm="qemu-kvm" name="base-image-0a4cabb4-6304-4ca2-bd42-3bc34da6606f.dsk" dev=dm-0 ino=1179881 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Tue Nov  1 09:46:24 2011
type=SYSCALL msg=audit(1320155184.222:70597): arch=c000003e syscall=2 success=no exit=-13 a0=1af9b80 a1=800 a2=0 a3=1 items=0 ppid=13330 pid=914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320155184.222:70597): avc:  denied  { read } for  pid=914 comm="qemu-kvm" name="base-image-0b23de22-7abe-4866-b89d-fe7c99f35e2c.dsk" dev=dm-0 ino=1179885 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Tue Nov  1 09:46:24 2011
type=SYSCALL msg=audit(1320155184.223:70598): arch=c000003e syscall=4 success=no exit=-13 a0=1af9b80 a1=7fffcebb9ac0 a2=7fffcebb9ac0 a3=1 items=0 ppid=13330 pid=914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320155184.223:70598): avc:  denied  { getattr } for  pid=914 comm="qemu-kvm" path="/var/lib/imagefactory/images/base-image-0b23de22-7abe-4866-b89d-fe7c99f35e2c.dsk" dev=dm-0 ino=1179885 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
----
time->Tue Nov  1 09:46:24 2011
type=SYSCALL msg=audit(1320155184.223:70599): arch=c000003e syscall=2 success=no exit=-13 a0=1af9b80 a1=84002 a2=0 a3=48 items=0 ppid=13330 pid=914 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320155184.223:70599): avc:  denied  { read write } for  pid=914 comm="qemu-kvm" name="base-image-0b23de22-7abe-4866-b89d-fe7c99f35e2c.dsk" dev=dm-0 ino=1179885 scontext=unconfined_u:system_r:qemu_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
[root@unused ~]#

Comment 37 Miroslav Grepl 2011-11-01 14:21:26 UTC
Well, I have a typo

# chcon -R -t virt_image_t /var/lib/imagefactory/images

Comment 38 wes hayutin 2011-11-01 14:30:09 UTC
yes.. I fixed that typo before executing.

Comment 39 Miroslav Grepl 2011-11-02 11:55:16 UTC
Fixed in selinux-policy-3.7.19-122.el6

I was able to create a new image using "aeolus-image" in enforcing mode.

Comment 40 wes hayutin 2011-11-02 18:28:53 UTC
[root@qeblade30 cron.d]# ausearch -m avc
<no matches>
[root@qeblade30 cron.d]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 Beta (Santiago)
[root@qeblade30 cron.d]# rpm -qa | grep selinux
libselinux-devel-2.0.94-5.2.el6.x86_64
libselinux-ruby-2.0.94-5.2.el6.x86_64
selinux-policy-targeted-3.7.19-122.el6.noarch
libselinux-2.0.94-5.2.el6.x86_64
selinux-policy-3.7.19-122.el6.noarch
libselinux-utils-2.0.94-5.2.el6.x86_64
[root@qeblade30 cron.d]#

Comment 41 wes hayutin 2011-11-02 18:30:38 UTC
Created attachment 531420 [details]
automation log

Comment 42 errata-xmlrpc 2011-12-06 10:19:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

