Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-mls-3.7.19-123.el6.noarch selinux-policy-3.7.19-123.el6.noarch selinux-policy-minimum-3.7.19-123.el6.noarch selinux-policy-targeted-3.7.19-123.el6.noarch selinux-policy-doc-3.7.19-123.el6.noarch vhostmd-0.4-2.4.el6.x86_64 How reproducible: always Steps to Reproduce: # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted # service vhostmd start Starting vhostmd: [ OK ] # service vhostmd status vhostmd dead but subsys locked # service vhostmd stop # ausearch -m avc -m user_avc -ts recent Actual results: ---- time->Wed Nov 9 05:49:15 2011 type=SYSCALL msg=audit(1320835755.978:445728): arch=c000003e syscall=21 success=no exit=-13 a0=3c4c6665e8 a1=4 a2=0 a3=0 items=0 ppid=1 pid=2852 auid=0 uid=112 gid=112 euid=112 suid=112 fsuid=112 egid=112 sgid=112 fsgid=112 tty=(none) ses=115 comm="vhostmd" exe="/usr/sbin/vhostmd" subj=unconfined_u:system_r:vhostmd_t:s0 key=(null) type=AVC msg=audit(1320835755.978:445728): avc: denied { read } for pid=2852 comm="vhostmd" name="random" dev=devtmpfs ino=3656 scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file ---- time->Wed Nov 9 05:49:15 2011 type=SYSCALL msg=audit(1320835755.978:445729): arch=c000003e syscall=234 success=no exit=-13 a0=b24 a1=b24 a2=6 a3=8 items=0 ppid=1 pid=2852 auid=0 uid=112 gid=112 euid=112 suid=112 fsuid=112 egid=112 sgid=112 fsgid=112 tty=(none) ses=115 comm="vhostmd" exe="/usr/sbin/vhostmd" subj=unconfined_u:system_r:vhostmd_t:s0 key=(null) type=AVC msg=audit(1320835755.978:445729): avc: denied { signal } for pid=2852 comm="vhostmd" scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=unconfined_u:system_r:vhostmd_t:s0 tclass=process ---- time->Wed Nov 9 05:49:15 2011 type=SYSCALL msg=audit(1320835755.978:445730): arch=c000003e syscall=234 success=no exit=-13 a0=b24 a1=b24 a2=6 a3=8 items=0 ppid=1 pid=2852 auid=0 uid=112 gid=112 euid=112 suid=112 fsuid=112 egid=112 sgid=112 fsgid=112 tty=(none) ses=115 comm="vhostmd" exe="/usr/sbin/vhostmd" subj=unconfined_u:system_r:vhostmd_t:s0 key=(null) type=AVC msg=audit(1320835755.978:445730): avc: denied { signal } for pid=2852 comm="vhostmd" scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=unconfined_u:system_r:vhostmd_t:s0 tclass=process ---- Expected results: * no AVCs
Does it work with these AVC msgs?
It works in permissive mode. In enforcing mode the daemon simply dies.
I mean if you create a local policy from these AVC msgs.
Following policy module solved the problem. The daemon is running and AVCs do not appear any more. module mypolicy 1.0; require { type vhostmd_t; type random_device_t; class process signal; class chr_file read; } #============= vhostmd_t ============== allow vhostmd_t random_device_t:chr_file read; allow vhostmd_t self:process signal;
Fixed in selinux-policy-3.7.19-125.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html