Bug 752376 - vhostmd service dies in enforcing mode
Summary: vhostmd service dies in enforcing mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-11-09 10:57 UTC by Milos Malik
Modified: 2012-10-15 14:36 UTC
CC List: 2 users

Fixed In Version: selinux-policy-3.7.19-125.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:20:57 UTC
Target Upstream Version:

Links:
Red Hat Product Errata RHBA-2011:1511 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-12-06 00:39:17 UTC

Description Milos Malik 2011-11-09 10:57:22 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-123.el6.noarch
selinux-policy-3.7.19-123.el6.noarch
selinux-policy-minimum-3.7.19-123.el6.noarch
selinux-policy-targeted-3.7.19-123.el6.noarch
selinux-policy-doc-3.7.19-123.el6.noarch
vhostmd-0.4-2.4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# service vhostmd start
Starting vhostmd: [  OK  ]
# service vhostmd status
vhostmd dead but subsys locked
# service vhostmd stop
# ausearch -m avc -m user_avc -ts recent

Actual results:
----
time->Wed Nov  9 05:49:15 2011
type=SYSCALL msg=audit(1320835755.978:445728): arch=c000003e syscall=21 success=no exit=-13 a0=3c4c6665e8 a1=4 a2=0 a3=0 items=0 ppid=1 pid=2852 auid=0 uid=112 gid=112 euid=112 suid=112 fsuid=112 egid=112 sgid=112 fsgid=112 tty=(none) ses=115 comm="vhostmd" exe="/usr/sbin/vhostmd" subj=unconfined_u:system_r:vhostmd_t:s0 key=(null)
type=AVC msg=audit(1320835755.978:445728): avc:  denied  { read } for  pid=2852 comm="vhostmd" name="random" dev=devtmpfs ino=3656 scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
time->Wed Nov  9 05:49:15 2011
type=SYSCALL msg=audit(1320835755.978:445729): arch=c000003e syscall=234 success=no exit=-13 a0=b24 a1=b24 a2=6 a3=8 items=0 ppid=1 pid=2852 auid=0 uid=112 gid=112 euid=112 suid=112 fsuid=112 egid=112 sgid=112 fsgid=112 tty=(none) ses=115 comm="vhostmd" exe="/usr/sbin/vhostmd" subj=unconfined_u:system_r:vhostmd_t:s0 key=(null)
type=AVC msg=audit(1320835755.978:445729): avc:  denied  { signal } for  pid=2852 comm="vhostmd" scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=unconfined_u:system_r:vhostmd_t:s0 tclass=process
----
time->Wed Nov  9 05:49:15 2011
type=SYSCALL msg=audit(1320835755.978:445730): arch=c000003e syscall=234 success=no exit=-13 a0=b24 a1=b24 a2=6 a3=8 items=0 ppid=1 pid=2852 auid=0 uid=112 gid=112 euid=112 suid=112 fsuid=112 egid=112 sgid=112 fsgid=112 tty=(none) ses=115 comm="vhostmd" exe="/usr/sbin/vhostmd" subj=unconfined_u:system_r:vhostmd_t:s0 key=(null)
type=AVC msg=audit(1320835755.978:445730): avc:  denied  { signal } for  pid=2852 comm="vhostmd" scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=unconfined_u:system_r:vhostmd_t:s0 tclass=process
----

Expected results:
* no AVCs

Comment 1 Miroslav Grepl 2011-11-09 11:39:44 UTC
Does it work with these AVC msgs?

Comment 3 Milos Malik 2011-11-09 12:30:24 UTC
It works in permissive mode. In enforcing mode the daemon simply dies.

Comment 4 Miroslav Grepl 2011-11-09 12:41:05 UTC
I mean if you create a local policy from these AVC msgs.

Comment 5 Milos Malik 2011-11-09 12:58:56 UTC
The following policy module solved the problem. The daemon is running and AVCs do not appear any more.

module mypolicy 1.0;

require {
        type vhostmd_t;
        type random_device_t;
        class process signal;
        class chr_file read;
}

#============= vhostmd_t ==============
allow vhostmd_t random_device_t:chr_file read;
allow vhostmd_t self:process signal;

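The mapping from the AVC records quoted in this bug to the allow rules in that module, as an added example that is not part of the report and is not audit2allow itself: a small Python generator that parses the denials, collapses a target of the same type as the source to `self`, merges the duplicate signal denials, and emits the same require block and allow rules. It uses only the standard library; the module name `mypolicy` is taken from the comment above.

```python
import re

# Sample input: the three AVC lines copied from the "Actual results" section
# of this report (the SYSCALL lines are not needed and would be skipped).
AVC_LINES = [
    'type=AVC msg=audit(1320835755.978:445728): avc:  denied  { read } for  pid=2852 comm="vhostmd" name="random" dev=devtmpfs ino=3656 scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1320835755.978:445729): avc:  denied  { signal } for  pid=2852 comm="vhostmd" scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=unconfined_u:system_r:vhostmd_t:s0 tclass=process',
    'type=AVC msg=audit(1320835755.978:445730): avc:  denied  { signal } for  pid=2852 comm="vhostmd" scontext=unconfined_u:system_r:vhostmd_t:s0 tcontext=unconfined_u:system_r:vhostmd_t:s0 tclass=process',
]

# Pull the permission set, both security contexts and the object class out of one record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_denials(lines):
    """Return {(source_type, target_type_or_self, tclass): set(perms)} from AVC lines."""
    denials = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        stype = m.group('scon').split(':')[2]  # user:role:type:level -> type
        ttype = m.group('tcon').split(':')[2]
        key = (stype, 'self' if ttype == stype else ttype, m.group('tclass'))
        denials.setdefault(key, set()).update(m.group('perms').split())
    return denials

def fmt_perms(perms):
    """One permission bare, several in braces, as TE syntax expects."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)

def build_module(denials, name='mypolicy', version='1.0'):
    """Render a minimal TE module (require block plus allow rules) from parsed denials."""
    types, classes = set(), {}
    for (stype, ttype, tclass), perms in denials.items():
        types.add(stype)
        if ttype != 'self':
            types.add(ttype)
        classes.setdefault(tclass, set()).update(perms)
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s %s;' % (c, fmt_perms(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, fmt_perms(perms)))
    return '\n'.join(out)

if __name__ == '__main__':
    print(build_module(parse_denials(AVC_LINES)))
```

Read the generated rules as a proposed diff against what the vhostmd_t domain is meant to do rather than as something to load unreviewed; here the denials are clearly legitimate daemon behaviour, which is why the same rules went into selinux-policy-3.7.19-125.el6.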
Comment 6 Miroslav Grepl 2011-11-09 15:17:17 UTC
Fixed in selinux-policy-3.7.19-125.el6

Comment 9 errata-xmlrpc 2011-12-06 10:20:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
