Description of problem:
Failing cvs login causes avc denial on /var/run/utmp

Version-Release number of selected component (if applicable):
# rpm -qa | grep cvs
cvs-1.11.22-10.el5
cvs-debuginfo-1.11.22-10.el5
cvs-inetd-1.11.22-10.el5
# rpm -qa | grep selinux
selinux-policy-targeted-2.4.6-317.el5
libselinux-devel-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
selinux-policy-2.4.6-317.el5
libselinux-1.33.4-5.7.el5

How reproducible:
deterministic

Steps to Reproduce:
1. Install `cvs-inetd' and `cvs' packages.
2. Enable cvs service in xinetd configuration (/etc/xinetd.d/cvs: disable = no)
3. service xinetd restart
4. Try logging into CVS service on this machine as existing user (e.g. `root') with bad password:
5. cvs -d ":pserver:root:fooWrongPassword@localhost:/var/cvs" login
Logging in to :pserver:root@localhost:2401/var/cvs
PAM authenticate error: Authentication failure
cvs login: authorization failed: server localhost rejected access to /var/cvs for user root
# cvs failure is correct but not avc denial:

Actual results:
type=AVC msg=audit(1321976733.640:1688): avc: denied { read } for pid=22606 comm="cvs" name="utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1321976733.640:1689): avc: denied { lock } for pid=22606 comm="cvs" path="/var/run/utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
# find / -mount -inum 33914887
/var/run/utmp
# ls -laZ /var/run/utmp
-rw-rw-r--  root utmp system_u:object_r:initrc_var_run_t /var/run/utmp
# restorecon /var/run/utmp
# ls -laZ /var/run/utmp
-rw-rw-r--  root utmp system_u:object_r:initrc_var_run_t /var/run/utmp

Expected results:
no avc denial

Additional info:
Avc denial appears occasionally on file /var/run/utmp. But it always appears on the first try of the command in step 5.
After that you need to wait a random time to reproduce it again.
I think this is triggered by a PAM module after I applied the patch to /usr/bin/cvs setting a dummy PAM_TTY value (https://bugzilla.redhat.com/attachment.cgi?id=484179).
Enforcing mode reveals the read operation only. Permissive mode reveals both operations: read and lock.
----
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80099) : arch=x86_64 syscall=open success=yes exit=3 a0=364e122686 a1=0 a2=2 a3=cc8d5a0d items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2011 07:16:30.921:80099) : avc: denied { read } for pid=20192 comm=cvs name=utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80100) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=3 a1=7 a2=7fff7f5edab0 a3=8 items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2011 07:16:30.921:80100) : avc: denied { lock } for pid=20192 comm=cvs path=/var/run/utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
----
We should dontaudit this.
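Added example (not from this bug report, and not the rule that shipped in the selinux-policy package, which this page does not show): a minimal reimplementation of the part of audit2allow's logic that matters here. It parses the AVC records quoted above, in both the raw audit.log form and the `ausearch -i` form, collapses them by (source type, target type, class), and renders the resulting dontaudit rule as a loadable .te module. The module name local_cvs_utmp, the sample log string, and the helper names are constructed for this example.

```python
"""Summarise SELinux AVC denials from audit records and emit the matching
dontaudit rule. Added example; a minimal stand-in for audit2allow, not the tool."""
import re

# Constructed sample input: the AVC lines quoted in the bug report, in the raw
# /var/log/audit/audit.log form (quoted fields, epoch timestamps) and in the
# `ausearch -i` form (unquoted fields, human-readable timestamps). The SYSCALL
# record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1321976733.640:1688): avc: denied { read } for pid=22606 comm="cvs" name="utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1321976733.640:1689): avc: denied { lock } for pid=22606 comm="cvs" path="/var/run/utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80100) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=3 a1=7 a2=7fff7f5edab0 a3=8 items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2011 07:16:30.921:80100) : avc: denied { lock } for pid=20192 comm=cvs path=/var/run/utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# Matches both "msg=audit(...): avc:" (raw) and "msg=audit(...) : avc:" (ausearch -i).
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:TYPE[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(log):
    """Collapse denials into {(source type, target type, class): sorted permissions}."""
    summary = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        summary.setdefault(key, set()).update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}


def to_rule(key, perms, kind="dontaudit"):
    """Render one policy rule; kind is 'dontaudit' (silence only) or 'allow' (grant)."""
    stype, ttype, tclass = key
    return f"{kind} {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"


def policy_module(summary, name="local_cvs_utmp", kind="dontaudit"):
    """Build .te source suitable for checkmodule/semodule_package (hypothetical module name)."""
    types = sorted({t for key in summary for t in key[:2]})
    classes = {}
    for (_, _, tclass), perms in summary.items():
        classes.setdefault(tclass, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    for tclass, perms in sorted(classes.items()):
        lines.append(f"    class {tclass} {{ {' '.join(sorted(perms))} }};")
    lines += ["}", ""]
    lines += [to_rule(k, p, kind) for k, p in sorted(summary.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module(summarize(SAMPLE_AUDIT_LOG)))
```

A dontaudit rule only stops the record from being logged; it grants nothing, so it is the right shape for a benign access that the domain does not need (the failed login still fails). The reporter's `restorecon` run shows the file label is already correct, which is why the fix belongs in policy rather than in relabeling /var/run/utmp.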
Dontaudited in the selinux-policy-2.4.6-320.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html