Bug 772717 - selinux-policy in rhel-6.2 doesn't allow mcelogd to create pid file causing it not to start
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-01-09 18:29 UTC by Tuomo Soini
Modified: 2018-11-28 21:25 UTC (History)

Fixed In Version: selinux-policy-3.7.19-135.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:30:17 UTC


Attachments
Patch for selinux policy for the issue - mostly backport from rawhide (3.85 KB, patch)
2012-01-09 18:29 UTC, Tuomo Soini


Links
System: Red Hat Product Errata
ID: RHBA-2012:0780
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2012-06-19 20:34:59 UTC

Description Tuomo Soini 2012-01-09 18:29:15 UTC
Created attachment 551633
Patch for selinux policy for the issue - mostly backport from rawhide

Description of problem:

selinux-policy in rhel-6.2 prevents mcelogd's mandatory access to the pid file and log file. These problems make mcelogd unable to start up.

Version-Release number of selected component (if applicable):

3.7.19-126.el6_2.4

How reproducible:

always when selinux is Enforcing

Steps to Reproduce:
1. boot system
2. mcelogd not running after boot

Comment 1 Tuomo Soini 2012-01-09 18:31:07 UTC
Patch file includes original avc messages

Comment 4 Milos Malik 2012-01-11 17:51:35 UTC
Seen in enforcing mode:
----
time->Wed Jan 11 12:45:48 2012
type=SYSCALL msg=audit(1326303948.956:84270): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fff45eea640 a2=6e a3=8 items=0 ppid=15459 pid=15460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326303948.956:84270): avc:  denied  { write } for  pid=15460 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jan 11 12:45:48 2012
type=SYSCALL msg=audit(1326303948.956:84271): arch=c000003e syscall=87 success=no exit=-13 a0=411085 a1=7fff45eea400 a2=0 a3=8 items=0 ppid=15459 pid=15460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326303948.956:84271): avc:  denied  { write } for  pid=15460 comm="mcelog" name="run" dev=dm-0 ino=1704702 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----

Comment 5 Milos Malik 2012-01-11 17:54:35 UTC
Seen in permissive mode:
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.626:84295): arch=c000003e syscall=2 success=yes exit=4 a0=615160 a1=441 a2=1b6 a3=0 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.626:84295): avc:  denied  { open } for  pid=16076 comm="mcelog" name="mcelog" dev=dm-0 ino=1704220 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.628:84296): arch=c000003e syscall=42 success=no exit=-111 a0=7 a1=7fffca1942f0 a2=6e a3=8 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.628:84296): avc:  denied  { write } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.629:84297): arch=c000003e syscall=87 success=yes exit=0 a0=411085 a1=7fffca1940b0 a2=0 a3=8 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { unlink } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { remove_name } for  pid=16076 comm="mcelog" name="mcelog-client" dev=dm-0 ino=1704219 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1326304354.629:84297): avc:  denied  { write } for  pid=16076 comm="mcelog" name="run" dev=dm-0 ino=1704702 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.629:84298): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7fffca1942f0 a2=6e a3=8 items=0 ppid=16075 pid=16076 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.629:84298): avc:  denied  { create } for  pid=16076 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1326304354.629:84298): avc:  denied  { add_name } for  pid=16076 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.629:84299): arch=c000003e syscall=2 success=yes exit=8 a0=615140 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=16077 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.629:84299): avc:  denied  { write open } for  pid=16077 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1326304354.629:84299): avc:  denied  { create } for  pid=16077 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jan 11 12:52:34 2012
type=SYSCALL msg=audit(1326304354.630:84300): arch=c000003e syscall=5 success=yes exit=0 a0=8 a1=7fffca193ac0 a2=7fffca193ac0 a3=0 items=0 ppid=1 pid=16077 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304354.630:84300): avc:  denied  { getattr } for  pid=16077 comm="mcelog" path="/var/run/mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Jan 11 12:52:36 2012
type=SYSCALL msg=audit(1326304356.049:84305): arch=c000003e syscall=87 success=yes exit=0 a0=615140 a1=7fffca193f70 a2=7fffca193e40 a3=617520 items=0 ppid=1 pid=16077 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1326304356.049:84305): avc:  denied  { unlink } for  pid=16077 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=1704225 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
----
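
Added example, not part of the original bug report: a small Python parser that groups the AVC denials from comments 4 and 5 by source type, target type and class, and reports which permissions only became visible in permissive mode. The records are rebuilt with a hypothetical `avc()` helper (audit timestamp, pid, dev and ino are placeholders), and all function names are illustrative.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+'
    r'tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+'
    r'tclass=(?P<cls>\w+)')

def denied_rules(log):
    """Group AVC denials as {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log):
        rules[(m['src'], m['tgt'], m['cls'])].update(m['perms'].split())
    return dict(rules)

def only_in_permissive(enforcing_log, permissive_log):
    """Permissions that never showed up in the enforcing-mode log."""
    enf = denied_rules(enforcing_log)
    out = {}
    for key, perms in denied_rules(permissive_log).items():
        extra = perms - enf.get(key, set())
        if extra:
            out[key] = extra
    return out

def avc(perms, name, ttype, tclass):
    # Constructed record: same fields as the thread's AVC lines, minus dev/ino.
    return ('type=AVC msg=audit(0.0:0): avc:  denied  { %s } for  pid=1 '
            'comm="mcelog" name="%s" scontext=system_u:system_r:mcelog_t:s0 '
            'tcontext=system_u:object_r:%s:s0 tclass=%s\n'
            % (perms, name, ttype, tclass))

# Denials from comment 4 (enforcing) and comment 5 (permissive), rebuilt.
ENFORCING = (avc('write', 'mcelog-client', 'var_run_t', 'sock_file')
             + avc('write', 'run', 'var_run_t', 'dir'))
PERMISSIVE = ENFORCING + ''.join(avc(*r) for r in [
    ('open', 'mcelog', 'cron_log_t', 'file'),
    ('unlink', 'mcelog-client', 'var_run_t', 'sock_file'),
    ('remove_name', 'mcelog-client', 'var_run_t', 'dir'),
    ('create', 'mcelog-client', 'var_run_t', 'sock_file'),
    ('add_name', 'mcelog-client', 'var_run_t', 'dir'),
    ('write open', 'mcelog.pid', 'var_run_t', 'file'),
    ('create', 'mcelog.pid', 'var_run_t', 'file'),
    ('getattr', 'mcelog.pid', 'var_run_t', 'file'),
    ('unlink', 'mcelog.pid', 'var_run_t', 'file'),
])

if __name__ == '__main__':
    hidden = only_in_permissive(ENFORCING, PERMISSIVE)
    for (src, tgt, cls), perms in sorted(hidden.items()):
        print('%s -> %s:%s { %s }' % (src, tgt, cls, ' '.join(sorted(perms))))
```

The grouped output is a triage summary of what the daemon needs; granting these permissions on the generic var_run_t type would also cover every other object carrying that label.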

Comment 6 Miroslav Grepl 2012-01-12 08:23:55 UTC
Milos,
could you add output of

# ls -lZ /var/run/mcelog*

Comment 7 Milos Malik 2012-01-12 09:25:10 UTC
# ls -Z /var/run/mcelog*
srwxr-xr-x. root root unconfined_u:object_r:var_run_t:s0 /var/run/mcelog-client
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 /var/run/mcelog.pid
#

Comment 8 Miroslav Grepl 2012-01-25 16:56:34 UTC
Fixed in selinux-policy-3.7.19-135.el6

Comment 11 errata-xmlrpc 2012-06-20 12:30:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

