Bug 784197 - targeted: cannot stop tog-pegasus service
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks:
Reported: 2012-01-24 03:47 EST by Milos Malik
Modified: 2013-01-07 22:31 EST

See Also:
Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-07 22:31:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
all AVCs produced by the automated test in permissive mode (5.37 KB, text/plain)
2012-01-24 05:03 EST, Milos Malik

Description Milos Malik 2012-01-24 03:47:33 EST
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-326.el5
selinux-policy-minimum-2.4.6-326.el5
selinux-policy-strict-2.4.6-326.el5
selinux-policy-devel-2.4.6-326.el5
selinux-policy-2.4.6-326.el5
selinux-policy-mls-2.4.6-326.el5

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# ps -efZ | grep pegasus
system_u:system_r:pegasus_t:SystemLow-SystemHigh cimsrvr 2650 1  0 09:13 ? 00:00:00 cimservermain --executor-socket 3
root:sysadm_r:sysadm_t:SystemLow-SystemHigh root 3336 2990  0 09:44 pts/0 00:00:00 grep pegasus
# run_init service tog-pegasus stop
Authenticating root.
Password: 
Shutting down CIM server:                                  [  OK  ]
# ps -efZ | grep pegasus
system_u:system_r:pegasus_t:SystemLow-SystemHigh cimsrvr 2650 1  0 09:13 ? 00:00:00 cimservermain --executor-socket 3
root:sysadm_r:sysadm_t:SystemLow-SystemHigh root 3359 2990  0 09:44 pts/0 00:00:00 grep cim
#
  
Actual results:
----
time->Tue Jan 24 09:39:24 2012
type=SYSCALL msg=audit(1327394364.929:86): arch=40000003 syscall=37 success=no exit=-1 a0=c4f a1=f a2=bd4e80 a3=bd5020 items=0 ppid=1 pid=3150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327394364.929:86): avc:  denied  { kill } for  pid=3150 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----

Expected results:
* no AVCs
Comment 2 Milos Malik 2012-01-24 04:15:30 EST
The automated test discovered 2 more AVCs. Could you fix them too?
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.272:48): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb52120 a2=31edac a3=bfb52516 items=0 ppid=3733 pid=3743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.272:48): avc:  denied  { connectto } for  pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.564:49): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc21740 a2=4bbdac a3=bfc21b36 items=0 ppid=3775 pid=3783 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="EnumInstances" exe="/usr/share/Pegasus/samples/bin/EnumInstances" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.564:49): avc:  denied  { connectto } for  pid=3783 comm="EnumInstances" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
Comment 3 Miroslav Grepl 2012-01-24 04:19:19 EST
What were you testing when this happened?
Comment 5 Milos Malik 2012-01-24 05:03:50 EST
Created attachment 557178 [details]
all AVCs produced by the automated test in permissive mode
Comment 6 Miroslav Grepl 2012-01-24 08:15:42 EST
I think some of these are test issues. Could you re-test it without the automatic test?
Comment 7 Milos Malik 2012-01-24 08:31:46 EST
The following AVCs appeared in permissive mode when I re-tested the scenario manually:
----
time->Tue Jan 24 14:27:35 2012
type=SYSCALL msg=audit(1327411655.655:45): arch=40000003 syscall=37 success=yes exit=0 a0=a5d a1=f a2=986e80 a3=987020 items=0 ppid=1 pid=2652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411655.655:45): avc:  denied  { kill } for  pid=2652 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----
time->Tue Jan 24 14:28:34 2012
type=SYSCALL msg=audit(1327411714.292:48): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb07140 a2=514dac a3=bfb07536 items=0 ppid=3521 pid=3531 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411714.292:48): avc:  denied  { connectto } for  pid=3531 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 14:28:45 2012
type=SYSCALL msg=audit(1327411725.335:49): arch=40000003 syscall=192 success=yes exit=11616256 a0=0 a1=66a0 a2=5 a3=802 items=0 ppid=2985 pid=3591 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411725.335:49): avc:  denied  { execute } for  pid=3591 comm="cimprovagt" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=hda3 ino=494737 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file
----
time->Tue Jan 24 14:29:22 2012
type=SYSCALL msg=audit(1327411762.085:52): arch=40000003 syscall=37 success=yes exit=0 a0=baa a1=f a2=599e80 a3=59a020 items=0 ppid=1 pid=2985 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411762.085:52): avc:  denied  { kill } for  pid=2985 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----
Comment 8 Miroslav Grepl 2012-01-24 08:36:01 EST
Yes, these need to be fixed. We have them in RHEL6/Fedora.
Comment 9 Miroslav Grepl 2012-01-24 09:08:15 EST
Let's move it to 5.9. This happens only on MLS machines where pegasus is not so important.
Comment 11 RHEL Product and Program Management 2012-04-02 07:20:47 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 16 Miroslav Grepl 2012-07-30 02:46:03 EDT
Fixed in selinux-policy-2.4.6-330.el5
Comment 17 Milos Malik 2012-08-03 04:30:06 EDT
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-330.el5
selinux-policy-minimum-2.4.6-330.el5
selinux-policy-strict-2.4.6-330.el5
selinux-policy-targeted-2.4.6-330.el5
selinux-policy-mls-2.4.6-330.el5
selinux-policy-devel-2.4.6-330.el5
#

The automated test produced the following AVC on an MLS machine in enforcing mode:

----
type=PATH msg=audit(08/03/2012 10:24:01.419:181) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0 
type=SOCKETCALL msg=audit(08/03/2012 10:24:01.419:181) : nargs=3 a0=5 a1=bfb2ddc6 a2=6e 
type=SOCKADDR msg=audit(08/03/2012 10:24:01.419:181) : saddr=local /var/run/tog-pegasus/cimxml.socket 
type=SYSCALL msg=audit(08/03/2012 10:24:01.419:181) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfb2d9d0 a2=316dac a3=bfb2ddc6 items=1 ppid=6130 pid=6138 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=EnumInstances exe=/usr/share/Pegasus/samples/bin/EnumInstances subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:24:01.419:181) : avc:  denied  { connectto } for  pid=6138 comm=EnumInstances path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket 
----
Comment 18 Milos Malik 2012-08-03 04:37:22 EDT
The automated test produced the same AVC on an MLS machine in permissive mode:

----
type=PATH msg=audit(08/03/2012 10:31:22.598:217) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0 
type=SOCKETCALL msg=audit(08/03/2012 10:31:22.598:217) : nargs=3 a0=5 a1=bfc70ca6 a2=6e 
type=SOCKADDR msg=audit(08/03/2012 10:31:22.598:217) : saddr=local /var/run/tog-pegasus/cimxml.socket 
type=SYSCALL msg=audit(08/03/2012 10:31:22.598:217) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfc708b0 a2=43bdac a3=bfc70ca6 items=1 ppid=8068 pid=8078 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=cimmof exe=/usr/bin/cimmof subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:22.598:217) : avc:  denied  { connectto } for  pid=8078 comm=cimmof path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket 
----

Other AVCs are probably leaked file descriptors:

----
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=0 name=/usr/sbin/open_init_pty inode=605144 dev=03:03 mode=file,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 
type=CWD msg=audit(08/03/2012 10:31:29.947:224) :  cwd=/ 
type=EXECVE msg=audit(08/03/2012 10:31:29.947:224) : argc=4 a0=run_init a1=service a2=tog-pegasus a3=status 
type=SYSCALL msg=audit(08/03/2012 10:31:29.947:224) : arch=i386 syscall=execve success=yes exit=0 a0=fc93f5 a1=bf84ca34 a2=bf84ca48 a3=fc93c5 items=2 ppid=8654 pid=8656 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=5 comm=open_init_pty exe=/usr/sbin/open_init_pty subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc:  denied  { write } for  pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc:  denied  { read } for  pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
----
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=0 name=/usr/sbin/cimserver inode=66117 dev=03:03 mode=file,755 ouid=root ogid=pegasus rdev=00:00 obj=system_u:object_r:pegasus_exec_t:s0 
type=CWD msg=audit(08/03/2012 10:31:30.643:227) :  cwd=/ 
type=EXECVE msg=audit(08/03/2012 10:31:30.643:227) : argc=1 a0=/usr/sbin/cimserver 
type=SYSCALL msg=audit(08/03/2012 10:31:30.643:227) : arch=i386 syscall=execve success=yes exit=0 a0=97ffdd0 a1=97ffd30 a2=98001e8 a3=0 items=2 ppid=8698 pid=8704 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=5 comm=cimserver exe=/usr/sbin/cimserver subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { write } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { read } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
----
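Added example, not part of this bug report or of the selinux-policy project: a small Python triage script that reads AVC records in both shapes quoted in this bug (the raw audit.log form with quoted values seen in the description and comment 7, and the interpreted form that `ausearch -i` prints, seen in comments 17 and 18), reduces them to distinct (source type, target type, class, permission) tuples, and flags the pipe denials that comment 18 attributes to leaked file descriptors. The sample lines are constructed from the records quoted above; the leaked-descriptor heuristic is an assumption of the example, encoding comment 18's observation rather than anything the policy itself states.

```python
"""Triage helper: summarise SELinux AVC denials from audit output.

Handles both record shapes seen in this bug: the raw audit.log form
(msg=audit(1327394364.929:86): ..., quoted values) and the interpreted form
that `ausearch -i` prints (msg=audit(08/03/2012 10:24:01.419:181) : ...,
unquoted values).
"""
import re
from collections import Counter

# Constructed sample input, modelled on the records quoted in this bug.
SAMPLE_AUDIT_LINES = """\
type=SYSCALL msg=audit(1327394364.929:86): arch=40000003 syscall=37 success=no exit=-1 pid=3150 comm="cimserver"
type=AVC msg=audit(1327394364.929:86): avc:  denied  { kill } for  pid=3150 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
type=AVC msg=audit(1327396342.272:48): avc:  denied  { connectto } for  pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(08/03/2012 10:24:01.419:181) : avc:  denied  { connectto } for  pid=6138 comm=EnumInstances path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { write } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { read } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file
"""

# Timestamp may be numeric (raw) or a date string (interpreted); the separator
# after it is ":" in the raw form and " : " in the interpreted form.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[^)]*)\)\s*:\s*avc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are double-quoted in the raw form, bare when interpreted
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "ts": m.group("ts"),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "fields": fields,
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def summarize(lines):
    """Count distinct (source type, target type, class, permission) denials."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def likely_leaked_fd(rec):
    """Heuristic (assumption drawn from comment 18): a denial on an anonymous
    pipe whose target context differs from the running domain usually means a
    descriptor was inherited across a domain transition, not that a policy rule
    is missing."""
    return (
        rec["tclass"] == "fifo_file"
        and rec["fields"].get("path", "").startswith("pipe:")
        and rec["stype"] != rec["ttype"]
    )


def main():
    lines = SAMPLE_AUDIT_LINES.splitlines()
    for (stype, ttype, tclass, perm), n in sorted(summarize(lines).items()):
        print(f"{n:3d}  {stype} -> {ttype}  {tclass}:{perm}")
    leaked = {r["fields"].get("path") for r in map(parse_avc, lines) if r and likely_leaked_fd(r)}
    print("possible leaked descriptors:", ", ".join(sorted(leaked)) or "none")


if __name__ == "__main__":
    main()
```

Run against a real log, the summary separates the two things a policy maintainer has to decide on here: denials that need an allow rule (`pegasus_t` sending signals to itself, `sysadm_t` connecting to the CIM server socket) from the pipe denials that point at a descriptor leaking across `run_init`/`service`, which a rule would only paper over.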
Comment 19 Daniel Walsh 2012-08-03 07:39:51 EDT
I don't believe cimserver would ever be allowed to run on an MLS box.  So this is pretty much not a bug.  I would like to know what fifo_file is being communicated between sysadm_t and cimserver?
Comment 20 Milos Malik 2012-08-03 07:51:16 EDT
Could we change the bug summary to address targeted policy instead of MLS? Because I see the /var/run/tog-pegasus/cimxml.socket issue in targeted policy too.
Comment 21 Milos Malik 2012-08-03 07:55:29 EDT
I saw the issue. It is fixed in selinux-policy-2.4.6-330.el5.
Comment 22 Daniel Walsh 2012-08-03 07:58:40 EDT
Ok, I was going to mention that this could be broken in targeted also.
Comment 25 errata-xmlrpc 2013-01-07 22:31:34 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html
