Bug 784197 - targeted: cannot stop tog-pegasus service
Summary: targeted: cannot stop tog-pegasus service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-24 08:47 UTC by Milos Malik
Modified: 2013-01-08 03:31 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-2.4.6-330.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 03:31:34 UTC


Attachments (Terms of Use)
all AVCs produced by the automated test in permissive mode (5.37 KB, text/plain)
2012-01-24 10:03 UTC, Milos Malik
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 08:27:19 UTC

Description Milos Malik 2012-01-24 08:47:33 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-326.el5
selinux-policy-minimum-2.4.6-326.el5
selinux-policy-strict-2.4.6-326.el5
selinux-policy-devel-2.4.6-326.el5
selinux-policy-2.4.6-326.el5
selinux-policy-mls-2.4.6-326.el5

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# ps -efZ | grep pegasus
system_u:system_r:pegasus_t:SystemLow-SystemHigh cimsrvr 2650 1  0 09:13 ? 00:00:00 cimservermain --executor-socket 3
root:sysadm_r:sysadm_t:SystemLow-SystemHigh root 3336 2990  0 09:44 pts/0 00:00:00 grep pegasus
# run_init service tog-pegasus stop
Authenticating root.
Password: 
Shutting down CIM server:                                  [  OK  ]
# ps -efZ | grep pegasus
system_u:system_r:pegasus_t:SystemLow-SystemHigh cimsrvr 2650 1  0 09:13 ? 00:00:00 cimservermain --executor-socket 3
root:sysadm_r:sysadm_t:SystemLow-SystemHigh root 3359 2990  0 09:44 pts/0 00:00:00 grep cim
#
  
Actual results:
----
time->Tue Jan 24 09:39:24 2012
type=SYSCALL msg=audit(1327394364.929:86): arch=40000003 syscall=37 success=no exit=-1 a0=c4f a1=f a2=bd4e80 a3=bd5020 items=0 ppid=1 pid=3150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327394364.929:86): avc:  denied  { kill } for  pid=3150 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----

Expected results:
* no AVCs

Comment 2 Milos Malik 2012-01-24 09:15:30 UTC
The automated test discovered 2 more AVCs. Could you fix them too?
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.272:48): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfb52120 a2=31edac a3=bfb52516 items=0 ppid=3733 pid=3743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.272:48): avc:  denied  { connectto } for  pid=3743 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 10:12:22 2012
type=SYSCALL msg=audit(1327396342.564:49): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfc21740 a2=4bbdac a3=bfc21b36 items=0 ppid=3775 pid=3783 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="EnumInstances" exe="/usr/share/Pegasus/samples/bin/EnumInstances" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327396342.564:49): avc:  denied  { connectto } for  pid=3783 comm="EnumInstances" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----

Comment 3 Miroslav Grepl 2012-01-24 09:19:19 UTC
What were you testing when this happened?

Comment 5 Milos Malik 2012-01-24 10:03:50 UTC
Created attachment 557178 [details]
all AVCs produced by the automated test in permissive mode

Comment 6 Miroslav Grepl 2012-01-24 13:15:42 UTC
I think some of these are test issues. Could you re-test it without the automatic test?

Comment 7 Milos Malik 2012-01-24 13:31:46 UTC
Following AVCs appeared in permissive mode when I re-tested the scenario manually:
----
time->Tue Jan 24 14:27:35 2012
type=SYSCALL msg=audit(1327411655.655:45): arch=40000003 syscall=37 success=yes exit=0 a0=a5d a1=f a2=986e80 a3=987020 items=0 ppid=1 pid=2652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411655.655:45): avc:  denied  { kill } for  pid=2652 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----
time->Tue Jan 24 14:28:34 2012
type=SYSCALL msg=audit(1327411714.292:48): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfb07140 a2=514dac a3=bfb07536 items=0 ppid=3521 pid=3531 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cimmof" exe="/usr/bin/cimmof" subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411714.292:48): avc:  denied  { connectto } for  pid=3531 comm="cimmof" path="/var/run/tog-pegasus/cimxml.socket" scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket
----
time->Tue Jan 24 14:28:45 2012
type=SYSCALL msg=audit(1327411725.335:49): arch=40000003 syscall=192 success=yes exit=11616256 a0=0 a1=66a0 a2=5 a3=802 items=0 ppid=2985 pid=3591 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimprovagt" exe="/usr/sbin/cimprovagt" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411725.335:49): avc:  denied  { execute } for  pid=3591 comm="cimprovagt" path="/usr/share/Pegasus/samples/lib/libSDKInstanceProvider.so" dev=hda3 ino=494737 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:object_r:lib_t:s0 tclass=file
----
time->Tue Jan 24 14:29:22 2012
type=SYSCALL msg=audit(1327411762.085:52): arch=40000003 syscall=37 success=yes exit=0 a0=baa a1=f a2=599e80 a3=59a020 items=0 ppid=1 pid=2985 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1327411762.085:52): avc:  denied  { kill } for  pid=2985 comm="cimserver" capability=5 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=capability
----

Comment 8 Miroslav Grepl 2012-01-24 13:36:01 UTC
Yes, these are need to be fixed. We have them in RHEL6/Fedora.

Comment 9 Miroslav Grepl 2012-01-24 14:08:15 UTC
Let's move it to 5.9. This happens only on MLS machines where pegasus is not so important.

Comment 11 RHEL Product and Program Management 2012-04-02 11:20:47 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 16 Miroslav Grepl 2012-07-30 06:46:03 UTC
Fixed in selinux-policy-2.4.6-330.el5

Comment 17 Milos Malik 2012-08-03 08:30:06 UTC
# rpm -qa selinux-policy\*
selinux-policy-2.4.6-330.el5
selinux-policy-minimum-2.4.6-330.el5
selinux-policy-strict-2.4.6-330.el5
selinux-policy-targeted-2.4.6-330.el5
selinux-policy-mls-2.4.6-330.el5
selinux-policy-devel-2.4.6-330.el5
#

The automated test produced following AVC on MLS machine in enforcing mode:

----
type=PATH msg=audit(08/03/2012 10:24:01.419:181) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0 
type=SOCKETCALL msg=audit(08/03/2012 10:24:01.419:181) : nargs=3 a0=5 a1=bfb2ddc6 a2=6e 
type=SOCKADDR msg=audit(08/03/2012 10:24:01.419:181) : saddr=local /var/run/tog-pegasus/cimxml.socket 
type=SYSCALL msg=audit(08/03/2012 10:24:01.419:181) : arch=i386 syscall=socketcall(connect) success=no exit=-13(Permission denied) a0=3 a1=bfb2d9d0 a2=316dac a3=bfb2ddc6 items=1 ppid=6130 pid=6138 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=EnumInstances exe=/usr/share/Pegasus/samples/bin/EnumInstances subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:24:01.419:181) : avc:  denied  { connectto } for  pid=6138 comm=EnumInstances path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket 
----

Comment 18 Milos Malik 2012-08-03 08:37:22 UTC
The automated test produced the same AVC on MLS machine in permissive mode:

----
type=PATH msg=audit(08/03/2012 10:31:22.598:217) : item=0 name=(null) inode=100451 dev=03:03 mode=socket,777 ouid=cimsrvr ogid=cimsrvr rdev=00:00 obj=system_u:object_r:pegasus_var_run_t:s0 
type=SOCKETCALL msg=audit(08/03/2012 10:31:22.598:217) : nargs=3 a0=5 a1=bfc70ca6 a2=6e 
type=SOCKADDR msg=audit(08/03/2012 10:31:22.598:217) : saddr=local /var/run/tog-pegasus/cimxml.socket 
type=SYSCALL msg=audit(08/03/2012 10:31:22.598:217) : arch=i386 syscall=socketcall(connect) success=yes exit=0 a0=3 a1=bfc708b0 a2=43bdac a3=bfc70ca6 items=1 ppid=8068 pid=8078 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=5 comm=cimmof exe=/usr/bin/cimmof subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:22.598:217) : avc:  denied  { connectto } for  pid=8078 comm=cimmof path=/var/run/tog-pegasus/cimxml.socket scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tclass=unix_stream_socket 
----

Other AVCs are probably leaked file descriptors:

----
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/03/2012 10:31:29.947:224) : item=0 name=/usr/sbin/open_init_pty inode=605144 dev=03:03 mode=file,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 
type=CWD msg=audit(08/03/2012 10:31:29.947:224) :  cwd=/ 
type=EXECVE msg=audit(08/03/2012 10:31:29.947:224) : argc=4 a0=run_init a1=service a2=tog-pegasus a3=status 
type=SYSCALL msg=audit(08/03/2012 10:31:29.947:224) : arch=i386 syscall=execve success=yes exit=0 a0=fc93f5 a1=bf84ca34 a2=bf84ca48 a3=fc93c5 items=2 ppid=8654 pid=8656 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=5 comm=open_init_pty exe=/usr/sbin/open_init_pty subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc:  denied  { write } for  pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
type=AVC msg=audit(08/03/2012 10:31:29.947:224) : avc:  denied  { read } for  pid=8656 comm=open_init_pty path=pipe:[22399] dev=pipefs ino=22399 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
----
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=1 name=(null) inode=559593 dev=03:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(08/03/2012 10:31:30.643:227) : item=0 name=/usr/sbin/cimserver inode=66117 dev=03:03 mode=file,755 ouid=root ogid=pegasus rdev=00:00 obj=system_u:object_r:pegasus_exec_t:s0 
type=CWD msg=audit(08/03/2012 10:31:30.643:227) :  cwd=/ 
type=EXECVE msg=audit(08/03/2012 10:31:30.643:227) : argc=1 a0=/usr/sbin/cimserver 
type=SYSCALL msg=audit(08/03/2012 10:31:30.643:227) : arch=i386 syscall=execve success=yes exit=0 a0=97ffdd0 a1=97ffd30 a2=98001e8 a3=0 items=2 ppid=8698 pid=8704 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=5 comm=cimserver exe=/usr/sbin/cimserver subj=system_u:system_r:pegasus_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { write } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
type=AVC msg=audit(08/03/2012 10:31:30.643:227) : avc:  denied  { read } for  pid=8704 comm=cimserver path=pipe:[22468] dev=pipefs ino=22468 scontext=system_u:system_r:pegasus_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=fifo_file 
----

Comment 19 Daniel Walsh 2012-08-03 11:39:51 UTC
I don't believe cimserver would ever be allowed to run on an MLS box.  So this is pretty much not a bug.  I would like to know what fifo_file is being communicated between sysadm_t and cimserver?

Comment 20 Milos Malik 2012-08-03 11:51:16 UTC
Could we change the bug summary to address targeted policy instead of MLS ? Because I see the /var/run/tog-pegasus/cimxml.socket issue in targeted policy too.

Comment 21 Milos Malik 2012-08-03 11:55:29 UTC
I saw the issue. It is fixed in selinux-policy-2.4.6-330.el5.

Comment 22 Daniel Walsh 2012-08-03 11:58:40 UTC
Ok, I was going to mention that this could be broken in targeted also.

Comment 25 errata-xmlrpc 2013-01-08 03:31:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0060.html


Note You need to log in before you can comment on or make changes to this bug.