Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-doc-3.7.19-143.el6.noarch selinux-policy-3.7.19-143.el6.noarch selinux-policy-mls-3.7.19-143.el6.noarch selinux-policy-minimum-3.7.19-143.el6.noarch selinux-policy-targeted-3.7.19-143.el6.noarch How reproducible: always Steps to Reproduce: # run_init service bcfg2-server status Authenticating root. Password: bcfg2-server is not running [FAILED] # run_init service bcfg2-server start Authenticating root. Password: Starting Configuration Management Server: bcfg2-server [ OK ] # run_init service bcfg2-server status Authenticating root. Password: bcfg2-server (pid 5647) is running... # ps -efZ | grep bcfg2-server system_u:system_r:initrc_t:s0 root 5647 1 0 14:38 ? 00:00:00 /usr/bin/python /usr/sbin/bcfg2-server -D /var/run/bcfg2-server.pid unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5667 5574 0 14:38 pts/0 00:00:00 grep bcfg2-server # Actual results: * bcfg2-server runs as initrc_t Expected results: * bcfg2-server runs in its own SELinux domain
Created attachment 573381 [details] Initial policy developed on Fedora Please untar and run shell script, then test the policy and attach avc's. I have no idea how to set this up.
# rpm -qa selinux-policy\* selinux-policy-doc-3.7.19-143.el6.noarch selinux-policy-3.7.19-143.el6.noarch selinux-policy-mls-3.7.19-143.el6.noarch selinux-policy-minimum-3.7.19-143.el6.noarch selinux-policy-targeted-3.7.19-143.el6.noarch # sestatus SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted # service bcfg2-server start Starting Configuration Management Server: bcfg2-server [ OK ] # service bcfg2-server status bcfg2-server (pid 21355) is running... # service bcfg2-server stop Stopping Configuration Management Server: bcfg2-server [ OK ] # ausearch -m avc -m user_avc -m selinux_err -ts recent ---- time->Thu Mar 29 08:55:51 2012 type=SYSCALL msg=audit(1333004151.522:2212): arch=c000003e syscall=2 success=yes exit=5 a0=13be560 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004151.522:2212): avc: denied { write open } for pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" dev=sda3 ino=5244626 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file type=AVC msg=audit(1333004151.522:2212): avc: denied { create } for pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file type=AVC msg=audit(1333004151.522:2212): avc: denied { add_name } for pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir type=AVC msg=audit(1333004151.522:2212): avc: denied { write } for pid=21355 comm="bcfg2-server" name="run" dev=sda3 ino=5243215 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir ---- time->Thu Mar 29 08:55:51 2012 type=SYSCALL msg=audit(1333004151.522:2213): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff3c448620 a2=7fff3c448620 a3=0 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004151.522:2213): avc: denied { getattr } for pid=21355 comm="bcfg2-server" path="/var/run/bcfg2-server.pid" dev=sda3 ino=5244626 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file ---- time->Thu Mar 29 08:55:51 2012 type=SYSCALL msg=audit(1333004151.526:2214): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffff36777a0 a2=7ffff36777a0 a3=6 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004151.526:2214): avc: denied { getattr } for pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir ---- time->Thu Mar 29 08:55:51 2012 type=SYSCALL msg=audit(1333004151.660:2215): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff3c4472e0 a2=10 a3=7fff3c447168 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004151.660:2215): avc: denied { name_bind } for pid=21355 comm="bcfg2-server" src=6789 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket ---- time->Thu Mar 29 08:55:51 2012 type=SYSCALL msg=audit(1333004151.661:2216): arch=c000003e syscall=50 success=yes exit=0 a0=6 a1=5 a2=7f85199f5dc8 a3=10 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004151.661:2216): avc: denied { listen } for pid=21355 comm="bcfg2-server" laddr=10.34.1.190 lport=6789 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:system_r:bcfg2_t:s0 tclass=tcp_socket ---- time->Thu Mar 29 08:56:19 2012 type=SYSCALL msg=audit(1333004179.210:2218): arch=c000003e syscall=0 success=yes exit=96 a0=3 a1=247d000 a2=400 a3=800 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004179.210:2218): avc: denied { read } for pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir ---- time->Thu Mar 29 08:56:19 2012 type=SYSCALL msg=audit(1333004179.200:2217): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=541b a2=7ffff367776c a3=7ffff36774e0 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333004179.200:2217): avc: denied { ioctl } for pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir #
It seems that bcfg2-server or some library that is used by bcfg2-server starts gam_server. # ps -efZ | grep -e gam -e bcfg2 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21878 21173 0 09:38 pts/0 00:00:00 grep -e gam -e bcfg2 # run_init service bcfg2-server start Authenticating root. Password: Starting Configuration Management Server: bcfg2-server [ OK ] # ps -efZ | grep -e gam -e bcfg2 system_u:system_r:bcfg2_t:s0 root 21900 1 1 09:38 ? 00:00:00 /usr/bin/python /usr/sbin/bcfg2-server -D /var/run/bcfg2-server.pid system_u:system_r:bcfg2_t:s0 root 21902 1 0 09:38 ? 00:00:00 /usr/libexec/gam_server unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21910 21173 0 09:38 pts/0 00:00:00 grep -e gam -e bcfg2 # That's why gam_server is mentioned in AVCs in previous comment.
Could you look if there is an option to not use gam_server for bcfg2-server?
I adde some fixes which don't relate with gam_server. We need to look at it.
I didn't found any bcfg2-server option that would disable the use of gam_server. After issuing "mv /usr/libexec/gam_server /usr/libexec/gam_server.do_not_use" command bcfg2-server refuses to start.
Can you open a bug with bcfg2-server to use inotify and not gam_server. It will be very difficult to write policy to confine an app that uses gam_server, since any app can start it, and gam_server watched files everywhere.
Don't know who triggered it but here is another AVC: ---- time->Thu Mar 29 15:01:01 2012 type=SYSCALL msg=audit(1333026061.779:2361): arch=c000003e syscall=43 success=yes exit=7 a0=6 a1=7fff0956b950 a2=7fff0956b94c a3=1449c30 items=0 ppid=1 pid=22597 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=36 comm="bcfg2-server" exe="/usr/bin/python" subj=system_u:system_r:bcfg2_t:s0 key=(null) type=AVC msg=audit(1333026061.779:2361): avc: denied { accept } for pid=22597 comm="bcfg2-server" laddr=10.34.1.190 lport=6789 scontext=system_u:system_r:bcfg2_t:s0 tcontext=system_u:system_r:bcfg2_t:s0 tclass=tcp_socket ----
Previous AVC appears each hour, which means that it's triggered by bcfg2 cron job, which is in my setup executed each hour. If bcfg2-server is running you can use following command as reproducer: nc <hostname> 6789
I believe we will need to move it to RHEL6.4 and leave it as initrc_t for now. Milos did you open a bug?
*** Bug 805818 has been marked as a duplicate of this bug. ***
Here is the bug opened with bcfg2: https://bugzilla.redhat.com/show_bug.cgi?id=808045
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Added to selinux-policy-3.7.19-160.el6. Also as unconfined policy.
*** Bug 854615 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html