Bug 830822 - AVCs when running kdump (AVCs caused by ldconfig)
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka

Reported: 2012-06-11 09:27 EDT by Michal Trunecka
Modified: 2014-09-30 19:33 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:54:33 EDT
Type: Bug

Description Michal Trunecka 2012-06-11 09:27:03 EDT
Description of problem:
When running the test /CoreOS/selinux-policy/Regression/bz533007-unable-to-start-kdump-service, several AVCs showed up. The following AVCs showed up in permissive mode:

----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.504:1018): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=7fff49ad41b0 a2=90800 a3=0 items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.504:1018): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="ld.so.conf.d" dev="dm-1" ino=159183 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.505:1019): arch=c000003e syscall=4 success=yes exit=0 a0=1085df0 a1=7fff49ad4520 a2=7fff49ad4520 a3=5 items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.505:1019): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="lib" dev="dm-1" ino=158635 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=lnk_file
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.517:1020): arch=c000003e syscall=2 success=yes exit=3 a0=107cb60 a1=20241 a2=180 a3=4b9f5c items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { create } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { add_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { write } for  pid=11748 comm="ldconfig" name="etc" dev="dm-1" ino=158633 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.518:1021): arch=c000003e syscall=90 success=yes exit=0 a0=107cb60 a1=1a4 a2=91f a3=4b9f5c items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.518:1021): avc:  denied  { setattr } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
----
time->Mon Jun 11 09:08:16 2012
type=SYSCALL msg=audit(1339420096.519:1022): arch=c000003e syscall=82 success=yes exit=0 a0=107cb60 a1=7fff49ad45e0 a2=91f a3=4b9f5c items=0 ppid=8250 pid=11748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1339420096.519:1022): avc:  denied  { rename } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1339420096.519:1022): avc:  denied  { remove_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir



Version-Release number of selected component (if applicable):
kexec-tools-2.0.3-47.el7.x86_64
selinux-policy-3.10.0-128.el7.noarch

How reproducible:
run the test
/CoreOS/selinux-policy/Regression/bz533007-unable-to-start-kdump-service
  
Actual results:
AVCs

Expected results:
No AVCs

Additional info:

There are two related, but closed bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=819496
https://bugzilla.redhat.com/show_bug.cgi?id=800770
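
A triage helper for the denials listed above, added here as an example and not part of the original report or of selinux-policy: it groups AVC records by source type, target type and object class, so the pattern in this log (ldconfig_t acting on initrc_tmp_t objects) is visible at a glance. The function names are hypothetical; the sample records are copied from the log in this report, with the SYSCALL records omitted.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1339420096.504:1018): avc:  denied  { read } for  pid=11748 comm="ldconfig" name="ld.so.conf.d" dev="dm-1" ino=159183 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { create } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { add_name } for  pid=11748 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1339420096.517:1020): avc:  denied  { write } for  pid=11748 comm="ldconfig" name="etc" dev="dm-1" ino=158633 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1339420096.519:1022): avc:  denied  { rename } for  pid=11748 comm="ldconfig" name="ld.so.cache~" dev="dm-1" ino=159189 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
NAME_RE = re.compile(r'\bname="([^"]*)"')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_avcs(log_text):
    """Group denials by (source type, target type, class).

    Returns {key: {"perms": set, "names": set}} so a reviewer can see which
    domain touched which label, and through which object names.
    """
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, "----" separators, time-> lines
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        name = NAME_RE.search(line)
        if name:
            groups[key]["names"].add(name.group(1))
    return dict(groups)


def write_like(groups):
    """Keys whose denied permissions modify the target rather than read it."""
    modifying = {"write", "create", "add_name", "remove_name", "rename", "setattr", "unlink"}
    return sorted(k for k, v in groups.items() if v["perms"] & modifying)
```

The grouped output is a reading aid for deciding between a labeling problem and a policy gap; it is not a generated allow rule.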
Comment 1 Daniel Walsh 2012-06-11 10:21:18 EDT
This looks like either a labeling issue or a test issue.  You have ldconfig_t trying to write to a directory created by an initrc script?
Comment 2 Michal Trunecka 2012-06-11 11:21:12 EDT
These AVCs are caused just by running "service kdump start" with no special settings. All the target files and directories from the AVCs are temporary and don't exist afterwards.
Comment 3 Miroslav Grepl 2012-06-28 10:14:03 EDT
It has been fixed in the latest F17/F18 policy.

Fixed in selinux-policy-3.10.0-133.el7.noarch
Comment 5 Ludek Smid 2014-06-13 08:54:33 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.