Bug 840786 - tog-pegasus cannot be started; avc: denied { create } for pid=2520 comm="cimserver" name="cimxml.socket"
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tog-pegasus
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Vitezslav Crhonek
QA Contact: qe-baseos-daemons
Reported: 2012-07-17 04:18 EDT by Petr Sklenar
Modified: 2012-10-16 04:17 EDT (History)

Fixed In Version: tog-pegasus-2.11.1-9.el7
Doc Type: Bug Fix
Last Closed: 2012-07-31 08:55:38 EDT
Type: Bug
Description Petr Sklenar 2012-07-17 04:18:43 EDT
Description of problem:
tog-pegasus cannot be started

Version-Release number of selected component (if applicable):
tog-pegasus-2.11.1-6.el7.x86_64
selinux-policy-3.10.0-137.el7.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. service tog-pegasus start

Actual results:

# ausearch -m avc -ts recent
----
time->Tue Jul 17 08:05:19 2012
type=SYSCALL msg=audit(1342526719.558:585): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fcd988026c0 a2=6e a3=7fff8ea8dd68 items=0 ppid=2321 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526719.558:585): avc:  denied  { create } for  pid=2322 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:22 2012
type=SYSCALL msg=audit(1342526902.438:587): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7f75abf53ea0 a2=6e a3=7fffc7eb1f68 items=0 ppid=2500 pid=2501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526902.438:587): avc:  denied  { create } for  pid=2501 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:33 2012
type=SYSCALL msg=audit(1342526913.073:590): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7f3fffc60ec0 a2=6e a3=7fff9f1f03c8 items=0 ppid=2519 pid=2520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.073:590): avc:  denied  { create } for  pid=2520 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:33 2012
type=SYSCALL msg=audit(1342526913.074:591): arch=c000003e syscall=90 success=yes exit=0 a0=7f3ffafe1568 a1=1ff a2=7fff9f1f03cc a3=7fff9f1f0150 items=0 ppid=2519 pid=2520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.074:591): avc:  denied  { setattr } for  pid=2520 comm="cimserver" name="cimxml.socket" dev="dm-1" ino=1576667 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

# find / -mount -inum 1576667
/var/run/tog-pegasus/cimxml.socket

# ls -laZ /var/run/tog-pegasus/cimxml.socket
srwxrwxrwx. root root system_u:object_r:var_run_t:s0   /var/run/tog-pegasus/cimxml.socket

# rpm -q tog-pegasus selinux-policy
tog-pegasus-2.11.1-6.el7.x86_64
selinux-policy-3.10.0-137.el7.noarch

Expected results:
I can start tog-pegasus

Additional info:
Comment 1 Milos Malik 2012-07-17 16:59:01 EDT
Have you tried "restorecon -Rv /var/run/tog-pegasus" ?

# matchpathcon /var/run/tog-pegasus/cimxml.socket
/var/run/tog-pegasus/cimxml.socket	system_u:object_r:pegasus_var_run_t:s0

I believe that /var/run/tog-pegasus/cimxml.socket on your machine is mislabelled.
Comment 2 Petr Sklenar 2012-07-18 02:38:36 EDT
(In reply to comment #1)
> Have you tried "restorecon -Rv /var/run/tog-pegasus" ?
Hm, right you are.

But see what happens when I have a fresh machine, right after tog-pegasus installation. Then /var/run/tog-pegasus is empty.


[root@unused-4-205 ~]# ll /var/run/tog-pegasus
total 0

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service
Job failed. See system journal and 'systemctl status' for details.

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..
-rw-------. root root    system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock

[root@unused-4-205 ~]# setenforce 0

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service

[root@unused-4-205 ~]# service tog-pegasus stop
Redirecting to /bin/systemctl stop  tog-pegasus.service

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..
-rw-------. root root    system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock

[root@unused-4-205 ~]# restorecon -Rv /var/run/tog-pegasus
restorecon reset /run/tog-pegasus context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pegasus_var_run_t:s0

[root@unused-4-205 ~]# setenforce 1

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service

--- denials during the procedure above:
[root@unused-4-205 ~]# ausearch -m avc -ts recent
----
time->Wed Jul 18 07:31:35 2012
type=SYSCALL msg=audit(1342589495.843:346): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9fec34b9b0 a2=6e a3=7fff3d8072a8 items=0 ppid=1719 pid=1720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589495.843:346): avc:  denied  { create } for  pid=1720 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.730:349): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7f55fec83140 a2=6e a3=7fff091b08c8 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.730:349): avc:  denied  { create } for  pid=1738 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.733:350): arch=c000003e syscall=90 success=yes exit=0 a0=7f55f999e568 a1=1ff a2=7fff091b08cc a3=7fff091b0650 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.733:350): avc:  denied  { setattr } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:32:00 2012
type=SYSCALL msg=audit(1342589520.163:352): arch=c000003e syscall=87 success=yes exit=0 a0=7f55fec83142 a1=1 a2=0 a3=7fff091b10b0 items=0 ppid=1 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589520.163:352): avc:  denied  { unlink } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
Comment 3 Milos Malik 2012-07-18 03:03:23 EDT
You're right. If you run "service tog-pegasus start" immediately after installation of tog-pegasus package, the job fails and AVCs appear.

Now the question is who to blame for the AVCs:
1) post-install script of tog-pegasus package does not call restorecon on /var/run/tog-pegasus directory
2) selinux-policy does not contain a type_transition which labels the /var/run/tog-pegasus directory correctly when it is created

Hi Dan or Miroslav, what do you think about it?
Comment 4 Daniel Walsh 2012-07-19 11:47:22 EDT
Any idea who is creating the /var/run/tog-pegasus directory?
Comment 5 Daniel Walsh 2012-07-19 11:53:48 EDT
In the post-install script you need to add

install -d -m 1750 -o root -g pegasus /var/run/tog-pegasus
restorecon /var/run/tog-pegasus
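As an added example (not from this bug report or the tog-pegasus package), the check behind comment 1's matchpathcon comparison and comment 5's restorecon fix, written as a shell helper: it compares only the type component of the current and policy-expected contexts, because restorecon without -F resets the type but not the SELinux user (as the `unconfined_u` prefix surviving in comment 2's restorecon output shows), and it extracts the denied object and its type from one AVC record. The sample contexts and AVC line are constructed from the values shown in this report; the live `stat`/`matchpathcon` call at the end is commented out because it needs SELinux tools on the host.

```shell
#!/bin/sh
# Added example: decide whether a path needs restorecon by comparing the
# type field of its current context with what file_contexts expects.

# Extract the type (third colon-separated field) of a context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_relabel ACTUAL_CONTEXT EXPECTED_CONTEXT -> exit 0 if the type differs.
# The user component (unconfined_u vs system_u) is ignored on purpose:
# plain restorecon does not touch it, so it is not a mismatch worth acting on.
needs_relabel() {
    [ "$(selinux_type "$1")" != "$(selinux_type "$2")" ]
}

# avc_object AVC_LINE -> prints "tclass name tcontext_type" for one
# type=AVC record, i.e. which object was denied and what it is labelled as.
avc_object() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name") name = kv[2]
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            if (kv[1] == "tclass") tclass = kv[2]
        }
        gsub(/"/, "", name)
        print tclass, name, ttype
    }'
}

# Constructed sample values, copied from the ls -Z, matchpathcon and
# ausearch output in the report above.
ACTUAL='unconfined_u:object_r:var_run_t:s0'
EXPECTED='system_u:object_r:pegasus_var_run_t:s0'
AVC='type=AVC msg=audit(1342589495.843:346): avc:  denied  { create } for  pid=1720 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'

if needs_relabel "$ACTUAL" "$EXPECTED"; then
    echo "type mismatch: $(selinux_type "$ACTUAL") vs expected $(selinux_type "$EXPECTED"); run restorecon"
fi
avc_object "$AVC"

# Live use on a real host (not run here; requires SELinux userspace tools):
#   needs_relabel "$(stat -c %C /var/run/tog-pegasus)" \
#                 "$(matchpathcon -n /var/run/tog-pegasus)" \
#       && restorecon -Rv /var/run/tog-pegasus
```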
