Bug 840786 - tog-pegasus cannot be started; avc: denied { create } for pid=2520 comm="cimserver" name="cimxml.socket"
Summary: tog-pegasus cannot be started; avc: denied { create } for pid=2520 comm="c...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tog-pegasus
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Vitezslav Crhonek
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-07-17 08:18 UTC by Petr Sklenar
Modified: 2012-10-16 08:17 UTC (History)

Fixed In Version: tog-pegasus-2.11.1-9.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-31 12:55:38 UTC
Target Upstream Version:
Embargoed:

Description Petr Sklenar 2012-07-17 08:18:43 UTC
Description of problem:
tog-pegasus cannot be started

Version-Release number of selected component (if applicable):
tog-pegasus-2.11.1-6.el7.x86_64
selinux-policy-3.10.0-137.el7.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. service tog-pegasus start

  
Actual results:

# ausearch -m avc -ts recent
----
time->Tue Jul 17 08:05:19 2012
type=SYSCALL msg=audit(1342526719.558:585): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fcd988026c0 a2=6e a3=7fff8ea8dd68 items=0 ppid=2321 pid=2322 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526719.558:585): avc:  denied  { create } for  pid=2322 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:22 2012
type=SYSCALL msg=audit(1342526902.438:587): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7f75abf53ea0 a2=6e a3=7fffc7eb1f68 items=0 ppid=2500 pid=2501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526902.438:587): avc:  denied  { create } for  pid=2501 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:33 2012
type=SYSCALL msg=audit(1342526913.073:590): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7f3fffc60ec0 a2=6e a3=7fff9f1f03c8 items=0 ppid=2519 pid=2520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.073:590): avc:  denied  { create } for  pid=2520 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Tue Jul 17 08:08:33 2012
type=SYSCALL msg=audit(1342526913.074:591): arch=c000003e syscall=90 success=yes exit=0 a0=7f3ffafe1568 a1=1ff a2=7fff9f1f03cc a3=7fff9f1f0150 items=0 ppid=2519 pid=2520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342526913.074:591): avc:  denied  { setattr } for  pid=2520 comm="cimserver" name="cimxml.socket" dev="dm-1" ino=1576667 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

# find / -mount -inum 1576667
/var/run/tog-pegasus/cimxml.socket

# ls -laZ /var/run/tog-pegasus/cimxml.socket
srwxrwxrwx. root root system_u:object_r:var_run_t:s0   /var/run/tog-pegasus/cimxml.socket

# rpm -q tog-pegasus selinux-policy
tog-pegasus-2.11.1-6.el7.x86_64
selinux-policy-3.10.0-137.el7.noarch

Expected results:
I can start tog-pegasus

Additional info:

Comment 1 Milos Malik 2012-07-17 20:59:01 UTC
Have you tried "restorecon -Rv /var/run/tog-pegasus" ?

# matchpathcon /var/run/tog-pegasus/cimxml.socket
/var/run/tog-pegasus/cimxml.socket	system_u:object_r:pegasus_var_run_t:s0

I believe that /var/run/tog-pegasus/cimxml.socket on your machine is mislabelled.

Comment 2 Petr Sklenar 2012-07-18 06:38:36 UTC
(In reply to comment #1)
> Have you tried "restorecon -Rv /var/run/tog-pegasus" ?
hm right you are

but see what happens when I have fresh machine, right after tog-pegasus installation. Then /var/run/tog-pegasus is empty.


[root@unused-4-205 ~]# ll /var/run/tog-pegasus
total 0

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service
Job failed. See system journal and 'systemctl status' for details.

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..
-rw-------. root root    system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock

[root@unused-4-205 ~]# setenforce 0

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service

[root@unused-4-205 ~]# service tog-pegasus stop
Redirecting to /bin/systemctl stop  tog-pegasus.service

[root@unused-4-205 ~]# ls -laZ /var/run/tog-pegasus
drwxr-x--T. root pegasus unconfined_u:object_r:var_run_t:s0 .
drwxr-xr-x. root root    system_u:object_r:var_run_t:s0   ..
-rw-------. root root    system_u:object_r:pegasus_var_run_t:s0 cimserver_start.lock

[root@unused-4-205 ~]# restorecon -Rv /var/run/tog-pegasus
restorecon reset /run/tog-pegasus context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pegasus_var_run_t:s0

[root@unused-4-205 ~]# setenforce 1

[root@unused-4-205 ~]# service tog-pegasus start
Redirecting to /bin/systemctl start  tog-pegasus.service

--------------denials during ^this procedure:
[root@unused-4-205 ~]# ausearch -m avc -ts recent
----
time->Wed Jul 18 07:31:35 2012
type=SYSCALL msg=audit(1342589495.843:346): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7f9fec34b9b0 a2=6e a3=7fff3d8072a8 items=0 ppid=1719 pid=1720 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589495.843:346): avc:  denied  { create } for  pid=1720 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.730:349): arch=c000003e syscall=49 success=yes exit=0 a0=7 a1=7f55fec83140 a2=6e a3=7fff091b08c8 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.730:349): avc:  denied  { create } for  pid=1738 comm="cimserver" name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:31:57 2012
type=SYSCALL msg=audit(1342589517.733:350): arch=c000003e syscall=90 success=yes exit=0 a0=7f55f999e568 a1=1ff a2=7fff091b08cc a3=7fff091b0650 items=0 ppid=1737 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589517.733:350): avc:  denied  { setattr } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
time->Wed Jul 18 07:32:00 2012
type=SYSCALL msg=audit(1342589520.163:352): arch=c000003e syscall=87 success=yes exit=0 a0=7f55fec83142 a1=1 a2=0 a3=7fff091b10b0 items=0 ppid=1 pid=1738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimserver" exe="/usr/sbin/cimserver" subj=system_u:system_r:pegasus_t:s0 key=(null)
type=AVC msg=audit(1342589520.163:352): avc:  denied  { unlink } for  pid=1738 comm="cimserver" name="cimxml.socket" dev="tmpfs" ino=20768 scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file

Comment 3 Milos Malik 2012-07-18 07:03:23 UTC
You're right. If you run "service tog-pegasus start" immediately after installation of tog-pegasus package, the job fails and AVCs appear.

Now the question is who to blame for the AVCs:
1) post-install script of tog-pegasus package does not call restorecon on /var/run/tog-pegasus directory
2) selinux-policy does not contain a type_transition which labels the /var/run/tog-pegasus directory correctly when it is created

Hi Dan or Miroslav, what do you think about it?

Comment 4 Daniel Walsh 2012-07-19 15:47:22 UTC
Any idea who is creating the /var/run/tog-pegasus directory?

Comment 5 Daniel Walsh 2012-07-19 15:53:48 UTC
In post install script you need to add

install -d -m 1750 -o root -g pegasus /var/run/tog-pegasus
restorecon /var/run/tog-pegasus
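Comment 3 frames the question as mislabel (the directory inherited var_run_t from /var/run) versus policy gap, and comment 5 settles it with a restorecon in the post-install script. The added Python below, which is not part of the bug thread or the tog-pegasus package, automates that triage: it parses the AVC records quoted above (embedded as constructed sample input), looks up the path against an assumed file-context rule mirroring the `matchpathcon` output in comment 1, and reports whether a denial is a labelling problem fixable by `restorecon` or a genuine missing rule in selinux-policy. The `FILE_CONTEXTS` table and the `/var/run/tog-pegasus` directory argument are assumptions taken from the thread, not read from the live system.

```python
import re

# Constructed sample input: two AVC records copied from the bug description.
AVC_LINES = [
    'type=AVC msg=audit(1342526719.558:585): avc:  denied  { create } for  pid=2322 comm="cimserver" '
    'name="cimxml.socket" scontext=system_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
    'type=AVC msg=audit(1342526913.074:591): avc:  denied  { setattr } for  pid=2520 comm="cimserver" '
    'name="cimxml.socket" dev="dm-1" ino=1576667 scontext=system_u:system_r:pegasus_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file',
]

# Assumed file-context rule: the label matchpathcon reports for this path in comment 1.
FILE_CONTEXTS = [(r"/var/run/tog-pegasus(/.*)?", "pegasus_var_run_t")]

AVC_RE = re.compile(
    r"denied\s+\{ (?P<perms>[^}]+)\} .*?name=\"(?P<name>[^\"]+)\".*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Pull permission, object name, source/target SELinux types and class out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perm": m.group("perms").strip(),
        "name": m.group("name"),
        "stype": m.group("scontext").split(":")[2],   # user:role:TYPE:level
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def expected_type(path):
    """Type the assumed file-context rules assign to path (what restorecon would apply), or None."""
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return ftype
    return None


def diagnose(lines, directory):
    """Classify each denial as a mislabel (fix: restorecon) or a policy gap (fix: selinux-policy)."""
    findings = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        path = f"{directory}/{avc['name']}"
        want = expected_type(path)
        if want and want != avc["ttype"]:
            verdict = f"mislabel: {path} is {avc['ttype']}, policy expects {want}; run restorecon -Rv {directory}"
        else:
            verdict = f"policy gap: {avc['stype']} lacks {avc['perm']} on {avc['tclass']} labelled {avc['ttype']}"
        findings.append((avc["perm"], verdict))
    return findings
```

On a live host the `AVC_LINES` list would be replaced by the output of `ausearch -m avc -ts recent`, and `FILE_CONTEXTS` by a `matchpathcon` lookup.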

