Bug 855311 - AVCs when running tgtd test with disabled unconfined and unlabelednet
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2012-09-07 07:19 EDT by Michal Trunecka
Modified: 2014-09-30 19:33 EDT
Fixed In Version: selinux-policy-3.7.19-162.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:28:54 EST
Type: Bug

Description Michal Trunecka 2012-09-07 07:19:59 EDT
Description of problem:
Running tgtd daemon involves running tgtadm, which causes AVCs listed below with disabled unconfined and unlabeled modules. The test PASSed with no AVCs with both mentioned modules enabled.

----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.527:1115): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff4dc15e40 a2=6e a3=7fff4dc15ac0 items=0 ppid=1237 pid=1238 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.527:1115): avc:  denied  { write } for  pid=1238 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.531:1116): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffa64810a0 a2=6e a3=7fffa6480d20 items=0 ppid=1237 pid=1240 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.531:1116): avc:  denied  { write } for  pid=1240 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:33 2012
type=SYSCALL msg=audit(1347015813.535:1117): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fffe49483b0 a2=6e a3=7fffe4948030 items=0 ppid=1231 pid=1242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015813.535:1117): avc:  denied  { write } for  pid=1242 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:42 2012
type=SYSCALL msg=audit(1347015822.748:1119): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff27b8fb00 a2=6e a3=7fff27b8f780 items=0 ppid=1539 pid=1540 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { connectto } for  pid=1540 comm="tgtadm" path="/var/run/tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { write } for  pid=1540 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" dev=sda3 ino=27288 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
----
time->Fri Sep  7 13:03:45 2012
type=SYSCALL msg=audit(1347015825.861:1120): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fff5ed4c760 a2=6e a3=7fff5ed4c3e0 items=0 ppid=1635 pid=1636 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347015825.861:1120): avc:  denied  { connectto } for  pid=1636 comm="tgtadm" path="/var/run/tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=unix_stream_socket


Version-Release number of selected component (if applicable):
scsi-target-utils-1.0.24-2.el6.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch


How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. service tgtd start; service tgtd restart; service tgtd stop
  
Actual results:
AVCs and tgtd is not running

Expected results:
No AVCs and tgtd started.
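
A triage sketch for the audit records above, added here as an example and not part of the original report or of selinux-policy: it pairs each AVC denial with the SYSCALL record that shares its audit event serial number, then counts per (source type, target type, class) how often the access was actually refused and how often it was only logged. The sample input is abbreviated from events 1115 and 1119 in the report; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Abbreviated copies of audit events 1115 and 1119 from the report (unused fields trimmed).
SAMPLE = """\
type=SYSCALL msg=audit(1347015813.527:1115): arch=c000003e syscall=42 success=no exit=-13 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0
type=AVC msg=audit(1347015813.527:1115): avc:  denied  { write } for  pid=1238 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1347015822.748:1119): arch=c000003e syscall=42 success=yes exit=0 comm="tgtadm" exe="/usr/sbin/tgtadm" subj=unconfined_u:system_r:initrc_t:s0
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { connectto } for  pid=1540 comm="tgtadm" path="/var/run/tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1347015822.748:1119): avc:  denied  { write } for  pid=1540 comm="tgtadm" name="tgtd.ipc_abstract_namespace.0" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:tgtd_var_run_t:s0 tclass=sock_file
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
SUCCESS = re.compile(r"\bsuccess=(yes|no)\b")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class), pairing each
    with the SYSCALL record that shares its audit event serial number."""
    syscall_ok = {}   # serial -> True when the syscall returned success
    denials = []      # (serial, perms, source type, target type, class)
    for line in log_text.splitlines():
        rec = RECORD.match(line.strip())
        if not rec:
            continue  # separators such as "----" and "time->" lines
        rtype, serial, body = rec.groups()
        if rtype == "SYSCALL" and (ok := SUCCESS.search(body)):
            syscall_ok[serial] = ok.group(1) == "yes"
        elif rtype == "AVC" and (hit := DENIAL.search(body)):
            perms, sctx, tctx, tclass = hit.groups()
            denials.append((serial, perms.split(), selinux_type(sctx),
                            selinux_type(tctx), tclass))
    summary = defaultdict(lambda: {"perms": set(), "blocked": 0, "logged_only": 0})
    for serial, perms, src, tgt, tclass in denials:
        entry = summary[(src, tgt, tclass)]
        entry["perms"].update(perms)
        # success=no: access refused; success=yes: denial logged but not enforced (permissive).
        if serial in syscall_ok:
            entry["logged_only" if syscall_ok[serial] else "blocked"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, tclass), e in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt}:{tclass} {sorted(e['perms'])} blocked={e['blocked']} logged_only={e['logged_only']}")
```

The `connectto` denial only appears in events where the syscall succeeded: once the `write` on the socket file is refused, `connect()` fails before the second check is reached.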
Comment 5 errata-xmlrpc 2013-02-21 03:28:54 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
