Description of problem:
After a fresh boot, when openswan is started and suddenly stopped, an avc denial appears. If openswan was already started the issue cannot be reproduced.
It also appears with the automated test, when run manually after a fresh reboot.
/CoreOS/openswan/Regression/bz587669-selinux-read-access-on-home-dir
When planned in beaker the issue appears only sometimes.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-327.el5
selinux-policy-2.4.6-327.el5
openswan-2.6.32-4.el5

How reproducible:
always

Steps to Reproduce:
1. Reboot the test system
2. Start and suddenly stop openswan:
# _TEST_ST=`date "+%m/%d/%Y %T"`
# ausearch -m avc -ts $_TEST_ST -i
3. Check AVCs
# ausearch -m avc -ts $_TEST_ST -i
----
type=SYSCALL msg=audit(09/07/2012 13:44:32.327:16) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=2b87b2b9a338 a1=7fffa3c6aaf0 a2=7fffa3c6aaf0 a3=4000 items=0 ppid=2693 pid=2705 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=pluto exe=/usr/libexec/ipsec/pluto subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(09/07/2012 13:44:32.327:16) : avc: denied { search } for pid=2705 comm=pluto name=net dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir

Actual results:
avc denial

Expected results:
no avc denial
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
If the automated test is executed in the beaker environment then 2 AVCs appear. The first of them is already mentioned in comment#0:
----
time->Fri Sep 7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.242:20): arch=c0000032 syscall=1210 success=no exit=-13 a0=200000080018ddd0 a1=60000fffffc5a470 a2=0 a3=0 items=0 ppid=7289 pid=7290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1347011007.242:20): avc: denied { search } for pid=7290 comm="pluto" name="net" dev=proc ino=4026531979 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Fri Sep 7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.891:21): arch=c0000032 syscall=1026 success=yes exit=176 a0=6 a1=200000000007b0b8 a2=3ff a3=2000000000065180 items=0 ppid=7542 pid=7546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347011007.891:21): avc: denied { ptrace } for pid=7546 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=process
----
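To triage denials like the two above without hand-reading the records, the following added example (not from this bug report or from the selinux-policy package) parses AVC lines into source type, target type, class and permissions, renders the TE rule that audit2allow would propose, and flags permissions such as ptrace whose blanket allow is broader than the reporting process needs. The sample lines are constructed copies of the records in this comment; the BROAD_PERMS set is an assumed review heuristic, not policy from the page.

```python
import re

# Constructed sample: the two AVC records quoted in the comment above, one per line.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1347011007.242:20): avc: denied { search } for pid=7290 '
    'comm="pluto" name="net" dev=proc ino=4026531979 '
    'scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir',
    'type=AVC msg=audit(1347011007.891:21): avc: denied { ptrace } for pid=7546 '
    'comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 '
    'tclass=process',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic: permissions whose blanket allow grants far more than a tool such
# as ps reading /proc needs; a rule generated from them deserves review before loading.
BROAD_PERMS = {'ptrace', 'sys_admin', 'execmem', 'setenforce'}


def parse_avc(line):
    """Return perms, source/target types, class and comm of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; TE rules are written against the type.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return {'perms': m.group('perms').split(), 'source': stype, 'target': ttype,
            'tclass': fields['tclass'], 'comm': fields.get('comm')}


def allow_rule(d):
    """Render the denial as the TE rule audit2allow would propose for it."""
    return 'allow %s %s:%s { %s };' % (d['source'], d['target'], d['tclass'],
                                       ' '.join(d['perms']))


def triage(lines):
    """Parse every AVC line and pair it with a proposed rule and a review flag."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # SYSCALL records and separators carry no denial to parse
        d['rule'] = allow_rule(d)
        d['needs_review'] = bool(set(d['perms']) & BROAD_PERMS)
        out.append(d)
    return out


if __name__ == '__main__':
    for d in triage(SAMPLE_AVCS):
        print(('REVIEW ' if d['needs_review'] else '       ') + d['rule'])
```

The same parser handles the interpreted (`ausearch -i`) form in comment#0, where values are unquoted.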
Yes, "ps" causes "ptrace" on RHEL5.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0060.html