Bug 855324 - AVC denials for openswan when it is started and stopped quickly on freshly booted system
Summary: AVC denials for openswan when it is started and stopped quickly on freshly bo...
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.8
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
TreeView+ depends on / blocked
Reported: 2012-09-07 11:50 UTC by Patrik Kis
Modified: 2013-01-08 03:34 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-2.4.6-334.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-01-08 03:34:35 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0060 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-01-08 08:27:19 UTC

Description Patrik Kis 2012-09-07 11:50:06 UTC
Description of problem:
After a fresh boot when openswan is started and suddenly stopped an avc denial appears. If openswan was already started the issue cannot be reproduced.
It appears also with automated test, when run manually after a fresh reboot.
When planned in beaker the issue appears only sometimes.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Reboot the test system
2. Start and suddenly stop openswan:
# _TEST_ST=`date "+%m/%d/%Y %T"`
# ausearch -m avc -ts $_TEST_ST -i
3. Check AVCs
# ausearch -m avc -ts $_TEST_ST -i
type=SYSCALL msg=audit(09/07/2012 13:44:32.327:16) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=2b87b2b9a338 a1=7fffa3c6aaf0 a2=7fffa3c6aaf0 a3=4000 items=0 ppid=2693 pid=2705 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=pluto exe=/usr/libexec/ipsec/pluto subj=root:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(09/07/2012 13:44:32.327:16) : avc:  denied  { search } for  pid=2705 comm=pluto name=net dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir 

Actual results:
avc denial

Expected results:
no avc denial

Comment 1 RHEL Product and Program Management 2012-09-07 11:57:04 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Milos Malik 2012-09-07 12:38:03 UTC
If the automated test is executed in beaker environment then 2 AVCs appear. First of them is already mentioned in comment#0:
time->Fri Sep  7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.242:20): arch=c0000032 syscall=1210 success=no exit=-13 a0=200000080018ddd0 a1=60000fffffc5a470 a2=0 a3=0 items=0 ppid=7289 pid=7290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1347011007.242:20): avc:  denied  { search } for  pid=7290 comm="pluto" name="net" dev=proc ino=4026531979 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
time->Fri Sep  7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.891:21): arch=c0000032 syscall=1026 success=yes exit=176 a0=6 a1=200000000007b0b8 a2=3ff a3=2000000000065180 items=0 ppid=7542 pid=7546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347011007.891:21): avc:  denied  { ptrace } for  pid=7546 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=process

Comment 3 Miroslav Grepl 2012-09-11 08:25:35 UTC
Yes, "ps" causes "ptrace" on RHEL5.

Comment 8 errata-xmlrpc 2013-01-08 03:34:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.