Bug 855324 - AVC denials for openswan when it is started and stopped quickly on freshly booted system
AVC denials for openswan when it is started and stopped quickly on freshly bo...
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
high Severity high
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
Depends On:
  Show dependency treegraph
Reported: 2012-09-07 07:50 EDT by Patrik Kis
Modified: 2013-01-07 22:34 EST (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-334.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-01-07 22:34:35 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Patrik Kis 2012-09-07 07:50:06 EDT
Description of problem:
After a fresh boot when openswan is started and suddenly stopped an avc denial appears. If openswan was already started the issue cannot be reproduced.
It appears also with automated test, when run manually after a fresh reboot.
When planned in beaker the issue appears only sometimes.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Reboot the test system
2. Start and suddenly stop openswan:
# _TEST_ST=`date "+%m/%d/%Y %T"`
# ausearch -m avc -ts $_TEST_ST -i
3. Check AVCs
# ausearch -m avc -ts $_TEST_ST -i
type=SYSCALL msg=audit(09/07/2012 13:44:32.327:16) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=2b87b2b9a338 a1=7fffa3c6aaf0 a2=7fffa3c6aaf0 a3=4000 items=0 ppid=2693 pid=2705 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=pluto exe=/usr/libexec/ipsec/pluto subj=root:system_r:ipsec_t:s0 key=(null) 
type=AVC msg=audit(09/07/2012 13:44:32.327:16) : avc:  denied  { search } for  pid=2705 comm=pluto name=net dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir 

Actual results:
avc denial

Expected results:
no avc denial
Comment 1 RHEL Product and Program Management 2012-09-07 07:57:04 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 2 Milos Malik 2012-09-07 08:38:03 EDT
If the automated test is executed in beaker environment then 2 AVCs appear. First of them is already mentioned in comment#0:
time->Fri Sep  7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.242:20): arch=c0000032 syscall=1210 success=no exit=-13 a0=200000080018ddd0 a1=60000fffffc5a470 a2=0 a3=0 items=0 ppid=7289 pid=7290 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1347011007.242:20): avc:  denied  { search } for  pid=7290 comm="pluto" name="net" dev=proc ino=4026531979 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
time->Fri Sep  7 05:43:27 2012
type=SYSCALL msg=audit(1347011007.891:21): arch=c0000032 syscall=1026 success=yes exit=176 a0=6 a1=200000000007b0b8 a2=3ff a3=2000000000065180 items=0 ppid=7542 pid=7546 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347011007.891:21): avc:  denied  { ptrace } for  pid=7546 comm="ps" scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=root:system_r:ipsec_t:s0 tclass=process
Comment 3 Miroslav Grepl 2012-09-11 04:25:35 EDT
Yes, "ps" causes "ptrace" on RHEL5.
Comment 8 errata-xmlrpc 2013-01-07 22:34:35 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.