Bug 856095 - AVCs when running postgres test with disabled unconfined and unlabelednet
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware/OS: All Linux
Priority: unspecified
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2012-09-11 04:11 EDT by Michal Trunecka
Modified: 2014-09-30 19:33 EDT
Doc Type: Bug Fix
Last Closed: 2013-01-04 02:47:59 EST
Type: Bug
Description Michal Trunecka 2012-09-11 04:11:15 EDT
Description of problem:
selinux blocked postgres during automated test when unconfined and unlabelednet selinux modules were disabled. The test passes with no AVCs with both modules enabled. AVCs reported in permissive mode are listed below. All the AVCs are probably caused by commands in init.d/postgres script in initdb function.

----
time->Tue Sep 11 09:47:54 2012
type=PATH msg=audit(1347349674.074:3754): item=0 name="/var/lib/pgsql/data" inode=399673 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0
type=CWD msg=audit(1347349674.074:3754):  cwd="/"
type=SYSCALL msg=audit(1347349674.074:3754): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=23786e0 a2=1a a3=1a items=1 ppid=31088 pid=31096 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chown" exe="/bin/chown" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349674.074:3754): avc:  denied  { setattr } for  pid=31096 comm="chown" name="data" dev=sda3 ino=399673 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
----
time->Tue Sep 11 09:47:54 2012
type=PATH msg=audit(1347349674.072:3753): item=1 name="data" inode=399673 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0
type=PATH msg=audit(1347349674.072:3753): item=0 name="/var/lib/pgsql" inode=399647 dev=08:03 mode=040700 ouid=26 ogid=26 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
type=CWD msg=audit(1347349674.072:3753):  cwd="/var/lib/pgsql"
type=SYSCALL msg=audit(1347349674.072:3753): arch=c000003e syscall=83 success=yes exit=0 a0=7fff22efbf67 a1=1ed a2=7fff22efbf67 a3=a items=2 ppid=31088 pid=31095 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349674.072:3753): avc:  denied  { create } for  pid=31095 comm="mkdir" name="data" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
----
time->Tue Sep 11 09:48:05 2012
type=PATH msg=audit(1347349685.552:3759): item=1 name="/var/lib/pgsql/data/pg_log" inode=405609 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=PATH msg=audit(1347349685.552:3759): item=0 name="/var/lib/pgsql/data/" inode=399673 dev=08:03 mode=040700 ouid=26 ogid=26 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=CWD msg=audit(1347349685.552:3759):  cwd="/"
type=SYSCALL msg=audit(1347349685.552:3759): arch=c000003e syscall=83 success=yes exit=0 a0=7ffffbfd7f51 a1=1ff a2=7ffffbfd7f51 a3=a items=2 ppid=31088 pid=31171 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/bin/mkdir" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349685.552:3759): avc:  denied  { create } for  pid=31171 comm="mkdir" name="pg_log" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir
----
time->Tue Sep 11 09:48:05 2012
type=PATH msg=audit(1347349685.563:3760): item=0 name="/var/lib/pgsql/data/pg_log" inode=405609 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=CWD msg=audit(1347349685.563:3760):  cwd="/"
type=SYSCALL msg=audit(1347349685.563:3760): arch=c000003e syscall=260 success=yes exit=0 a0=ffffffffffffff9c a1=1c466e0 a2=1a a3=1a items=1 ppid=31088 pid=31172 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="chown" exe="/bin/chown" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
type=AVC msg=audit(1347349685.563:3760): avc:  denied  { setattr } for  pid=31172 comm="chown" name="pg_log" dev=sda3 ino=405609 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir


Version-Release number of selected component (if applicable):
postgresql-contrib-8.4.12-1.el6_2.x86_64
postgresql-libs-8.4.12-1.el6_2.x86_64
postgresql-server-8.4.12-1.el6_2.x86_64
postgresql-8.4.12-1.el6_2.x86_64
selinux-policy-3.7.19-161.el6.noarch
selinux-policy-minimum-3.7.19-161.el6.noarch
selinux-policy-targeted-3.7.19-161.el6.noarch
selinux-policy-mls-3.7.19-161.el6.noarch
selinux-policy-doc-3.7.19-161.el6.noarch


How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. service postgres initdb

Actual results:
postgresql is blocked

Expected results:
postgresql running with no AVCs
Comment 2 Daniel Walsh 2012-09-18 11:57:11 EDT
Is /var/lib/pgsql/data and /var/lib/pgsql in the postgresql rpm payload?  If not that is where the bug belongs.

What do

matchpathcon /var/lib/pgsql/data/
matchpathcon /var/lib/pgsql

show?
Comment 3 Michal Trunecka 2012-09-19 02:31:20 EDT
# matchpathcon /var/lib/pgsql/data/
/var/lib/pgsql/data	system_u:object_r:postgresql_db_t:s0
# matchpathcon /var/lib/pgsql
/var/lib/pgsql	system_u:object_r:var_lib_t:s0

Both are from the postgresql-server rpm, which I believe is correct.
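Added example, not part of the bug report and not the code of audit2allow or the selinux-policy package: a Python script that triages the AVC records quoted in the description and the matchpathcon output from comment 3. Both are embedded as constructed sample data (the records are shortened copies of those above; EXPECTED_LABELS is a hand-written table standing in for running matchpathcon). It groups each denial by source type, target type and object class into the allow rule that would silence it, which is what audit2allow does in outline, and it flags any PATH record whose on-disk type differs from the type the file-context policy expects. The regexes and function names are this example's own.

```python
"""Summarise SELinux AVC denials and cross-check on-disk labels (added example)."""
import re
from collections import defaultdict

# Constructed sample: AVC and PATH records copied from the bug description.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1347349674.074:3754): item=0 name="/var/lib/pgsql/data" inode=399673 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0
type=AVC msg=audit(1347349674.074:3754): avc:  denied  { setattr } for  pid=31096 comm="chown" name="data" dev=sda3 ino=399673 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1347349674.072:3753): item=1 name="data" inode=399673 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0
type=PATH msg=audit(1347349674.072:3753): item=0 name="/var/lib/pgsql" inode=399647 dev=08:03 mode=040700 ouid=26 ogid=26 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
type=AVC msg=audit(1347349674.072:3753): avc:  denied  { create } for  pid=31095 comm="mkdir" name="data" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
type=PATH msg=audit(1347349685.552:3759): item=1 name="/var/lib/pgsql/data/pg_log" inode=405609 dev=08:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:postgresql_db_t:s0
type=AVC msg=audit(1347349685.552:3759): avc:  denied  { create } for  pid=31171 comm="mkdir" name="pg_log" scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir
type=AVC msg=audit(1347349685.563:3760): avc:  denied  { setattr } for  pid=31172 comm="chown" name="pg_log" dev=sda3 ino=405609 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:object_r:postgresql_db_t:s0 tclass=dir
"""

# Constructed table: the types matchpathcon printed in comment 3, keyed by path.
# In real use this would come from `matchpathcon <path>` or `selabel_lookup`.
EXPECTED_LABELS = {
    "/var/lib/pgsql": "var_lib_t",
    "/var/lib/pgsql/data": "postgresql_db_t",
}

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'type=PATH .*?name="(?P<name>[^"]+)".*? obj=(?P<obj>\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules


def allow_rules(text):
    """Render grouped denials as the allow rules that would silence them."""
    out = []
    for (src, tgt, cls), perms in sorted(parse_denials(text).items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def label_mismatches(text, expected):
    """Map absolute paths whose recorded on-disk type != expected type to (actual, expected)."""
    found = {}
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if m and m["name"].startswith("/"):
            path = m["name"].rstrip("/")
            if path in expected and type_of(m["obj"]) != expected[path]:
                found[path] = (type_of(m["obj"]), expected[path])
    return found


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for path, (actual, want) in label_mismatches(SAMPLE_AUDIT, EXPECTED_LABELS).items():
        print(f"{path}: labelled {actual} on disk, policy expects {want}")
```

The generated rules are a triage aid, not the fix: an `allow initrc_t var_lib_t:dir { create setattr }` rule would let every init script write anywhere under /var/lib, which is far broader than the single data directory the postgresql initscript needs. The mismatch report is the more useful output here, since it shows that /var/lib/pgsql/data was created as var_lib_t (inherited from its parent) even though the file-context policy expects postgresql_db_t, which is the condition to fix by labelling rather than by widening initrc_t.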
Comment 4 Miroslav Grepl 2012-10-09 08:32:14 EDT
Are you still getting this one?
Comment 5 RHEL Product and Program Management 2012-12-14 03:17:41 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
