Bug 913673 – cgrulesengd has "AVC" record in /var/log/audit/audit.log

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 913673 - cgrulesengd has "AVC" record in /var/log/audit/audit.log

Summary:	cgrulesengd has "AVC" record in /var/log/audit/audit.log

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	All Linux

Priority	high Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged, ZStream

Depends On:
Blocks:	913537 915519 917966
	Show dependency tree / graph

Reported:	2013-02-21 13:52 EST by Brenton Leanhardt
Modified:	2013-11-21 05:16 EST (History)
CC List:	12 users (show)

See Also:
Fixed In Version:	selinux-policy-3.7.19-196.el6
Doc Type:	Bug Fix
Doc Text:	Previously, the cgrulesengd daemon attempted to use inotifyfs scripts for monitoring filesystem changes. Due to a missing rule, the SELinux subsystem denied access to inotifyfs. This update adds an allow rule to selinux-policy and cgrulesengd can now use inotifyfs.
Story Points:	---
Clone Of:	906684
Environment:
Last Closed:	2013-11-21 05:16:29 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1598	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 16:39:24 EST

Groups: None (edit)

Comment 2 Mark Wielaard 2013-02-21 17:28:07 EST

I just upgraded to 6.4 and I am seeing a lot of audit messages:

$ sudo ls -lah /var/log/audit
total 25M
drwxr-x---.  2 root root 4.0K Feb 21 23:16 .
drwxr-xr-x. 18 root root 4.0K Feb 21 22:55 ..
-rw-------.  1 root root 549K Feb 21 23:16 audit.log
-r--------.  1 root root 6.1M Feb 21 23:16 audit.log.1
-r--------.  1 root root 6.1M Feb 21 23:16 audit.log.2
-r--------.  1 root root 6.1M Feb 21 23:15 audit.log.3
-r--------.  1 root root 6.1M Feb 21 23:14 audit.log.4

They all look similar:

type=AVC msg=audit(1361485377.617:6769463): avc:  denied  { read } for  pid=2405 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1361485377.617:6769463): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fffef90a3f0 a2=400 a3=0 items=0 ppid=1 pid=2405 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=system_u:system_r:cgred_t:s0 key=(null)

Comment 3 Miroslav Grepl 2013-02-22 03:23:12 EST

I added a fix to RHEL6.5. I guess we need to get it to RHEL6.4, rght?

Comment 4 Mark Wielaard 2013-02-22 05:49:06 EST

BTW. As a quick workaround you can feed the log messages to audit2allow -R -M cgrulesengd. This will generate a cgrulesengd.pp that can be added with semodule -i cgrulesengd.pp. The cgrulesengd.te file will show the policy generated:

policy_module(cgrulesengd, 1.0)

require {
	type cgred_t;
}

#============= cgred_t ==============
fs_list_inotifyfs(cgred_t)

Comment 5 Milos Malik 2013-02-22 06:03:20 EST

I know that cgrulesengd can use inotifyfs,

# strings `which cgrulesengd` | grep inotify
Error intializing inotify subsystem
inotify_init
inotify_add_watch
#

but I'm unable to persuade cgrulesengd to actually use it, therefore no AVCs appeared on my machine. Could you help me?

Comment 6 Brenton Leanhardt 2013-02-22 09:00:21 EST

(In reply to comment #3)
> I added a fix to RHEL6.5. I guess we need to get it to RHEL6.4, rght?

Yes, we would like this bug Z-Streamed for RHEL 6.4.

Comment 7 Milos Malik 2013-02-26 10:23:20 EST

I don't see any AVCs when the policy module (comment#4) is loaded.

Comment 11 errata-xmlrpc 2013-11-21 05:16:29 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.