Bug 913673 - cgrulesengd has "AVC" record in /var/log/audit/audit.log
Summary: cgrulesengd has "AVC" record in /var/log/audit/audit.log
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 913537 915519 917966
Reported: 2013-02-21 18:52 UTC by Brenton Leanhardt
Modified: 2013-11-21 10:16 UTC (History)

Fixed In Version: selinux-policy-3.7.19-196.el6
Doc Type: Bug Fix
Doc Text:
Previously, the cgrulesengd daemon attempted to use inotifyfs scripts for monitoring filesystem changes. Due to a missing rule, the SELinux subsystem denied access to inotifyfs. This update adds an allow rule to selinux-policy and cgrulesengd can now use inotifyfs.
Clone Of: 906684
Environment:
Last Closed: 2013-11-21 10:16:29 UTC
Target Upstream Version:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Comment 2 Mark Wielaard 2013-02-21 22:28:07 UTC
I just upgraded to 6.4 and I am seeing a lot of audit messages:

$ sudo ls -lah /var/log/audit
total 25M
drwxr-x---.  2 root root 4.0K Feb 21 23:16 .
drwxr-xr-x. 18 root root 4.0K Feb 21 22:55 ..
-rw-------.  1 root root 549K Feb 21 23:16 audit.log
-r--------.  1 root root 6.1M Feb 21 23:16 audit.log.1
-r--------.  1 root root 6.1M Feb 21 23:16 audit.log.2
-r--------.  1 root root 6.1M Feb 21 23:15 audit.log.3
-r--------.  1 root root 6.1M Feb 21 23:14 audit.log.4

They all look similar:

type=AVC msg=audit(1361485377.617:6769463): avc:  denied  { read } for  pid=2405 comm="cgrulesengd" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1361485377.617:6769463): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7fffef90a3f0 a2=400 a3=0 items=0 ppid=1 pid=2405 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cgrulesengd" exe="/sbin/cgrulesengd" subj=system_u:system_r:cgred_t:s0 key=(null)

Comment 3 Miroslav Grepl 2013-02-22 08:23:12 UTC
I added a fix to RHEL6.5. I guess we need to get it to RHEL6.4, right?

Comment 4 Mark Wielaard 2013-02-22 10:49:06 UTC
BTW. As a quick workaround you can feed the log messages to audit2allow -R -M cgrulesengd. This will generate a cgrulesengd.pp that can be added with semodule -i cgrulesengd.pp. The cgrulesengd.te file will show the policy generated:

policy_module(cgrulesengd, 1.0)

require {
	type cgred_t;
}

#============= cgred_t ==============
fs_list_inotifyfs(cgred_t)

Comment 5 Milos Malik 2013-02-22 11:03:20 UTC
I know that cgrulesengd can use inotifyfs,

# strings `which cgrulesengd` | grep inotify
Error intializing inotify subsystem
inotify_init
inotify_add_watch
#

but I'm unable to persuade cgrulesengd to actually use it, therefore no AVCs appeared on my machine. Could you help me?

Comment 6 Brenton Leanhardt 2013-02-22 14:00:21 UTC
(In reply to comment #3)
> I added a fix to RHEL6.5. I guess we need to get it to RHEL6.4, right?

Yes, we would like this bug Z-Streamed for RHEL 6.4.

Comment 7 Milos Malik 2013-02-26 15:23:20 UTC
I don't see any AVCs when the policy module (comment #4) is loaded.

Comment 11 errata-xmlrpc 2013-11-21 10:16:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html