
Fixed

OVP-405 : [selinux] mount works well with 'avc: denied { mounton } for pid=1956 comm="mount"'

Created: Sep 27, 2013    Updated: Mar 11, 2016
Resolved Date: Oct 29, 2013
Found In Version: 5.0.1
Fix Version: 5.0.1.9
Severity: Severe
Applicable for: Wind River Linux 5
Component/s: Kernel

Description

Problem Description
======================
[selinux] With SELinux in enforcing mode, the boot of the OVP host image logs 'avc:  denied  { mounton } for pid=1956 comm="mount"' (and several similar AVC denials) even though the system otherwise appears to come up normally. The denials are raised for mount_t trying to bind-mount onto tmpfs files under /var/volatile/run/named-chroot that are labelled initrc_var_run_t.

Expected Behavior
======================
Booting with SELinux enforcing should produce no AVC denials for mount, rsyslogd or mingetty; the policy should either grant the needed permissions to these domains or the target files should carry a label those domains are allowed to use.

Observed Behavior
======================
Besides comm="mount", the same class of AVC denial is logged for comm="rsyslogd" (getattr on /sys/fs/cgroup, tmpfs_t) and comm="mingetty" (sys_nice capability); the log below also shows a { link } denial on a key for comm="sshd". Note that the SYSCALL records paired with the mount denials carry success=no exit=-13 (EACCES), so the bind mounts into the named chroot (localtime, /dev/random, /dev/zero, /dev/null) did not actually succeed — "works well" refers to the rest of the boot, and the impact on the chrooted BIND service has not been verified here.

Logs
======================

root@localhost:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             wr-targeted-ovp-host-isolation
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      26
root@localhost:~#
root@localhost:~# cat /var/log/audit/audit.log
type=DAEMON_START msg=audit(1380264247.603:5644): auditd start, ver=2.2.1 format=raw kernel=3.4.62-ovp-ga-rt77-WR5.0.1.0_preempt-rt auid=4294967295 pid=1917 subj=system_u:system_r:auditd_t:s0 res=success
type=AVC msg=audit(1380264247.798:4): avc:  denied  { mounton } for pid=1950 comm="mount" path="/var/volatile/run/named-chroot/etc/localtime" dev="tmpfs" ino=14922 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.798:4): arch=c000003e syscall=165 success=no exit=-13 a0=817320 a1=817350 a2=410b49 a3=ffffffffc0ed1000 items=0 ppid=1922 pid=1950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.798:5): avc:  denied  { mounton } for pid=1950 comm="mount" path="/var/volatile/run/named-chroot/etc/localtime" dev="tmpfs" ino=14922 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.798:5): arch=c000003e syscall=165 success=no exit=-13 a0=817380 a1=8173b0 a2=410b49 a3=ffffffffc0ed1001 items=0 ppid=1922 pid=1950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.801:6): avc:  denied  { mounton } for pid=1952 comm="mount" path="/var/volatile/run/named-chroot/dev/random" dev="tmpfs" ino=14925 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.801:6): arch=c000003e syscall=165 success=no exit=-13 a0=817310 a1=817330 a2=410b49 a3=ffffffffc0ed1000 items=0 ppid=1922 pid=1952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.801:7): avc:  denied  { mounton } for pid=1952 comm="mount" path="/var/volatile/run/named-chroot/dev/random" dev="tmpfs" ino=14925 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.801:7): arch=c000003e syscall=165 success=no exit=-13 a0=817360 a1=817380 a2=410b49 a3=ffffffffc0ed1001 items=0 ppid=1922 pid=1952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.804:8): avc:  denied  { mounton } for pid=1954 comm="mount" path="/var/volatile/run/named-chroot/dev/zero" dev="tmpfs" ino=14928 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.804:8): arch=c000003e syscall=165 success=no exit=-13 a0=817310 a1=817330 a2=410b49 a3=ffffffffc0ed1000 items=0 ppid=1922 pid=1954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.804:9): avc:  denied  { mounton } for pid=1954 comm="mount" path="/var/volatile/run/named-chroot/dev/zero" dev="tmpfs" ino=14928 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.804:9): arch=c000003e syscall=165 success=no exit=-13 a0=817360 a1=817380 a2=410b49 a3=ffffffffc0ed1001 items=0 ppid=1922 pid=1954 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.806:10): avc:  denied  { mounton } for  pid=1956 comm="mount" path="/var/volatile/run/named-chroot/dev/null" dev="tmpfs" ino=14931 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.806:10): arch=c000003e syscall=165 success=no exit=-13 a0=817310 a1=817330 a2=410b49 a3=ffffffffc0ed1000 items=0 ppid=1922 pid=1956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264247.806:11): avc:  denied  { mounton } for  pid=1956 comm="mount" path="/var/volatile/run/named-chroot/dev/null" dev="tmpfs" ino=14931 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1380264247.806:11): arch=c000003e syscall=165 success=no exit=-13 a0=817360 a1=817380 a2=410b49 a3=ffffffffc0ed1001 items=0 ppid=1922 pid=1956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount.util-linux" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1380264251.029:12): avc:  denied  { getattr } for  pid=2026 comm="rsyslogd" path="/sys/fs/cgroup" dev="tmpfs" ino=14793 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1380264251.029:12): arch=c000003e syscall=6 success=no exit=-13 a0=4607c5 a1=7fff87438ba0 a2=7fff87438ba0 a3=8 items=0 ppid=2024 pid=2026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1380264253.067:13): table=filter family=2 entries=0
type=SYSCALL msg=audit(1380264253.067:13): arch=c000003e syscall=175 success=yes exit=0 a0=7f9993c14000 a1=1ac8 a2=60e120 a3=0 items=0 ppid=2249 pid=2250 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe.26" subj=system_u:system_r:insmod_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1380264253.100:14): table=filter family=2 entries=4
type=SYSCALL msg=audit(1380264253.100:14): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=0 a2=40 a3=817f80 items=0 ppid=2215 pid=2253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:initrc_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1380264254.113:15): table=filter family=10 entries=0
type=SYSCALL msg=audit(1380264254.113:15): arch=c000003e syscall=175 success=yes exit=0 a0=7f7c8c2f9000 a1=1a90 a2=60e120 a3=0 items=0 ppid=2345 pid=2346 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe.26" subj=system_u:system_r:insmod_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1380264512.653:16): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1380264512.653:16): table=filter family=10 entries=0
type=SYSCALL msg=audit(1380264512.653:16): arch=c000003e syscall=56 success=yes exit=2523 a0=6c020011 a1=7fc6700f5380 a2=8 a3=7fc67542a3b0 items=0 ppid=1 pid=2270 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=NETFILTER_CFG msg=audit(1380264612.803:17): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1380264612.803:17): table=filter family=10 entries=0
type=SYSCALL msg=audit(1380264612.803:17): arch=c000003e syscall=56 success=yes exit=2638 a0=6c020011 a1=7f19300fcf00 a2=8 a3=7f19357943b0 items=0 ppid=1 pid=2562 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1380264616.769:18): avc:  denied  { sys_nice } for  pid=2748 comm="mingetty" capability=23 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=capability
type=SYSCALL msg=audit(1380264616.769:18): arch=c000003e syscall=2 success=yes exit=0 a0=7fff96727d90 a1=2 a2=0 a3=8 items=0 ppid=1 pid=2748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mingetty" exe="/sbin/mingetty" subj=system_u:system_r:getty_t:s0 key=(null)
type=USER_LOGIN msg=audit(1380264631.879:19): pid=2748 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/bin/login.shadow" hostname=? addr=? terminal=/dev/console res=success'
type=AVC msg=audit(1380264651.073:20): avc:  denied  { link } for pid=2839 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=key
type=SYSCALL msg=audit(1380264651.073:20): arch=c000003e syscall=250 success=no exit=-13 a0=8 a1=fffffffc a2=fffffffd a3=0 items=0 ppid=1870 pid=2839 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=LOGIN msg=audit(1380264651.073:21): login pid=2839 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1
root@localhost:~# 

Steps to Reproduce

1) /lpg-build/cdc/fast_prod/wrlinuxovp/wrlinux-x/wrlinux/configure --enable-jobs=36 --enable-parallel-pkgbuilds=36 --enable-kernel=preempt-rt --enable-addons=wr-ovp --enable-rootfs=ovp-ovirt-node --enable-board=intel_xeon_core --with-rcpl-version=0

2) make fs

3) deploy

4) Boot the board with SELinux in enforcing mode (confirm with `sestatus`: "Current mode: enforcing").

Check the behaviour of the boot and inspect /var/log/audit/audit.log for AVC denials (e.g. `grep 'avc:  denied' /var/log/audit/audit.log`), comparing against the log excerpt above.