View Issue Details

ID: 0005580
Project: CentOS-6
Category: selinux-policy
View Status: public
Last Update: 2012-05-10 11:45
Reporter: bobhoffman
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform:
OS: centos
OS Version: 6.x
Product Version: 6.2
Target Version:
Fixed in Version:
Summary: 0005580: SELinux blocking read/write/etc. to mcelog
Description: Permissive setting; these errors in the log.

type=AVC msg=audit(1331186048.284:8): avc: denied { open } for pid=7518 comm="mcelog" name="mcelog" dev=dm-0 ino=10923 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1331186048.287:9): avc: denied { write } for pid=7518 comm="mcelog" name="run" dev=dm-0 ino=653 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1331186048.287:9): avc: denied { add_name } for pid=7518 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1331186048.287:9): avc: denied { create } for pid=7518 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1331186048.288:10): avc: denied { create } for pid=7519 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1331186048.288:10): avc: denied { write open } for pid=7519 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=9849 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1331186048.288:10): arch=c000003e syscall=2 success=yes exit=7 a0=615140 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=7519 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1331186048.288:11): avc: denied { getattr } for pid=7519 comm="mcelog" path="/var/run/mcelog.pid" dev=dm-0 ino=9849 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Steps To Reproduce: I have been running permissive mode since the machine was built a few months ago. It is a host machine for virtual machines using LVM storage.
I switched from permissive to enforcing and back again via setenforce. I did this to reset the error logging for SELinux, since the errors only come up once in permissive mode.
After reboot/relabel these errors appeared.
Additional Information: Looking at the Fedora bug list, I see this crops up every year and is 'fixed' with some policy update.

Apparently not fixed for all.

Could it be because of virtual machine storage in LVM? I do not know enough to tell.

No other SELinux errors appeared, but I am afraid to turn it on due to this issue.

Some say
restorecon -R -v /var/run/mcelog.pid
may be the solution.
Since this is my only production server and it is hosting lots of sites, I am afraid to just try it out.
Tags: No tags attached.

Activities

chrroessner
2012-05-10 11:45
reporter   ~0015059

I can confirm this bug. mcelog is not starting on my server either, if SELinux is in enforcing mode.

I fixed it the following way:

Create a file local.te with:

---begin---

# Local policy module: lets mcelog_t create its client socket under /var/run,
# whose directory is labeled var_run_t (the dir/sock_file denials above).
module local 1.0;

require {
    type mcelog_t;
    type var_run_t;
    class sock_file create;
    class dir { write add_name };
}

# Adding the "mcelog-client" entry to the /var/run directory.
allow mcelog_t var_run_t:dir { write add_name };
# Creating the mcelog-client socket itself.
allow mcelog_t var_run_t:sock_file create;
---end---

checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

service mcelogd stop
service mcelogd start

ps auxc | grep mce
root 16704 0.0 0.0 6228 356 ? Ss 13:40 0:00 mcelog

Seems to run. I am not a SELinux expert. I just read the steps from the man page for audit2allow.
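As an added example (not code from the report, the note above, or the selinux-policy package), the Python below does what the audit2allow step behind the note above does, but keeps the intermediate rules visible so they can be reviewed before checkmodule/semodule_package/semodule are run. It parses the AVC lines quoted in the report (embedded as constructed sample input), lists which object each target type was seen on, and emits a .te module with one allow rule per (source type, target type, class). It also addresses the reporter's restorecon question: the open denial on a file named "mcelog" that carries cron_log_t looks like a mislabeled file, which is a case for relabeling rather than an allow rule, so the example drops that target type via skip_types. Two caveats: every rule generated here, like the posted module, grants mcelog_t access to the generic var_run_t type, which is broader than a file-context fix that gives the pid file and socket their own type; and this example generalizes beyond the two rules in the note (it also covers the file denials on mcelog.pid). The function and parameter names (parse_denials, denied_objects, generate_te, skip_types) are this example's own.

```python
"""Build a minimal SELinux Type Enforcement (.te) module from AVC denials.

Added example, not code from the bug report or the selinux-policy package:
it does by hand what audit2allow -M local does, so the rules can be read and
mislabeled objects filtered out before checkmodule/semodule_package/semodule.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the report plus a shortened
# SYSCALL record, which is not an AVC line and must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1331186048.284:8): avc: denied { open } for pid=7518 comm="mcelog" name="mcelog" dev=dm-0 ino=10923 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file
type=AVC msg=audit(1331186048.287:9): avc: denied { write } for pid=7518 comm="mcelog" name="run" dev=dm-0 ino=653 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1331186048.287:9): avc: denied { add_name } for pid=7518 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1331186048.287:9): avc: denied { create } for pid=7518 comm="mcelog" name="mcelog-client" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1331186048.288:10): avc: denied { create } for pid=7519 comm="mcelog" name="mcelog.pid" scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1331186048.288:10): avc: denied { write open } for pid=7519 comm="mcelog" name="mcelog.pid" dev=dm-0 ino=9849 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1331186048.288:10): arch=c000003e syscall=2 success=yes exit=7 comm="mcelog" exe="/usr/sbin/mcelog" subj=system_u:system_r:mcelog_t:s0 key=(null)
type=AVC msg=audit(1331186048.288:11): avc: denied { getattr } for pid=7519 comm="mcelog" path="/var/run/mcelog.pid" dev=dm-0 ino=9849 scontext=system_u:system_r:mcelog_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)
# name="..." (directory entry) or path="..." of the object that was hit.
OBJECT_RE = re.compile(r'\b(?:name|path)="([^"]*)"')


def type_of(context):
    """Third field of user:role:type[:level]: the only part a TE rule needs."""
    return context.split(":")[2]


def parse_denials(audit_log):
    """Yield (source_type, target_type, tclass, perms, object) per AVC record."""
    for line in audit_log.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL, PATH, CWD ... records carry no denial
            continue
        obj = OBJECT_RE.search(m.group("rest"))
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), m.group("perms").split(),
               obj.group(1) if obj else None)


def denied_objects(audit_log):
    """Map target type -> object names/paths it was seen on, the check to do
    before allowing anything: a file called "mcelog" carrying cron_log_t looks
    mislabeled and wants restorecon, not an allow rule."""
    objects = defaultdict(set)
    for _, ttype, _, _, obj in parse_denials(audit_log):
        if obj:
            objects[ttype].add(obj)
    return dict(objects)


def generate_te(audit_log, module="local", version="1.0", skip_types=()):
    """Return .te text: one allow rule per (source, target, class) with all
    denied permissions merged, plus a require block for every type and class
    used. Target types listed in skip_types are left out of the module."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_denials(audit_log):
        if ttype in skip_types:
            continue
        rules[(stype, ttype, tclass)].update(perms)

    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)

    def fmt(perms):  # TE syntax: bare name for one perm, braces for several
        perms = sorted(perms)
        return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

    out = ["module %s %s;" % (module, version), "", "require {"]
    out += ["    type %s;" % t for t in types]
    out += ["    class %s %s;" % (c, fmt(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += ["allow %s %s:%s %s;" % (s, t, c, fmt(p))
            for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for ttype, objs in sorted(denied_objects(SAMPLE_AUDIT_LOG).items()):
        print("%-12s %s" % (ttype, ", ".join(sorted(objs))))
    # cron_log_t on a file named "mcelog" is a labeling problem, not a policy
    # gap, so it is excluded from the generated module.
    print(generate_te(SAMPLE_AUDIT_LOG, skip_types=("cron_log_t",)))
```

The denied_objects output is the part worth reading before compiling anything: for each target type it shows the names that were hit, and a name that does not belong to that type's service is a labeling problem. For the reporter's question, restorecon has a dry-run mode (restorecon -nv PATH prints what it would relabel without changing anything) and matchpathcon PATH prints the label the file-context policy expects, so both can be checked on a production host before any label or policy is changed.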

Issue History

Date Modified       Username      Field        Change
2012-03-08 13:41    bobhoffman    New Issue
2012-05-10 11:45    chrroessner   Note Added   0015059