
Bug 512676

Summary: run_init fails with "avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed."
Product: Gentoo Linux
Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r4
Package list:
Runtime testing required: ---

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-06-07 17:45:27 UTC
When calling run_init, the following failure occurs:

~# run_init rc-service nfs status
Authenticating swift.
run_init: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault

The following denials are shown:

----
time->Sat Jun  7 19:40:54 2014
type=SYSCALL msg=audit(1402162854.342:1050): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=0 items=0 ppid=4148 pid=5225 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=3 comm="run_init" exe="/usr/sbin/run_init" subj=staff_u:sysadm_r:run_init_t key=(null)
type=AVC msg=audit(1402162854.342:1050): avc:  denied  { create } for  pid=5225 comm="run_init" scontext=staff_u:sysadm_r:run_init_t tcontext=staff_u:sysadm_r:run_init_t tclass=netlink_selinux_socket
----
time->Sat Jun  7 19:40:54 2014
type=SYSCALL msg=audit(1402162854.342:1053): arch=c000003e syscall=234 success=no exit=-13 a0=1469 a1=1469 a2=6 a3=8 items=0 ppid=4148 pid=5225 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=3 comm="run_init" exe="/usr/sbin/run_init" subj=staff_u:sysadm_r:run_init_t key=(null)
type=AVC msg=audit(1402162854.342:1053): avc:  denied  { signal } for  pid=5225 comm="run_init" scontext=staff_u:sysadm_r:run_init_t tcontext=staff_u:sysadm_r:run_init_t tclass=process

Allowing the create also reveals that a bind is needed:

----
time->Sat Jun  7 19:37:57 2014
type=SOCKADDR msg=audit(1402162677.883:1032): saddr=100000000000000001000000
type=SYSCALL msg=audit(1402162677.883:1032): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=3b912cd72e0 a2=c a3=0 items=0 ppid=29318 pid=3962 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 ses=5 comm="run_init" exe="/usr/sbin/run_init" subj=staff_u:sysadm_r:run_init_t key=(null)
type=AVC msg=audit(1402162677.883:1032): avc:  denied  { bind } for  pid=3962 comm="run_init" scontext=staff_u:sysadm_r:run_init_t tcontext=staff_u:sysadm_r:run_init_t tclass=netlink_selinux_socket

This seems to be effective with more recent kernels (3.14.5-hardened-r2 here).

Reproducible: Always

This is resolved with the following policy additions:

allow run_init_t self:process signal; # failure handling
allow run_init_t self:netlink_selinux_socket { bind create };

There does not seem to be a need for a read or write on this socket - could be that the utilities use it to see if SELinux AVC is available?
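The two allow rules above are exactly what falls out of the three AVC records quoted earlier once denials on the same source type, target and object class are merged. The following Python script, added here as an illustration and not part of the bug report or of the Gentoo policy tooling, performs that merge over a constructed copy of the page's audit records (SYSCALL and SOCKADDR companion lines are kept to show they are skipped; the SYSCALL lines are abbreviated). It reproduces by hand the step audit2allow performs, so the output can be compared against the rules the reporter added.

```python
import re

# Constructed sample input: the AVC records quoted in the bug report, with their
# SYSCALL/SOCKADDR companion records (abbreviated) left in to show they are ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1402162854.342:1050): arch=c000003e syscall=41 success=no exit=-13 comm="run_init" exe="/usr/sbin/run_init" subj=staff_u:sysadm_r:run_init_t key=(null)
type=AVC msg=audit(1402162854.342:1050): avc:  denied  { create } for  pid=5225 comm="run_init" scontext=staff_u:sysadm_r:run_init_t tcontext=staff_u:sysadm_r:run_init_t tclass=netlink_selinux_socket
type=SYSCALL msg=audit(1402162854.342:1053): arch=c000003e syscall=234 success=no exit=-13 comm="run_init" exe="/usr/sbin/run_init" subj=staff_u:sysadm_r:run_init_t key=(null)
type=AVC msg=audit(1402162854.342:1053): avc:  denied  { signal } for  pid=5225 comm="run_init" scontext=staff_u:sysadm_r:run_init_t tcontext=staff_u:sysadm_r:run_init_t tclass=process
type=SOCKADDR msg=audit(1402162677.883:1032): saddr=100000000000000001000000
type=AVC msg=audit(1402162677.883:1032): avc:  denied  { bind } for  pid=3962 comm="run_init" scontext=staff_u:sysadm_r:run_init_t tcontext=staff_u:sysadm_r:run_init_t tclass=netlink_selinux_socket
"""

# Matches the permission set, both contexts and the object class of one AVC denial.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """An SELinux context is user:role:type[:range]; the type is the third field."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one (source_type, target, tclass, perm) tuple per denied permission.

    When source and target type are identical the target is written as 'self',
    which is how the policy language expresses a domain acting on itself.
    """
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, SOCKADDR and other record types carry no denial
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        target = "self" if src == tgt else tgt
        for perm in m.group("perms").split():
            denials.append((src, target, m.group("tclass"), perm))
    return denials


def denials_to_allow_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    grouped = {}
    for src, tgt, tclass, perm in denials:
        grouped.setdefault((src, tgt, tclass), set()).add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        # Single permissions are written bare; several are braced, as in policy sources.
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run against the constructed records the script prints the netlink_selinux_socket rule with `{ bind create }` and the bare `process signal` rule, matching the additions above. The merge is purely mechanical: whether a generated rule belongs in policy, or should become a dontaudit instead, is a judgement the policy maintainer still makes per denial, as the reporter does here by commenting the signal rule as failure handling.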
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-06-07 17:50:28 UTC
Updated in policy (live ebuilds), will be in rev 4.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-01 21:14:19 UTC
r4 is in the tree
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-08-22 17:51:11 UTC
r5 is stable