From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 25 Mar 2014 21:30:05 +0100 Subject: [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd In-Reply-To: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1395779408-29213-3-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When trying to create a group, the following error occurs: ~# groupadd test groupadd: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed. zsh: abort groupadd test In the denial logs, the following AVC denial is shown: Jan 23 13:57:17 maelstrom kernel: [11395.396588] type=1400 audit(1390481837.876:989): avc: denied { create } for pid=14296 comm="groupadd" scontext=staff_u:sysadm_r:groupadd_t tcontext=staff_u:sysadm_r:groupadd_t tclass=netlink_selinux_socket In permissive mode, we notice that it both creates and binds to the netlink_selinux_socket. Same with useradd. Allowing the create/bind fixes the problem. Signed-off-by: Sven Vermeulen --- policy/modules/admin/usermanage.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 74be7ef..8e1308c 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -199,6 +199,7 @@ allow groupadd_t self:shm create_shm_perms; allow groupadd_t self:sem create_sem_perms; allow groupadd_t self:msgq create_msgq_perms; allow groupadd_t self:msg { send receive }; +allow groupadd_t self:netlink_selinux_socket { bind create }; allow groupadd_t self:unix_dgram_socket create_socket_perms; allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; 
@@ -459,6 +460,7 @@ allow useradd_t self:shm create_shm_perms; allow useradd_t self:sem create_sem_perms; allow useradd_t self:msgq create_msgq_perms; allow useradd_t self:msg { send receive }; +allow useradd_t self:netlink_selinux_socket { bind create }; allow useradd_t self:unix_dgram_socket create_socket_perms; allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; -- 1.8.3.2
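Review bot: In the first hunk (groupadd_t), the literal permission set `{ bind create }` is narrower than the `create_socket_perms` macro used on the adjacent `unix_dgram_socket` line; only create and bind were seen in permissive mode per the description, but if libselinux's AVC netlink thread later reads enforcement-change notifications from this socket, a `read` denial would follow. Either keep the minimal set deliberately and say so in the commit message, or use `create_socket_perms` for consistency with the surrounding rules:
    +allow groupadd_t self:netlink_selinux_socket create_socket_perms;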
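Review bot: The second hunk (useradd_t) duplicates the exact rule from the groupadd_t block, yet the commit message only quotes the groupadd AVC denial and says "Same with useradd"; please add the useradd denial (or state that create and bind were both observed for useradd in permissive mode) so the useradd change is justified by its own evidence. Whichever permission set is chosen for groupadd_t should be mirrored here so the two domains do not diverge.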