Bug 1003289

Summary: switching to root from a confined user generates a lot of AVC
Product: [Fedora] Fedora Reporter: Alphonse Steiner <alphsteiner>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: low Docs Contact:
Priority: unspecified    
Version: 19CC: dwalsh, lvrabec
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-74.3.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-14 02:31:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Alphonse Steiner 2013-09-01 17:34:08 UTC 
Description of problem:
I am currently logged on my system as seuser staff_u. When I need root privileges, I change the role to sysadm_r and use the classic command "su -".
This last command takes a while and generate a lot of denials (I have counted 3089 AVC). I have used audit2allow to generate dontaudit rules:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t apm_bios_t:chr_file getattr;
dontaudit sysadm_su_t autofs_device_t:chr_file getattr;
dontaudit sysadm_su_t clock_device_t:chr_file getattr;
dontaudit sysadm_su_t event_device_t:chr_file getattr;
dontaudit sysadm_su_t fixed_disk_device_t:blk_file getattr;
dontaudit sysadm_su_t framebuf_device_t:chr_file getattr;
dontaudit sysadm_su_t fuse_device_t:chr_file getattr;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t kmsg_device_t:chr_file getattr;
dontaudit sysadm_su_t kvm_device_t:chr_file getattr;
dontaudit sysadm_su_t loop_control_device_t:chr_file getattr;
dontaudit sysadm_su_t lvm_control_t:chr_file getattr;
dontaudit sysadm_su_t mei_device_t:chr_file getattr;
dontaudit sysadm_su_t memory_device_t:chr_file getattr;
dontaudit sysadm_su_t netcontrol_device_t:chr_file getattr;
dontaudit sysadm_su_t nvram_device_t:chr_file getattr;
dontaudit sysadm_su_t ppp_device_t:chr_file getattr;
dontaudit sysadm_su_t printer_device_t:chr_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;
dontaudit sysadm_su_t ptmx_t:chr_file getattr;
dontaudit sysadm_su_t removable_device_t:blk_file getattr;
dontaudit sysadm_su_t scsi_generic_device_t:chr_file getattr;
dontaudit sysadm_su_t tty_device_t:chr_file getattr;
dontaudit sysadm_su_t usbmon_device_t:chr_file getattr;
dontaudit sysadm_su_t v4l_device_t:chr_file getattr;
dontaudit sysadm_su_t vhost_device_t:chr_file getattr;
dontaudit sysadm_su_t watchdog_device_t:chr_file getattr;
dontaudit sysadm_su_t wireless_device_t:chr_file getattr;
dontaudit sysadm_su_t xserver_misc_device_t:chr_file getattr;


It works fine with them.

Version in use: selinux-policy-targeted-3.12.1-73.fc19.noarch
Comment 1 Daniel Walsh 2013-09-04 18:43:50 UTC 
5bf08c2d0bc4ce026376ee96b2a5e6bc2f214a39 fixes this in git.
Comment 2 Miroslav Grepl 2013-09-09 18:10:01 UTC 
Has been back ported.

Lukas,
is this a part of the latest update?
Comment 3 Alphonse Steiner 2013-09-12 07:17:31 UTC 
selinux-policy-targeted-3.12.1-74.2.fc19.noarch fixes almost all the denials.
Here the remaining ones:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;
Comment 4 Lukas Vrabec 2013-09-12 08:11:55 UTC 
Miroslav, 

Fix was included in 3.12.1-74.2.fc19
Comment 5 Fedora Update System 2013-09-12 09:09:48 UTC 
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19
Comment 6 Fedora Update System 2013-09-13 00:58:58 UTC 
Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).
Comment 7 Alphonse Steiner 2013-09-13 17:36:31 UTC 
Too late to give a good karma, but comment #3 is still valid.
Comment 8 Fedora Update System 2013-09-14 02:31:00 UTC 
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Alphonse Steiner 2013-09-14 06:37:14 UTC 
It is too early to close, there are still some denials:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;