Bug 1026077

Summary: SELinux prevents tor from searching in /sys/devices/system/cpu directory
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.5CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-05 13:14:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2013-11-03 12:53:58 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-doc-3.7.19-231.el6.noarch
selinux-policy-minimum-3.7.19-231.el6.noarch
selinux-policy-mls-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
tor-0.2.3.25-6.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.5 machine where targeted policy is active
2. service tor start
3. search for AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(11/03/2013 13:50:13.204:634) : item=0 name=/sys/devices/system/cpu inode=1 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/03/2013 13:50:13.204:634) :  cwd=/ 
type=SYSCALL msg=audit(11/03/2013 13:50:13.204:634) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fd3ccf58351 a1=90800 a2=fffffffffff5c454 a3=7fd3ccdfc240 items=1 ppid=1 pid=7505 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=tor exe=/usr/bin/tor subj=unconfined_u:system_r:tor_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:50:13.204:634) : avc:  denied  { search } for  pid=7505 comm=tor name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-11-03 12:55:46 UTC 
Actual results (permissive mode):
----
type=PATH msg=audit(11/03/2013 13:54:37.470:637) : item=0 name=/sys/devices/system/cpu inode=22 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/03/2013 13:54:37.470:637) :  cwd=/ 
type=SYSCALL msg=audit(11/03/2013 13:54:37.470:637) : arch=x86_64 syscall=open success=yes exit=3 a0=7f3576206351 a1=90800 a2=fffffffffff5c454 a3=7f35760aa240 items=1 ppid=1 pid=7579 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=tor exe=/usr/bin/tor subj=unconfined_u:system_r:tor_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { open } for  pid=7579 comm=tor name=cpu dev=sysfs ino=22 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { read } for  pid=7579 comm=tor name=cpu dev=sysfs ino=22 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { search } for  pid=7579 comm=tor name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----
Comment 2 Daniel Walsh 2013-11-04 17:05:16 UTC 
Strange I just saw a bugzilla like this for httpd_sys_script_t which was using perl.
Comment 3 Miroslav Grepl 2013-11-05 13:14:26 UTC 

*** This bug has been marked as a duplicate of bug 1026078 ***