Bug 1026078
Summary: | SELinux prevents varnishd from searching in /sys/devices/system/cpu directory | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 6.5 | CC: | adruch2002, dwalsh, semberal |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2014-10-14 07:57:47 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Milos Malik
2013-11-03 12:59:38 UTC
Actual results (permissive mode):

```
type=PATH msg=audit(11/03/2013 13:59:52.622:653) : item=0 name=/sys/devices/system/cpu/online inode=23 dev=00:00 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL
type=CWD msg=audit(11/03/2013 13:59:52.622:653) : cwd=/
type=SYSCALL msg=audit(11/03/2013 13:59:52.622:653) : arch=x86_64 syscall=open success=yes exit=3 a0=3f1b1592b8 a1=80000 a2=1fffe51561af a3=1 items=1 ppid=7761 pid=7762 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=9 comm=varnishd exe=/usr/sbin/varnishd subj=unconfined_u:system_r:varnishd_t:s0 key=(null)
type=AVC msg=audit(11/03/2013 13:59:52.622:653) : avc: denied { open } for pid=7762 comm=varnishd name=online dev=sysfs ino=23 scontext=unconfined_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(11/03/2013 13:59:52.622:653) : avc: denied { read } for pid=7762 comm=varnishd name=online dev=sysfs ino=23 scontext=unconfined_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(11/03/2013 13:59:52.622:653) : avc: denied { search } for pid=7762 comm=varnishd name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
```

I think there is a new glibc? Causing all confined apps to read the cpu file. Maybe we should dontaudit it. Not sure what valuable information might be under /sys.

*** Bug 1026077 has been marked as a duplicate of this bug. ***

*** Bug 1025315 has been marked as a duplicate of this bug. ***

I know the status is still NEW but has this been considered any further? Is dontaudit the right answer? I'm seeing it on other apps besides varnishd.

Could you attach the AVCs you are seeing?

Below is one of the AVCs. The subject 'scmonitor_t' is from a custom domain I have monitoring the state of some other processes.

This is why I was generically asking if you planned to allow or dontaudit. I'll need to implement something for my own policy and was hoping to learn from what you decide here.

```
type=PATH msg=audit(02/22/2014 01:40:00.280:470) : item=0 name=/sys/devices/system/cpu/online inode=1 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL
type=CWD msg=audit(02/22/2014 01:40:00.280:470) : cwd=/
type=SYSCALL msg=audit(02/22/2014 01:40:00.280:470) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7f09d7ba22b8 a1=80000 a2=ffffffffffffffff a3=7fff2e1c25d0 items=1 ppid=1906 pid=2428 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pgrep exe=/usr/bin/pgrep subj=system_u:system_r:scmonitor_t:s0 key=(null)
type=AVC msg=audit(02/22/2014 01:40:00.280:470) : avc: denied { search } for pid=2428 comm=pgrep name=/ dev=sysfs ino=1 scontext=system_u:system_r:scmonitor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
```

Most likely the app needs to read something in /sys so I would probably allow, it depends on if there is a piece of information that you believe this process should not be allowed to see. Basically this allows the app to search through /sys. Not very dangerous.

*** Bug 1083105 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
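The thread above turns on one policy decision: whether the `search` on `sysfs_t` (and the `open`/`read` on `/sys/devices/system/cpu/online`) should be granted with `allow` or merely silenced with `dontaudit`. The script below is an added example, not code from the bug report or from the selinux-policy project. It parses AVC records of the form quoted in the thread (re-embedded here one record per line as constructed sample input, with the non-AVC PATH/SYSCALL records left in to show they are skipped), groups the denied permissions by source type, target type and object class, and renders both candidate policy modules in the style of audit2allow output. The module name `local_sysfs` is a hypothetical placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the records quoted in this bug, one record per line
# (the original report runs them together). Non-AVC records are included
# to show that the parser ignores them.
SAMPLE_AUDIT_LOG = """\
type=PATH msg=audit(11/03/2013 13:59:52.622:653) : item=0 name=/sys/devices/system/cpu/online inode=23 dev=00:00 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(11/03/2013 13:59:52.622:653) : arch=x86_64 syscall=open success=yes exit=3 comm=varnishd exe=/usr/sbin/varnishd subj=unconfined_u:system_r:varnishd_t:s0 key=(null)
type=AVC msg=audit(11/03/2013 13:59:52.622:653) : avc: denied { open } for pid=7762 comm=varnishd name=online dev=sysfs ino=23 scontext=unconfined_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(11/03/2013 13:59:52.622:653) : avc: denied { read } for pid=7762 comm=varnishd name=online dev=sysfs ino=23 scontext=unconfined_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(11/03/2013 13:59:52.622:653) : avc: denied { search } for pid=7762 comm=varnishd name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:varnishd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(02/22/2014 01:40:00.280:470) : avc: denied { search } for pid=2428 comm=pgrep name=/ dev=sysfs ino=1 scontext=system_u:system_r:scmonitor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

# Matches the permission set in braces and everything after "for", which
# holds the key=value fields (pid, comm, name, scontext, tcontext, tclass).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")


def parse_avc(line):
    """Return the denial's perms, source/target type and class, or None for
    records that are not AVC denials (PATH, CWD, SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    # A security context is user:role:type:level; the type is the third field.
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def aggregate_denials(log_text):
    """Group permissions by (source type, target type, class), which is the
    granularity of a type-enforcement rule."""
    agg = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            agg[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(agg)


def _perm_set(perms):
    """Single permission bare, several in braces, as the policy language wants."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_rules(agg, verb):
    """Emit one TE rule per (stype, ttype, tclass). verb is 'allow' (grant the
    access) or 'dontaudit' (keep denying, stop logging)."""
    if verb not in ("allow", "dontaudit"):
        raise ValueError(verb)
    return [f"{verb} {s} {t}:{c} {_perm_set(p)};" for (s, t, c), p in sorted(agg.items())]


def te_module(agg, verb, name="local_sysfs"):
    """Wrap the rules in loadable-module source in the style audit2allow
    produces. The module name is a hypothetical placeholder."""
    types = sorted({s for s, _, _ in agg} | {t for _, t, _ in agg})
    classes = defaultdict(set)
    for (_, _, c), p in agg.items():
        classes[c].update(p)  # require block needs the union of perms per class
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + render_rules(agg, verb)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    agg = aggregate_denials(SAMPLE_AUDIT_LOG)
    print(te_module(agg, "allow"))
    print(te_module(agg, "dontaudit"))
```

Running the script prints both modules; the `allow` variant grants exactly the accesses the AVCs recorded, which the thread judges not very dangerous for a search of /sys, while the `dontaudit` variant leaves the access denied and only stops the log entries. Either `.te` file can be built and loaded with the standard `checkmodule -M -m`, `semodule_package` and `semodule -i` sequence. Note the trade-off the thread raises: a `dontaudit` keeps the domain confined but also hides any later denial of the same type/class pair, so a domain that genuinely needs the file (as the `success=no exit=-13` in the pgrep record suggests) will keep failing silently.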