Bug 1028460

Summary: avc: denied { read } for pid=23836 comm="cimprovagt"
Product: Red Hat Enterprise Linux 7 Reporter: Petr Sklenar <psklenar>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: mmalik, tbzatek
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-100.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 10:56:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 922084    

Description Petr Sklenar 2013-11-08 13:58:48 UTC 
Description of problem:
there is selinux denial on /var/log/wtmp , see steps

Version-Release number of selected component (if applicable):
openlmi-0.4.1-2.el7.noarch
selinux-policy-3.12.1-98.el7.noarch

How reproducible:
always

Steps to Reproduce:
1.create user up to the http://www.openlmi.org/sites/default/files/doc/admin/openlmi-providers/0.4.1/account/usage.html#create-user


Actual results:
type=AVC msg=audit(1383916188.333:131340): avc:  denied  { read } for  pid=23836 comm="cimprovagt" name="wtmp" dev="dm-1" ino=201909553 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file



Expected results:
no avc

Additional info:
Comment 2 Petr Sklenar 2013-11-08 14:28:23 UTC 
when running in permissive:

time->Fri Nov  8 09:22:00 2013
type=SYSCALL msg=audit(1383920520.640:212045): arch=c000003e syscall=2 success=yes exit=10 a0=7fc87422d2e0 a1=80000 a2=7fc87ab45cd5 a3=14 items=0 ppid=1 pid=7492 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_account_t:s0 key=(null)
type=AVC msg=audit(1383920520.640:212045): avc:  denied  { open } for  pid=7492 comm="cimprovagt" path="/var/log/wtmp" dev="dm-1" ino=201909553 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
type=AVC msg=audit(1383920520.640:212045): avc:  denied  { read } for  pid=7492 comm="cimprovagt" name="wtmp" dev="dm-1" ino=201909553 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file
Comment 3 Miroslav Grepl 2013-11-11 12:30:29 UTC 
It makes sense.

commit b9f4f0bc3c85df1fdf9d66fd591287d51ede3155
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 11 13:29:17 2013 +0100

    Allow account provider to read login records
Comment 5 Ludek Smid 2014-06-13 10:56:30 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.