| Summary: | SELinux prevents watchdog from reading /etc/passwd file | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | ||
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.12.1-106.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 09:42:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Actual results (permissive mode):
----
type=PATH msg=audit(11/21/2013 18:57:53.770:564) : item=0 name=/etc/passwd inode=9326547 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(11/21/2013 18:57:53.770:564) : cwd=/
type=SYSCALL msg=audit(11/21/2013 18:57:53.770:564) : arch=x86_64 syscall=open success=yes exit=1 a0=0x7f4bd0b3b41a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=2933 pid=2935 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(11/21/2013 18:57:53.770:564) : avc: denied { open } for pid=2935 comm=sh path=/etc/passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(11/21/2013 18:57:53.770:564) : avc: denied { read } for pid=2935 comm=sh name=passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
type=SYSCALL msg=audit(11/21/2013 18:57:53.770:565) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7fff2e6d8da0 a2=0x7fff2e6d8da0 a3=0x0 items=0 ppid=2933 pid=2935 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:watchdog_t:s0 key=(null)
type=AVC msg=audit(11/21/2013 18:57:53.770:565) : avc: denied { getattr } for pid=2935 comm=sh path=/etc/passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
Already added to Fedora. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |
Description of problem: * be careful - the scenario causes a reboot of your machine Version-Release number of selected component (if applicable): selinux-policy-3.12.1-103.el7.noarch selinux-policy-devel-3.12.1-103.el7.noarch selinux-policy-doc-3.12.1-103.el7.noarch selinux-policy-minimum-3.12.1-103.el7.noarch selinux-policy-mls-3.12.1-103.el7.noarch selinux-policy-targeted-3.12.1-103.el7.noarch watchdog-5.13-9.el7.x86_64 How reproducible: always Steps to Reproduce: 1. get a RHEL-7.0 machine with targeted policy 2. add following line to /etc/watchdog.conf test-binary = 1 3. service watchdog restart 4. search for AVCs Actual results (enforcing mode): ---- type=PATH msg=audit(11/21/2013 18:49:23.503:534) : item=0 name=/etc/passwd inode=9326547 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL type=CWD msg=audit(11/21/2013 18:49:23.503:534) : cwd=/ type=SYSCALL msg=audit(11/21/2013 18:49:23.503:534) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fbbd799141a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=2524 pid=2526 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:watchdog_t:s0 key=(null) type=AVC msg=audit(11/21/2013 18:49:23.503:534) : avc: denied { read } for pid=2526 comm=sh name=passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file ---- Expected results: * no AVCs