Bug 1037539
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | speech-dispatcher runs as init_t | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | mgrepl, riehecky |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1241446 | Environment: | |
| Last Closed: | 2016-04-05 15:53:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 877026, 1042890 | | |
| Bug Blocks: | 848829, 1241446 | | |
commit c0c42f70b277e26e21c75c8d8f2eb3725ebdb981
Author: Lukas Vrabec <lvrabec>
Date: Fri Dec 20 15:22:01 2013 +0100
Added new policy for speech-dispatcher
There are no AVCs, but it's not possible to start the speech-dispatcherd service in enforcing mode. The service can be started in permissive mode, and here are the AVCs:
----
type=PATH msg=audit(01/21/2014 22:09:41.657:811) : item=1 name=/root/.speech-dispatcher inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE
type=PATH msg=audit(01/21/2014 22:09:41.657:811) : item=0 name=/root/ inode=16818305 dev=fd:03 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=CWD msg=audit(01/21/2014 22:09:41.657:811) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.657:811) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x1049970 a1=0700 a2=0x1049970 a3=0x7fff12a32a10 items=2 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { create } for pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { add_name } for pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { write } for pid=7293 comm=speech-dispatch name=root dev="vda3" ino=16818305 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { dac_override } for pid=7293 comm=speech-dispatch capability=dac_override scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:system_r:speech-dispatcher_t:s0 tclass=capability
----
type=PATH msg=audit(01/21/2014 22:09:41.660:812) : item=1 name=/root/.speech-dispatcher/pid/speech-dispatcher.pid inode=25676487 dev=fd:03 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE
type=PATH msg=audit(01/21/2014 22:09:41.660:812) : item=0 name=/root/.speech-dispatcher/pid/ inode=25179993 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=CWD msg=audit(01/21/2014 22:09:41.660:812) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.660:812) : arch=x86_64 syscall=open success=yes exit=3 a0=0x1049900 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x1 items=2 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.660:812) : avc: denied { write open } for pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.660:812) : avc: denied { create } for pid=7293 comm=speech-dispatch name=speech-dispatcher.pid scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.661:813) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7fff12a323f0 a2=0x7fff12a323f0 a3=0x0 items=0 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.661:813) : avc: denied { getattr } for pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.661:814) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLK a2=0x7fff12a32c00 a3=0x7fff12a329c0 items=0 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.661:814) : avc: denied { lock } for pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
type=PATH msg=audit(01/21/2014 22:09:41.661:815) : item=1 name=/root/.speech-dispatcher/log//speechd.log inode=69156 dev=fd:03 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE
type=PATH msg=audit(01/21/2014 22:09:41.661:815) : item=0 name=/root/.speech-dispatcher/log// inode=32188 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=CWD msg=audit(01/21/2014 22:09:41.661:815) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.661:815) : arch=x86_64 syscall=open success=yes exit=7 a0=0x104c580 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x70732f2f676f6c2f items=2 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.661:815) : avc: denied { append } for pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/log/speechd.log dev="vda3" ino=69156 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
----
type=PATH msg=audit(01/21/2014 22:09:41.662:816) : item=1 name=(null) inode=17427267 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
type=PATH msg=audit(01/21/2014 22:09:41.662:816) : item=0 name=/usr/lib64/speech-dispatcher-modules/sd_espeak inode=1713993 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.662:816) : cwd=/
type=EXECVE msg=audit(01/21/2014 22:09:41.662:816) : argc=2 a1=/etc/speech-dispatcher/modules//espeak.conf
type=SYSCALL msg=audit(01/21/2014 22:09:41.662:816) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x104c8f0 a1=0x7fff12a2fa40 a2=0x7fff12a32e10 a3=0x7fff12a31870 items=2 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.662:816) : avc: denied { execute_no_trans } for pid=7295 comm=speech-dispatch path=/usr/lib64/speech-dispatcher-modules/sd_espeak dev="vda3" ino=1713993 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
----
type=PATH msg=audit(01/21/2014 22:09:41.733:817) : item=0 name=/root/.config/pulse/client.conf objtype=UNKNOWN
type=CWD msg=audit(01/21/2014 22:09:41.733:817) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.733:817) : arch=x86_64 syscall=open success=no exit=-2(No such file or directory) a0=0xddef20 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x1 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.733:817) : avc: denied { search } for pid=7295 comm=sd_espeak name=pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir
----
type=PATH msg=audit(01/21/2014 22:09:41.735:818) : item=0 name=/root/.config/pulse/cookie inode=25668792 dev=fd:03 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.735:818) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.735:818) : arch=x86_64 syscall=open success=yes exit=11 a0=0xdde920 a1=O_RDONLY|O_NOCTTY|O_CLOEXEC a2=0x180 a3=0x7fff5c60ce00 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc: denied { open } for pid=7295 comm=sd_espeak path=/root/.config/pulse/cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc: denied { read } for pid=7295 comm=sd_espeak name=cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.735:819) : arch=x86_64 syscall=fcntl success=no exit=-9(Bad file descriptor) a0=0xb a1=F_SETLKW a2=0x7fff5c60d020 a3=0x7fff5c60ce30 items=0 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.735:819) : avc: denied { lock } for pid=7295 comm=sd_espeak path=/root/.config/pulse/cookie dev="vda3" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file
----
type=PATH msg=audit(01/21/2014 22:09:41.735:820) : item=0 name=/dev/shm/ inode=5752 dev=00:11 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.735:820) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.735:820) : arch=x86_64 syscall=statfs success=yes exit=0 a0=0x7f8b75116150 a1=0x7fff5c60cf40 a2=0x1 a3=0x7fff5c60ccc0 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.735:820) : avc: denied { getattr } for pid=7295 comm=sd_espeak name=/ dev="tmpfs" ino=5752 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
type=PATH msg=audit(01/21/2014 22:09:41.736:821) : item=0 name=/root/.config/pulse inode=25572285 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.736:821) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.736:821) : arch=x86_64 syscall=open success=yes exit=10 a0=0xddea50 a1=O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC a2=0xffffffff a3=0x7fff5c60cef0 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.736:821) : avc: denied { open } for pid=7295 comm=sd_espeak path=/root/.config/pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir
type=AVC msg=audit(01/21/2014 22:09:41.736:821) : avc: denied { read } for pid=7295 comm=sd_espeak name=pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.736:822) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xa a1=0x7fff5c60d160 a2=0x7fff5c60d160 a3=0x7fff5c60cef0 items=0 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.736:822) : avc: denied { getattr } for pid=7295 comm=sd_espeak path=/root/.config/pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir
----
type=PATH msg=audit(01/21/2014 22:09:41.736:823) : item=0 name=(null) inode=25572285 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(01/21/2014 22:09:41.736:823) : arch=x86_64 syscall=fchown success=yes exit=0 a0=0xa a1=0x0 a2=0x0 a3=0x7fff5c60cef0 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.736:823) : avc: denied { setattr } for pid=7295 comm=sd_espeak name=pulse dev="vda3" ino=25572285 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=dir
----
type=PATH msg=audit(01/21/2014 22:09:41.737:824) : item=0 name=/root/.config/pulse/52107acb55482f46398d06f35ed37412-runtime inode=25676480 dev=fd:03 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.737:824) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.737:824) : arch=x86_64 syscall=readlink success=yes exit=23 a0=0xddefa0 a1=0xddea50 a2=0x63 a3=0x7fff5c60d000 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.737:824) : avc: denied { read } for pid=7295 comm=sd_espeak name=52107acb55482f46398d06f35ed37412-runtime dev="vda3" ino=25676480 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file
----
type=PATH msg=audit(01/21/2014 22:09:41.738:825) : item=0 name=/root/.config inode=20141882 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:config_home_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.738:825) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.738:825) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0xdd39b0 a1=0x7fff5c60d210 a2=0x7fff5c60d210 a3=0x1 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.738:825) : avc: denied { getattr } for pid=7295 comm=sd_espeak path=/root/.config dev="vda3" ino=20141882 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=dir
----
type=PATH msg=audit(01/21/2014 22:09:41.738:826) : item=0 name=/root/.config/pulse/52107acb55482f46398d06f35ed37412-runtime inode=25676480 dev=fd:03 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:pulseaudio_home_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.738:826) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.738:826) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0xdd39b0 a1=0x7fff5c60d210 a2=0x7fff5c60d210 a3=0x6e75722d32313437 items=1 ppid=7293 pid=7295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_espeak exe=/usr/lib64/speech-dispatcher-modules/sd_espeak subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.738:826) : avc: denied { getattr } for pid=7295 comm=sd_espeak path=/root/.config/pulse/52107acb55482f46398d06f35ed37412-runtime dev="vda3" ino=25676480 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=lnk_file
----
type=PATH msg=audit(01/21/2014 22:09:41.745:827) : item=0 name=/etc/resolv.conf inode=8820765 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(01/21/2014 22:09:41.745:827) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.745:827) : arch=x86_64 syscall=open success=yes exit=13 a0=0x7f6c9fd9f448 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=7293 pid=7300 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_festival exe=/usr/lib64/speech-dispatcher-modules/sd_festival subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.745:827) : avc: denied { open } for pid=7300 comm=sd_festival path=/etc/resolv.conf dev="vda3" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.745:827) : avc: denied { read } for pid=7300 comm=sd_festival name=resolv.conf dev="vda3" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
type=SYSCALL msg=audit(01/21/2014 22:09:41.746:828) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0xd a1=0x7fff407a3c30 a2=0x7fff407a3c30 a3=0x0 items=0 ppid=7293 pid=7300 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sd_festival exe=/usr/lib64/speech-dispatcher-modules/sd_festival subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.746:828) : avc: denied { getattr } for pid=7300 comm=sd_festival path=/etc/resolv.conf dev="vda3" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
----
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=4 name=(null) inode=17582883 dev=fd:03 mode=socket,770 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=CREATE
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=3 name=(null) inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=2 name=(null) objtype=CREATE
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=1 name=(null) inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=PATH msg=audit(01/21/2014 22:09:41.755:829) : item=0 name=(null) inode=17169485 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=SOCKADDR msg=audit(01/21/2014 22:09:41.755:829) : saddr=local /root/.speech-dispatcher/speechd.sock
type=SYSCALL msg=audit(01/21/2014 22:09:41.755:829) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xf a1=0x7fff12a32bb0 a2=0x27 a3=0x7fff12a32970 items=5 ppid=1 pid=7293 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.755:829) : avc: denied { create } for pid=7293 comm=speech-dispatch name=speechd.sock scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=sock_file
----
type=PATH msg=audit(01/21/2014 22:09:41.759:831) : item=1 name=/root/.speech-dispatcher/pid/speech-dispatcher.pid inode=25676487 dev=fd:03 mode=file,660 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=DELETE
type=PATH msg=audit(01/21/2014 22:09:41.759:831) : item=0 name=/root/.speech-dispatcher/pid/ inode=25179993 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=CWD msg=audit(01/21/2014 22:09:41.759:831) : cwd=/
type=SYSCALL msg=audit(01/21/2014 22:09:41.759:831) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1049900 a1=0x2 a2=0x7fff12a32ba0 a3=0x7fff12a32a10 items=2 ppid=1 pid=7303 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(01/21/2014 22:09:41.759:831) : avc: denied { unlink } for pid=7303 comm=speech-dispatch name=speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(01/21/2014 22:09:41.759:831) : avc: denied { remove_name } for pid=7303 comm=speech-dispatch name=speech-dispatcher.pid dev="vda3" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
I'm surprised that speech-dispatcher (in default configuration) uses /root/.speech-dispatcher directory for storing PID and log files.
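The permissive-mode log above is long enough that the pattern only shows up once the denials are grouped by source type, target type and object class, which is what audit2allow does before emitting rules. The following is an added example, not code from this bug report or from selinux-policy: a small aggregator that parses the `avc: denied` records quoted above (the sample list copies a handful of them, plus one abbreviated SYSCALL record to show non-AVC lines are skipped), renders the result in allow-rule syntax, and separately flags the groups a policy reviewer should not simply grant, namely denials against home-directory types (`admin_home_t`, `pulseaudio_home_t`, `config_home_t`) and the `dac_override` capability, since those point at the daemon keeping its state under `/root` rather than at a missing rule. The `REVIEW_TYPES` set and the `needs_review` heuristic are this example's own choices.

```python
"""Aggregate SELinux AVC denials into per-(source, target, class) rules.

Added example, not part of this bug report or of selinux-policy.  The sample
records are copied from the AVCs quoted in the report (plus one abbreviated
SYSCALL record to show that non-AVC lines are skipped); the parser is a
simplified stand-in for what audit2allow/audit2why do and only understands the
'avc: denied' record form seen in the report.
"""
import re
from collections import defaultdict

# One AVC record: permissions in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a 'user:role:type[:range]' SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate(lines):
    """Map (source type, target type, object class) to the union of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render the aggregated denials in allow-rule syntax, sorted for stable output."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(rules.items())
    ]


# Target types a reviewer should not simply grant (this example's own choice):
# a daemon writing into home-directory types or needing dac_override points at
# a configuration problem (state kept under /root) rather than a missing rule.
REVIEW_TYPES = {"admin_home_t", "config_home_t", "pulseaudio_home_t"}


def needs_review(rules):
    """Return the aggregated keys that touch REVIEW_TYPES or ask for dac_override."""
    return [
        key for key, perms in sorted(rules.items())
        if key[1] in REVIEW_TYPES or (key[2] == "capability" and "dac_override" in perms)
    ]


# Sample records: AVC lines copied from the report, SYSCALL line abbreviated.
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(01/21/2014 22:09:41.657:811) : arch=x86_64 syscall=mkdir success=yes exit=0 comm=speech-dispatch subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)",
    "type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { create } for pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir",
    "type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { add_name } for pid=7293 comm=speech-dispatch name=.speech-dispatcher scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir",
    "type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { write } for pid=7293 comm=speech-dispatch name=root dev=\"vda3\" ino=16818305 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir",
    "type=AVC msg=audit(01/21/2014 22:09:41.657:811) : avc: denied { dac_override } for pid=7293 comm=speech-dispatch capability=dac_override scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:system_r:speech-dispatcher_t:s0 tclass=capability",
    "type=AVC msg=audit(01/21/2014 22:09:41.660:812) : avc: denied { write open } for pid=7293 comm=speech-dispatch path=/root/.speech-dispatcher/pid/speech-dispatcher.pid dev=\"vda3\" ino=25676487 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file",
    "type=AVC msg=audit(01/21/2014 22:09:41.662:816) : avc: denied { execute_no_trans } for pid=7295 comm=speech-dispatch path=/usr/lib64/speech-dispatcher-modules/sd_espeak dev=\"vda3\" ino=1713993 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file",
    "type=AVC msg=audit(01/21/2014 22:09:41.735:818) : avc: denied { read } for pid=7295 comm=sd_espeak name=cookie dev=\"vda3\" ino=25668792 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:pulseaudio_home_t:s0 tclass=file",
    "type=AVC msg=audit(01/21/2014 22:09:41.745:827) : avc: denied { open } for pid=7300 comm=sd_festival path=/etc/resolv.conf dev=\"vda3\" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file",
    "type=AVC msg=audit(01/21/2014 22:09:41.745:827) : avc: denied { read } for pid=7300 comm=sd_festival name=resolv.conf dev=\"vda3\" ino=8820765 scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file",
]

if __name__ == "__main__":
    rules = aggregate(SAMPLE_LOG)
    for rule in to_allow_rules(rules):
        print(rule)
    print("needs review:", needs_review(rules))
```

Run against a real log with `ausearch -m AVC -i | python3 avc_summary.py`-style piping after swapping `SAMPLE_LOG` for `sys.stdin`; the interesting output is the `needs_review` list, because the rendered allow rules for `admin_home_t` are exactly the ones a maintainer should refuse to add, and the `lib_t` `execute_no_trans` group shows the synthesizer modules would need their own labelling rather than a blanket grant.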
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.

The comment above is incorrect. The correct version is below. I'm sorry for any inconvenience.

---------------------------------------------------------------

This request was NOT resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you need to escalate this bug.

```
# rpm -qa speech\* selinux\* | sort
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-devel-3.12.1-153.el7_0.11.noarch
selinux-policy-sandbox-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch
speech-dispatcher-0.7.1-15.el7
#
```
The following AVC appeared in enforcing mode:
----
type=PATH msg=audit(09/28/2014 05:40:28.984:1057) : item=1 name=/root/.speech-dispatcher objtype=CREATE
type=PATH msg=audit(09/28/2014 05:40:28.984:1057) : item=0 name=/root/ inode=67160193 dev=fd:01 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 objtype=PARENT
type=CWD msg=audit(09/28/2014 05:40:28.984:1057) : cwd=/
type=SYSCALL msg=audit(09/28/2014 05:40:28.984:1057) : arch=s390x syscall=mkdir success=no exit=-13(Permission denied) a0=0x8ddbbc70 a1=0700 a2=0x80007888 a3=0x0 items=2 ppid=1 pid=38076 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=speech-dispatch exe=/usr/bin/speech-dispatcher subj=system_u:system_r:speech-dispatcher_t:s0 key=(null)
type=AVC msg=audit(09/28/2014 05:40:28.984:1057) : avc: denied { dac_override } for pid=38076 comm=speech-dispatch capability=dac_override scontext=system_u:system_r:speech-dispatcher_t:s0 tcontext=system_u:system_r:speech-dispatcher_t:s0 tclass=capability
----
Hi Mirek,

Please check: https://bugzilla.redhat.com/show_bug.cgi?id=1042890

Probably we don't want policy for speech-dispatcher.

Moving to 7.3. We must create policy in Fedora first.

From rhbz#1042890 comment2:

"Running speech-dispatcher as a system service doesn't make sense since we ship it configured (in /etc/speech-dispatcher/speechd.conf) to auto-spawn a user instance whenever the client side library needs it."

I'm closing this issue as WONTFIX, because it doesn't make sense to run speech-dispatcher as a service, so new policy is not necessary.
Description of problem:

* speech-dispatcher uses too powerful SELinux domain

Version-Release number of selected component (if applicable):

speech-dispatcher-0.7.1-13.el7.x86_64
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch

How reproducible:

always

Steps to Reproduce:

```
# service speech-dispatcherd status
Redirecting to /bin/systemctl status speech-dispatcherd.service
speech-dispatcherd.service - Speech-Dispatcher an high-level device independent layer for speech synthesis.
   Loaded: loaded (/usr/lib/systemd/system/speech-dispatcherd.service; disabled)
   Active: inactive (dead)
# service speech-dispatcherd start
Redirecting to /bin/systemctl start speech-dispatcherd.service
# service speech-dispatcherd status
Redirecting to /bin/systemctl status speech-dispatcherd.service
speech-dispatcherd.service - Speech-Dispatcher an high-level device independent layer for speech synthesis.
   Loaded: loaded (/usr/lib/systemd/system/speech-dispatcherd.service; disabled)
   Active: active (running) since Tue 2013-12-03 11:37:31 CET; 1s ago
  Process: 19127 ExecStart=/usr/bin/speech-dispatcher -d (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/speech-dispatcherd.service
           ├─19133 [sd_dummy]
           └─19135 /usr/bin/speech-dispatcher -d

Dec 03 11:37:30 rhel70.localdomain speech-dispatcher[19127]: [Tue Dec 3 11:3...
Dec 03 11:37:31 rhel70.localdomain systemd[1]: Started Speech-Dispatcher an ....
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep speech-dispatcher
system_u:system_r:init_t:s0     root 19135     1  0 11:37 ?        00:00:00 /usr/bin/speech-dispatcher -d
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19149 2416  0 11:37 pts/0    00:00:00 grep --color=auto speech-dispatcher
#
```

Actual results:

* speech-dispatcher runs as init_t

Expected results:

* speech-dispatcher runs in its own SELinux domain
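The `ps -efZ` check in the description is the whole finding: a daemon whose label is `init_t` was started by systemd without a domain transition, so the policy never confines it. The following is an added example, not from this bug report or from selinux-policy, that turns that manual check into a reusable one: it parses `ps -efZ`-style lines, extracts the type from the label, and reports every process in `init_t` other than PID 1, since systemd itself is the only process expected to run in that domain. The sample listing is constructed after the report's output (the systemd and crond lines are made up for the example).

```python
"""Flag daemons running in the init_t SELinux domain from 'ps -efZ' output.

Added example, not part of this bug report or of selinux-policy.  SAMPLE_PS is
constructed after the 'ps -efZ' listing in the report; only PID 1 (systemd)
is expected to run as init_t, so any other process in that domain is a service
that was started without a domain transition and is therefore unconfined by
the policy that would otherwise apply to it.
"""


def parse_ps_line(line):
    """Split a 'ps -efZ' line into (context type, pid, command); None for the header."""
    # Columns: LABEL UID PID PPID C STIME TTY TIME CMD; CMD may contain spaces.
    parts = line.split(None, 8)
    if len(parts) < 9 or parts[0].count(":") < 2:
        return None
    label, _uid, pid, _ppid, _c, _stime, _tty, _time, cmd = parts
    return label.split(":")[2], int(pid), cmd


def processes_in_domain(lines, domain="init_t", ignore_pids=(1,)):
    """Return [(pid, cmd)] for processes labelled with `domain`, skipping ignore_pids."""
    hits = []
    for line in lines:
        rec = parse_ps_line(line)
        if rec is not None and rec[0] == domain and rec[1] not in ignore_pids:
            hits.append((rec[1], rec[2]))
    return hits


# Constructed sample: the speech-dispatcher and grep lines follow the report,
# the systemd and crond lines are invented to give the check something to skip.
SAMPLE_PS = [
    "LABEL                           UID   PID  PPID  C STIME TTY   TIME CMD",
    "system_u:system_r:init_t:s0     root     1     0  0 11:30 ?  00:00:01 /usr/lib/systemd/systemd --switched-root",
    "system_u:system_r:init_t:s0     root 19135     1  0 11:37 ?  00:00:00 /usr/bin/speech-dispatcher -d",
    "system_u:system_r:crond_t:s0-s0:c0.c1023 root 1200 1 0 11:30 ? 00:00:00 /usr/sbin/crond -n",
    "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 19149 2416 0 11:37 pts/0 00:00:00 grep --color=auto speech-dispatcher",
]

if __name__ == "__main__":
    for pid, cmd in processes_in_domain(SAMPLE_PS):
        print(f"unconfined service in init_t: pid={pid} cmd={cmd}")
```

On a live host the same function can be fed `subprocess.run(["ps", "-efZ"], capture_output=True, text=True).stdout.splitlines()`; a non-empty result is the condition this bug describes, and the fix on the policy side is a domain transition for the executable (or, as the maintainer concluded here, not running the program as a system service at all).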