Bug 1179968
Summary: | The setfiles utility is prevented from reading files of type admin_home_t | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Nichols <rnichols42> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.6 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-266.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-07-22 07:10:40 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Robert Nichols
2015-01-07 23:00:44 UTC
# ls -Z ./local-mods -rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 ./local-mods # cat ./local-mods boolean -1 virt_use_sysfs # semanage -i ./local-mods # It looks like a leaked file descriptor. Here are AVCs gathered in enforcing mode: ---- type=PATH msg=audit(01/08/2015 10:28:52.680:268) : item=1 name=(null) inode=325938 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL type=PATH msg=audit(01/08/2015 10:28:52.680:268) : item=0 name=/sbin/load_policy inode=292115 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:load_policy_exec_t:s0 nametype=NORMAL type=CWD msg=audit(01/08/2015 10:28:52.680:268) : cwd=/root type=EXECVE msg=audit(01/08/2015 10:28:52.680:268) : argc=1 a0=/sbin/load_policy type=SYSCALL msg=audit(01/08/2015 10:28:52.680:268) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x4e127c0 a1=0x3812700 a2=0x0 a3=0x12 items=2 ppid=5872 pid=5880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=load_policy exe=/sbin/load_policy subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(01/08/2015 10:28:52.680:268) : avc: denied { read } for pid=5880 comm=load_policy path=/root/local-mods dev=vda3 ino=364658 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file ---- type=PATH msg=audit(01/08/2015 10:28:54.685:270) : item=1 name=(null) inode=325938 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL type=PATH msg=audit(01/08/2015 10:28:54.685:270) : item=0 name=/sbin/setfiles inode=292163 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:setfiles_exec_t:s0 nametype=NORMAL type=CWD msg=audit(01/08/2015 10:28:54.685:270) : cwd=/root type=EXECVE msg=audit(01/08/2015 10:28:54.685:270) : argc=5 a0=/sbin/setfiles a1=-q a2=-c a3=/etc/selinux/targeted/policy/policy.24 a4=/etc/selinux/targeted/contexts/files/file_contexts type=SYSCALL msg=audit(01/08/2015 10:28:54.685:270) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x4e5d920 a1=0x763bcd0 a2=0x0 a3=0x31 items=2 ppid=5872 pid=5886 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=setfiles exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(01/08/2015 10:28:54.685:270) : avc: denied { read } for pid=5886 comm=setfiles path=/root/local-mods dev=vda3 ino=364658 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file ---- commit 0cabf48d05f00c68f597b8ffdc74d6297eee2237 Author: Miroslav Grepl <mgrepl> Date: Tue Mar 3 12:12:23 2015 +0100 Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile. commit a69bedf1046a3771f45589971ad6ec327e475313 Author: Miroslav Grepl <mgrepl> Date: Tue May 12 09:05:16 2015 +0200 Dontaudit read access on admin_home_t for load_policy. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1375.html |