Bug 1179968
| Summary: | The setfiles utility is prevented from reading files of type admin_home_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Nichols <rnichols42> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.6 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-266.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-22 07:10:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
# ls -Z ./local-mods
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 ./local-mods
# cat ./local-mods
boolean -1 virt_use_sysfs
# semanage -i ./local-mods
#
It looks like a leaked file descriptor. Here are AVCs gathered in enforcing mode:
----
type=PATH msg=audit(01/08/2015 10:28:52.680:268) : item=1 name=(null) inode=325938 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(01/08/2015 10:28:52.680:268) : item=0 name=/sbin/load_policy inode=292115 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:load_policy_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/08/2015 10:28:52.680:268) : cwd=/root
type=EXECVE msg=audit(01/08/2015 10:28:52.680:268) : argc=1 a0=/sbin/load_policy
type=SYSCALL msg=audit(01/08/2015 10:28:52.680:268) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x4e127c0 a1=0x3812700 a2=0x0 a3=0x12 items=2 ppid=5872 pid=5880 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=load_policy exe=/sbin/load_policy subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/08/2015 10:28:52.680:268) : avc: denied { read } for pid=5880 comm=load_policy path=/root/local-mods dev=vda3 ino=364658 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
type=PATH msg=audit(01/08/2015 10:28:54.685:270) : item=1 name=(null) inode=325938 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(01/08/2015 10:28:54.685:270) : item=0 name=/sbin/setfiles inode=292163 dev=fc:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:setfiles_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/08/2015 10:28:54.685:270) : cwd=/root
type=EXECVE msg=audit(01/08/2015 10:28:54.685:270) : argc=5 a0=/sbin/setfiles a1=-q a2=-c a3=/etc/selinux/targeted/policy/policy.24 a4=/etc/selinux/targeted/contexts/files/file_contexts
type=SYSCALL msg=audit(01/08/2015 10:28:54.685:270) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x4e5d920 a1=0x763bcd0 a2=0x0 a3=0x31 items=2 ppid=5872 pid=5886 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=6 comm=setfiles exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/08/2015 10:28:54.685:270) : avc: denied { read } for pid=5886 comm=setfiles path=/root/local-mods dev=vda3 ino=364658 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
commit 0cabf48d05f00c68f597b8ffdc74d6297eee2237
Author: Miroslav Grepl <mgrepl>
Date: Tue Mar 3 12:12:23 2015 +0100
Allow setfiles domain to access files with admin_home_t. semanage -i /root/testfile.
commit a69bedf1046a3771f45589971ad6ec327e475313
Author: Miroslav Grepl <mgrepl>
Date: Tue May 12 09:05:16 2015 +0200
Dontaudit read access on admin_home_t for load_policy.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1375.html |
Description of problem: Running "semanage -i someFile" where someFile is type admin_home_t results in an AVC denial when setfiles tries to read it. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-260.el6_6.1.noarch selinux-policy-targeted-3.7.19-260.el6_6.1.noarch policycoreutils-2.0.83-19.47.el6_6.1.x86_64 How reproducible: Always Steps to Reproduce: 1. In root's home directory, create a file myContext with the single line like: fcontext -a -f 'character device' -t tty_device_t '/dev/UPS' 2. Verify that the file's type is "admin_home_t" 3. Run "semanage -i myContext" from root's unconfined domain Actual results: An AVC denial for setfiles with source context setfiles_t and target context admin_home_t Expected results: No denial Additional info: setfiles_t is allowed to read user_home_t, file_t, and a host of other types. It is strange that it would be restricted from reading admin_home_t.