Bug 1248072
Summary: | AVC denied for "dir search" by nslookup(1) when called by nagios_services_plugin_t | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Robert Scheck <redhat-bugzilla>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED CURRENTRELEASE | QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | medium | Docs Contact: |
Priority: | unspecified | |
Version: | 6.7 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, ssekidde
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-07-30 21:37:35 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Robert Scheck
2015-07-29 14:25:08 UTC
Cross-filed case 01484376 on the Red Hat customer portal.

    # rpm -qa selinux\*
    selinux-policy-doc-3.7.19-279.el6.noarch
    selinux-policy-minimum-3.7.19-279.el6.noarch
    selinux-policy-mls-3.7.19-279.el6.noarch
    selinux-policy-targeted-3.7.19-279.el6.noarch
    selinux-policy-3.7.19-279.el6.noarch
    # sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
    Found 1 semantic av rules:
       allow domain sysctl_vm_t : dir { getattr search open } ;
    #

Did the AVC appear after upgrade of selinux-policy* packages?

(In reply to Milos Malik from comment #3)
> Did the AVC appear after upgrade of selinux-policy* packages?

Good point. Only during, as it seems. No occurrence before and none after so far.

Robert,

Most likely during the update of policy either from -231 or -260

    $ rpm -q selinux-policy; sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
    selinux-policy-3.7.19-231.el6.noarch
    <blank>

    $ rpm -q selinux-policy; sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
    selinux-policy-3.7.19-260.el6_6.5.noarch
    <blank>

Should now be fixed in the latest build as Milos pointed out

    #============= nagios_services_plugin_t ==============
    #!!!! This avc is allowed in the current policy
    allow nagios_services_plugin_t sysctl_vm_t:dir search;

Yes, I updated from -260. So sorry for the noise, let's close this.