Bug 1376344

Summary: KRB5_TRACE=/dev/stderr kinit admin now produces AVC denial about create name="2"
Product: [Fedora] Fedora Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 24CC: abokovoy, dominick.grift, dwalsh, jpazdziora, j, lvrabec, mgrepl, nalin, npmccallum, plautrba, rharwood
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-191.24.fc24 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-27 11:12:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2016-09-15 07:48:47 UTC 
Description of problem:

When KRB5_TRACE=/dev/stderr kinit admin is run, AVC denial is logget.

Version-Release number of selected component (if applicable):

krb5-workstation-1.14.3-8.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install krb5-workstation
2. KRB5_TRACE=/dev/stderr kinit admin

This will fail with
kinit: Configuration file does not specify default realm when parsing name admin
but that does not matter.

3. grep AVC /var/log/audit/audit.log

Actual results:

type=AVC msg=audit(1473925602.153:178): avc:  denied  { create } for  pid=21550 comm="kinit" name="2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0

Expected results:

No AVC denial.

Additional info:

I've never seen encountered this issue before today.
Comment 1 Robbie Harwood 2016-09-15 16:24:47 UTC 
Neither have I, nor do I know what could cause it.  Perhaps selinux people can tell us more?
Comment 2 Daniel Walsh 2016-09-16 12:44:23 UTC 
This is the same issue that we have been seeing with chrome, basic change to the kernel which is not checking on /proc for create access when an app does a create/write in an open call.  Even though you are not allowed to create files in /proc.  The next selinux-policy package has added a dontaudit rule for this.
Comment 3 Fedora Admin XMLRPC Client 2016-09-27 15:15:11 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 4 Jan Pazdziora (Red Hat) 2017-02-27 11:07:07 UTC 
Was this fix released?
Comment 5 Lukas Vrabec 2017-02-27 11:12:32 UTC 
$ sesearch -D -s unconfined_t -t unconfined_t -c file -p create
Found 1 semantic av rules:
   dontaudit unconfined_t unconfined_t : file { create setattr relabelto } ; 


$ rpm -q selinux-policy 
selinux-policy-3.13.1-191.24.fc24.noarch

Yes, it is.