Bug 145033

Summary: Reading the SElinux config: ssh, dhcp, httpd
Product: [Fedora] Fedora Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strictAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-20 18:24:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ivan Gyurdiev 2005-01-13 21:18:40 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Various things try to read the SElinux config and fail.

DHCP:
====
audit(1105648184.064:0): avc:  denied  { read } for  pid=2592
exe=/bin/cp name=config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648184.064:0): avc:  denied  { getattr } for  pid=2592
exe=/bin/cp path=/etc/selinux/config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648196.549:0): avc:  denied  { read } for  pid=2991
exe=/bin/cp name=config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648196.549:0): avc:  denied  { getattr } for  pid=2991
exe=/bin/cp path=/etc/selinux/config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file


HTTPD:
======
audit(1105648202.127:0): avc:  denied  { search } for  pid=3021
exe=/usr/sbin/httpd name=selinux dev=dm-0 ino=667342
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir

audit(1105648202.127:0): avc:  denied  { read } for  pid=3021
exe=/usr/sbin/httpd name=config dev=dm-0 ino=669241
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648202.128:0): avc:  denied  { getattr } for  pid=3021
exe=/usr/sbin/httpd path=/etc/selinux/config dev=dm-0 ino=669241
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file

SSH:
====
audit(1105648224.294:0): avc:  denied  { read } for  pid=3654
exe=/usr/bin/ssh-agent name=config dev=dm-0 ino=669241
scontext=user_u:user_r:user_ssh_agent_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648224.294:0): avc:  denied  { getattr } for  pid=3654
exe=/usr/bin/ssh-agent path=/etc/selinux/config dev=dm-0 ino=669241
scontext=user_u:user_r:user_ssh_agent_t
tcontext=system_u:object_r:selinux_config_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Always

Steps to Reproduce:
1. Boot with strict policy

Additional info:
Comment 1 Daniel Walsh 2005-01-18 21:47:52 UTC 
Are you running in permissive mode.  I believe most of these would be
prevented in enforcing mode.  Putting the code in enforcing will might
cause a dontaudit to happen which causes the application to go a
different code patch.  So for instance if I do a ls
/etc/selinux/targeted/ I might get a Denial of search on the directory
and ls will stop.  But in permissive mode, I would get the search
denial plus all the reads of the files under neath it.  So we only
care about AVC messages in enforcing mode.
Comment 2 Ivan Gyurdiev 2005-01-18 22:10:26 UTC 
This is in permissive mode.
I'll try enforcing too, but last time I did this 
X wouldn't start - will investigate and close bug if necessary.
Comment 3 Ivan Gyurdiev 2005-01-20 18:24:59 UTC 
Closing bug, will reopen if I see it again.
With execmod changes that I added to X I can now run in enforcing,
and I see very few denials.