Bug 165188
Summary: | Strict policy breaks ddclient
---|---
Product: | [Fedora] Fedora
Reporter: | W. Michael Petullo <redhat>
Component: | selinux-policy-strict
Assignee: | Daniel Walsh <dwalsh>
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Version: | 4
Hardware: | All
OS: | Linux
Fixed In Version: | 1.25.4-10
Doc Type: | Bug Fix
Last Closed: | 2005-09-05 05:40:36 UTC
Attachments: | 117523, DDclient patch to fix cache creation
Description
W. Michael Petullo
2005-08-05 01:52:54 UTC
Did you try the policy that was already in the unused directory of strict policy? /etc/selinux/strict/src/policy/domains/program/unused/ddclient.te

I did not know strict/src/policy/domains/program/unused/ddclient.te existed. I don't think /var/cache/ddclient.cache is created with the proper context (ddclient creates it as root:object_r:var_t). Here are the messages that are logged when I use this policy fragment:

```
type=AVC msg=audit(1123382532.061:6803231): avc: denied { read write } for pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.061:6803231): arch=40000003 syscall=11 success=yes exit=0 a0=82a1340 a1=828e178 a2=828e308 a3=0 items=3 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123382532.061:6803231): cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382532.061:6803231): item=0 name="/usr/sbin/ddclient" flags=101 inode=32909 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1123382532.061:6803231): item=1 flags=101 inode=33489 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1123382532.061:6803231): item=2 flags=101 inode=47064 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382532.084:6803376): avc: denied { ioctl } for pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.084:6803376): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382532.084:6803376): path="/dev/pts/1"
type=AVC msg=audit(1123382533.231:6805020): avc: denied { search } for pid=11255 comm="sh" name="/" dev=devpts ino=1 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:devpts_t tclass=dir
type=SYSCALL msg=audit(1123382533.231:6805020): arch=40000003 syscall=5 success=yes exit=3 a0=80c78f6 a1=8802 a2=0 a3=8802 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1123382533.231:6805020): cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.231:6805020): item=0 name="/dev/tty" flags=101 inode=2240 dev=00:0d mode=020666 ouid=0 ogid=0 rdev=05:00
type=AVC msg=audit(1123382533.235:6805055): avc: denied { search } for pid=11255 comm="sh" name="src" dev=hda2 ino=63918 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=AVC msg=audit(1123382533.235:6805055): avc: denied { getattr } for pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=SYSCALL msg=audit(1123382533.235:6805055): arch=40000003 syscall=195 success=yes exit=0 a0=9371830 a1=bfeda0ac a2=229ff4 a3=bfeda0ac items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1123382533.235:6805055): path="/etc/selinux/strict/src/policy"
type=CWD msg=audit(1123382533.235:6805055): cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.235:6805055): item=0 name="/etc/selinux/strict/src/policy" flags=1 inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.237:6805075): avc: denied { read } for pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=SYSCALL msg=audit(1123382533.237:6805075): arch=40000003 syscall=5 success=yes exit=3 a0=80d39e2 a1=18800 a2=22b8b8 a3=9373588 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1123382533.237:6805075): cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.237:6805075): item=0 name="." flags=103 inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.246:6805157): avc: denied { write } for pid=11253 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc: denied { add_name } for pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc: denied { create } for pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.246:6805157): arch=40000003 syscall=5 success=yes exit=3 a0=9c41e50 a1=8241 a2=1b6 a3=8241 items=1 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123382533.246:6805157): cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.246:6805157): item=0 name="/var/cache/ddclient.cache" flags=310 inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.248:6805158): avc: denied { ioctl } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805158): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.248:6805158): path="/var/cache/ddclient.cache"
type=AVC msg=audit(1123382533.248:6805160): avc: denied { getattr } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805160): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=998c068 a2=a46ff4 a3=9c42142 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.248:6805160): path="/var/cache/ddclient.cache"
type=AVC msg=audit(1123382533.249:6805169): avc: denied { write } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.249:6805169): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9c53320 a2=114 a3=9c53320 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.249:6805169): path="/var/cache/ddclient.cache"
```

Created attachment 117523
DDclient patch to fix cache creation

If you apply this patch to ddclient.te, does it fix your problems? You might need to restorecon /var/cache/ddclient*

This patch will be in the next update, although we do not ship ddclient.te...

The patch in comment #3 seems to work.

Fixed in policy version 1.25.4-10
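The audit records in this report are the raw material a policy author has to read before deciding whether each denial wants an allow rule or a labeling fix. The script below is an added example, not code from the bug report or from the selinux-policy package; its `SAMPLE_AUDIT` is a constructed input reconstructed from the AVC records above plus three of the SYSCALL records, one record per line, and all function names are my own. It groups denied permissions by (source type, target type, object class), renders them as `allow` rules in the style `audit2allow` produces, and flags AVC denials whose paired SYSCALL record still reports `success=yes`, which is what a permissive-mode run looks like. The caveat a practitioner wants: the `var_t` rules it prints are exactly what not to add, because the reporter's real problem is that `/var/cache/ddclient.cache` is created with the generic `var_t` label, and the fix in the report is a policy patch to cache creation followed by `restorecon`, not a blanket grant to `var_t`. The `user_devpts_t`, `devpts_t` and `policy_src_t` denials appear to come from running ddclient by hand from a terminal with cwd `/etc/selinux/strict/src/policy`, and are not accesses a daemon policy should allow either.

```python
"""Summarise SELinux AVC denials of the kind quoted in this bug report.

Added example, not code from the bug report or the selinux-policy package.
SAMPLE_AUDIT is a constructed input: the AVC records from the report and
three of its SYSCALL records, one per line, trailing fields trimmed.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1123382532.061:6803231): avc: denied { read write } for pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.061:6803231): arch=40000003 syscall=11 success=yes exit=0 pid=11252 auid=500 uid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC msg=audit(1123382532.084:6803376): avc: denied { ioctl } for pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=AVC msg=audit(1123382533.231:6805020): avc: denied { search } for pid=11255 comm="sh" name="/" dev=devpts ino=1 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:devpts_t tclass=dir
type=AVC msg=audit(1123382533.235:6805055): avc: denied { search } for pid=11255 comm="sh" name="src" dev=hda2 ino=63918 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=AVC msg=audit(1123382533.235:6805055): avc: denied { getattr } for pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=AVC msg=audit(1123382533.237:6805075): avc: denied { read } for pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc: denied { write } for pid=11253 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc: denied { add_name } for pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc: denied { create } for pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.246:6805157): arch=40000003 syscall=5 success=yes exit=3 pid=11253 auid=500 uid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC msg=audit(1123382533.248:6805158): avc: denied { ioctl } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805158): arch=40000003 syscall=54 success=no exit=-25 pid=11253 auid=500 uid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC msg=audit(1123382533.248:6805160): avc: denied { getattr } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=AVC msg=audit(1123382533.249:6805169): avc: denied { write } for pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):.*?'
    r'\bsuccess=(?P<success>yes|no)\s+exit=(?P<exit>-?\d+)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn 'pid=1 comm="sh" name="/"' into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def type_of(context):
    """Type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record; None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = parse_fields(m.group("fields"))
    return {
        "serial": int(m.group("serial")),
        "perms": frozenset(m.group("perms").split()),
        "comm": f.get("comm"),
        "name": f.get("name"),
        "stype": type_of(f["scontext"]),
        "ttype": type_of(f["tcontext"]),
        "tclass": f["tclass"],
    }


def summarize(audit_text):
    """Denied permissions grouped by (source type, target type, class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the summary as allow rules, roughly as audit2allow would.

    Diagnostic output only: a rule against a generic type such as var_t
    usually means the object is mislabeled (here, the cache file should
    carry its own type), and the fix is labeling, not this rule.
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def denied_but_succeeded(audit_text):
    """Serials whose AVC denial is paired with a SYSCALL record that still
    reports success=yes: the denial was logged but not enforced, which is
    the signature of permissive mode (a heuristic, not a policy query).
    success=no with exit=-25 (ENOTTY) is the ioctl itself failing on a
    regular file, not evidence of enforcement."""
    avc_serials, syscall_ok = set(), {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            avc_serials.add(rec["serial"])
            continue
        m = SYSCALL_RE.match(line.strip())
        if m:
            syscall_ok[int(m.group("serial"))] = m.group("success") == "yes"
    return sorted(s for s in avc_serials if syscall_ok.get(s))


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
    print("denied yet succeeded (permissive?):", denied_but_succeeded(SAMPLE_AUDIT))
```

Run it against a real `/var/log/audit/audit.log` by passing the file contents to `summarize` and `denied_but_succeeded` instead of `SAMPLE_AUDIT`; the regexes expect the single-line record format the audit daemon writes, which is what the report quotes once the extraction line breaks are undone.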