Bug 1830493
Field | Value | Field | Value
---|---|---|---
Summary: | Typo in section 4.5. | |
Product: | Red Hat Enterprise Linux 7 | Reporter: | Tsur Trieger <triger_t>
Component: | doc-SELinux_Users_and_Administrators_Guide | Assignee: | Mirek Jahoda <mjahoda>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik>
Severity: | low | Docs Contact: |
Priority: | high | |
Version: | 7.8 | CC: | mprpic, pkennedy, plautrba, rhel-docs, zach
Target Milestone: | rc | Keywords: | Documentation, EasyFix
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2020-05-29 09:52:48 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Tsur Trieger
2020-05-02 08:22:17 UTC
Hello, thank you for the report. It seems that this has been misfiled: the document is RHEL 7 documentation, not Fedora documentation, so I'm changing the product and component, and someone from the RHEL documentation team will pick this up.

I believe that it should read as: "In *enforcing* mode, only the first denial is reported. However, in enforcing mode you might get a denial on reading a directory and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition." Petr, what is the most appropriate wording from your perspective?

Let me show you an example:

```
[root@localhost ~]# setenforce 1
[root@localhost ~]# date
Mon May 18 18:35:33 CEST 2020
[root@localhost ~]# runcon -t user_t -r user_r -u user_u -l s0 -- cat /etc/passwd > /dev/null
runcon: 'cat': Permission denied
[root@localhost ~]# runcon -t user_t -r user_r -u user_u -l s0 -- cat /etc/passwd > /dev/null
runcon: 'cat': Permission denied
[root@localhost ~]# runcon -t user_t -r user_r -u user_u -l s0 -- cat /etc/passwd > /dev/null
runcon: 'cat': Permission denied
[root@localhost ~]# ausearch -m avc -ts 18:35:33
----
time->Mon May 18 18:35:38 2020
type=AVC msg=audit(1589819738.988:690): avc: denied { transition } for pid=22368 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:38 2020
type=AVC msg=audit(1589819738.988:691): avc: denied { transition } for pid=22368 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:39 2020
type=AVC msg=audit(1589819739.842:692): avc: denied { transition } for pid=22374 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:39 2020
type=AVC msg=audit(1589819739.842:693): avc: denied { transition } for pid=22374 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:40 2020
type=AVC msg=audit(1589819740.673:694): avc: denied { transition } for pid=22375 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:40 2020
type=AVC msg=audit(1589819740.673:695): avc: denied { transition } for pid=22375 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
```

You get the same AVC denial message several times. But:

```
[root@localhost ~]# runcon -t user_t -r user_r -u user_u -l s0 -- cat /etc/passwd > /dev/null
[root@localhost ~]# runcon -t user_t -r user_r -u user_u -l s0 -- cat /etc/passwd > /dev/null
[root@localhost ~]# runcon -t user_t -r user_r -u user_u -l s0 -- cat /etc/passwd > /dev/null
[root@localhost ~]# ausearch -m avc -ts 18:38:24
----
time->Mon May 18 18:38:27 2020
type=AVC msg=audit(1589819907.682:710): avc: denied { transition } for pid=22827 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=1
```

You get only 1 AVC denial message, despite the fact that SELinux would have denied the transition at least 3 times in enforcing mode.
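The behaviour demonstrated in the example above (a record for every occurrence in enforcing mode, but only the first record for a given denial in permissive mode) matters when AVC counts from audit logs are used to judge how often a policy would block something. The following Python script is an added example and not part of the bug report or of the RHEL documentation: it parses ausearch-style AVC records, groups denials by source context, target context, object class and permission set, keeps permissive and enforcing records apart, and flags permissive-mode counts as a lower bound on the number of operations that would actually have been denied. The sample input is constructed from the records quoted in the comment above; the function and variable names are the example's own.

```python
import re

# Constructed sample input, modelled on the ausearch records quoted in the
# comment above: ausearch's "----"/"time->" separator lines, six records from
# the enforcing run (two per runcon pid) and one record from the permissive run.
SAMPLE_AUSEARCH_OUTPUT = """\
----
time->Mon May 18 18:35:38 2020
type=AVC msg=audit(1589819738.988:690): avc:  denied  { transition } for  pid=22368 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:38 2020
type=AVC msg=audit(1589819738.988:691): avc:  denied  { transition } for  pid=22368 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:39 2020
type=AVC msg=audit(1589819739.842:692): avc:  denied  { transition } for  pid=22374 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:39 2020
type=AVC msg=audit(1589819739.842:693): avc:  denied  { transition } for  pid=22374 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:40 2020
type=AVC msg=audit(1589819740.673:694): avc:  denied  { transition } for  pid=22375 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:35:40 2020
type=AVC msg=audit(1589819740.673:695): avc:  denied  { transition } for  pid=22375 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=0
----
time->Mon May 18 18:38:27 2020
type=AVC msg=audit(1589819907.682:710): avc:  denied  { transition } for  pid=22827 comm="runcon" path="/usr/bin/cat" dev="dm-1" ino=786826 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=process permissive=1
"""

# One AVC record: audit timestamp/serial, verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm, path) or bare (contexts, pid).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for separator or non-AVC lines."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "serial", "verdict")}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def signature(rec):
    """Grouping key: the permissive flag is part of it so the two modes never merge."""
    return (rec["scontext"], rec["tcontext"], rec["tclass"], rec["perms"], rec["permissive"])


def summarize(text):
    """Group denied AVC records by signature, counting records and distinct pids."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups.setdefault(signature(rec), {"records": 0, "pids": set()})
        g["records"] += 1
        g["pids"].add(rec["pid"])
    return groups


def report(groups):
    """One summary line per group; permissive counts are marked as a lower bound."""
    out = []
    for (scon, tcon, tclass, perms, permissive), g in sorted(groups.items(), key=lambda kv: kv[0]):
        mode = "permissive" if permissive else "enforcing"
        line = (f"{mode}: {scon} -> {tcon} {tclass} {{ {' '.join(perms)} }}: "
                f"{g['records']} record(s) from {len(g['pids'])} pid(s)")
        if permissive:
            # After the first permissive denial the decision is cached, so identical
            # later accesses are not audited again; the count is only a lower bound.
            line += " [lower bound: repeated identical denials are not logged in permissive mode]"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_AUSEARCH_OUTPUT)):
        print(line)
```

Run it as-is to see the enforcing group with six records from three pids next to the permissive group with a single record; to apply it to a live system, feed it the output of `ausearch -m avc` instead of the constructed sample. The point of keeping `permissive` in the grouping key is that an analyst comparing counts across a switch from permissive to enforcing is not misled by the cached-decision suppression shown in the comment above.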
Based on comment 4, I made the description of permissive mode clearer: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-enabling_and_disabling_selinux-dracut-parameters

Thank you for the report.