Bug 219999

Field | Value
---|---
Summary | denied getattr hald automount_etc_t
Product | [Fedora] Fedora
Component | selinux-policy
Version | 6
Status | CLOSED CURRENTRELEASE
Fixed In Version | Current
Severity | medium
Priority | medium
Hardware | All
OS | Linux
Reporter | Orion Poplawski <orion>
Assignee | Daniel Walsh <dwalsh>
QA Contact | Ben Levenson <benl>
CC | dwalsh, pradeepjp
Doc Type | Bug Fix
Last Closed | 2007-08-22 14:13:40 UTC
Description
Orion Poplawski
2006-12-18 05:27:46 UTC
Also seeing:

Dec 17 16:43:51 hawk kernel: audit(1166399031.969:3445): avc: denied { setgid } for pid=28543 comm="automount" capability=6 scontext=root:system_r:automount_t:s0 tcontext=root:system_r:automount_t:s0 tclass=capability

but this has been happening for longer.

That will be fixed in selinux-policy-2.4.6-15.

Thanks for the resolution, Daniel! Just for completeness, here's what I see in the logs:

Jan 10 05:48:17 odin setroubleshoot: SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to /etc/auto.misc (automount_etc_t). For complete SELinux messages. run sealert -l 239373a4-f370-48ca-84a4-9a82beb600c1

setgid is gone now, but now I see:

Jan 12 00:50:35 hawk kernel: audit(1168588235.987:213): avc: denied { setuid } for pid=32288 comm="automount" capability=7 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability

selinux-policy-2.4.6-23.fc6

Orion, are you in the wrong bugzilla?

Well, I thought it was related to my comment in #1, but I can file a new report if that helps.

Ah, ok, I guess I should have commented on the first one, but I have already added the fix and it should be in the -26 version, so don't worry about moving the report. If you add local policy, do you get any other AVCs?
Here's what I've got on this machine:

From when 2.4.6-17.fc6 was installed on top of 2.4.6-13.fc6 from cron:

Jan 8 04:22:10 hawk kernel: audit(1168255330.928:109): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan 8 04:22:10 hawk kernel: audit(1168255330.929:110): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

This is from a cfagent run started by the cfenvd daemon, I think:

Jan 9 11:52:48 hawk kernel: audit(1168368768.870:156): avc: denied { read write } for pid=14893 comm="ifconfig" name="[1508602]" dev=sockfs ino=1508602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket

Not sure about this one:

Jan 11 11:23:23 hawk kernel: audit(1168539803.007:203): avc: denied { read } for pid=21958 comm="umount" name="mounts" dev=proc ino=136314897 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=file

Sorry about still continuing random selinux-bugzilla entries, but I'm still seeing this when yum is run from cron and selinux is updated (mentioned in comment #8):

Apr 6 03:23:24 hammer kernel: audit(1175851404.139:21): avc: denied { write } for pid=9310 comm="load_policy" name="[3496209]" dev=pipefs ino=3496209 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

Also still seeing the very occasional:

Apr 4 14:28:08 hawk kernel: audit(1175718488.214:1774): avc: denied { read write } for pid=11473 comm="mount" name="[11889506]" dev=sockfs ino=11889506 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=udp_socket
Apr 7 00:31:26 hawk kernel: audit(1175927486.004:1778): avc: denied { read } for pid=13921 comm="umount" name="mounts" dev=proc ino=12709232 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=file

None of these are harmful, although I am sure they aggravate. Looks like automount is leaking an open file descriptor to a udp_socket. Not sure why umount would be looking at the /proc system for automount. This should be reported as a bug against automount.

I have updated the dontaudit rule for load_policy to now log when trying to write to the cron fifo_file. This is caused by the kernel looking at the terminal which is associated with load_policy and checking its access. When it is run from cron, the terminal is set to a fifo_file owned by unconfined_t.

Fixed in current release.
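The "add local policy" step the maintainer asks about, worked through on the AVC lines quoted in this report, as an added example (this is not code from the bug report, from setroubleshoot or from the selinux-policy package): a small Python parser for kernel `avc: denied` records that folds denials into one rule per (source type, target type, object class), the way `audit2allow` does, and wraps them in a loadable-module source. The sample lines are constructed from the ones quoted above; the module name `local`, and the choice to `dontaudit` the load_policy-under-cron denial rather than `allow` it, are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in this bug report, one per line.
SAMPLE_AVCS = """\
Jan 8 04:22:10 hawk kernel: audit(1168255330.928:109): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan 9 11:52:48 hawk kernel: audit(1168368768.870:156): avc: denied { read write } for pid=14893 comm="ifconfig" name="[1508602]" dev=sockfs ino=1508602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket
Jan 11 11:23:23 hawk kernel: audit(1168539803.007:203): avc: denied { read } for pid=21958 comm="umount" name="mounts" dev=proc ino=136314897 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=file
Apr 4 14:28:08 hawk kernel: audit(1175718488.214:1774): avc: denied { read write } for pid=11473 comm="mount" name="[11889506]" dev=sockfs ino=11889506 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=udp_socket
Dec 17 16:43:51 hawk kernel: audit(1166399031.969:3445): avc: denied { setgid } for pid=28543 comm="automount" capability=6 scontext=root:system_r:automount_t:s0 tcontext=root:system_r:automount_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one kernel AVC line into a dict; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type[:level]; policy rules are written against the type.
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
    }


def _perm_list(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    plist = sorted(perms)
    return plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"


def generate_rules(records, dontaudit=frozenset()):
    """Fold denials into one rule per (source type, target type, class), as audit2allow does.
    Keys listed in `dontaudit` get a dontaudit rule (silence the noise) instead of an allow."""
    perms_by_key = defaultdict(set)
    for rec in records:
        if rec and rec["verdict"] == "denied":
            perms_by_key[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        verb = "dontaudit" if (stype, ttype, tclass) in dontaudit else "allow"
        target = "self" if stype == ttype else ttype  # same type on both sides is spelled 'self'
        rules.append(f"{verb} {stype} {target}:{tclass} {_perm_list(perms)};")
    return rules


def build_module(name, records, dontaudit=frozenset()):
    """Render a loadable-module source (.te) with the require block that checkmodule needs."""
    types, classes = set(), defaultdict(set)
    for rec in records:
        if rec and rec["verdict"] == "denied":
            types.update((rec["stype"], rec["ttype"]))
            classes[rec["tclass"]] |= rec["perms"]
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + generate_rules(records, dontaudit)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    recs = [parse_avc(line) for line in SAMPLE_AVCS.splitlines()]
    # Assumption for illustration: the load_policy/cron denial is harmless (the maintainer says
    # so above), so it is silenced with dontaudit instead of being permitted.
    print(build_module("local", recs, dontaudit={("load_policy_t", "unconfined_t", "fifo_file")}))
```

The printed `local.te` is compiled and loaded with `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod` and `semodule -i local.pp`. The caveat the thread itself illustrates: do not load every `allow` the generator emits. The `mount_t automount_t:udp_socket` and `/proc` `mounts` denials are, per the maintainer, symptoms of automount leaking a descriptor into the helper it spawns, and the right fix is in automount, not a rule that lets `mount_t` read and write that socket; the `load_policy_t unconfined_t:fifo_file` denial is a harmless check on cron's controlling "terminal" and is exactly the case where `dontaudit` is the better answer than `allow`.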