Bug 2215507
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Listing /var with details (ls -l /var) leads to missing permissions printing on some directories | | |
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Welterlen Benoit <bwelterl> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | VERIFIED --- | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 9.0 | CC: | daniel.j.arevalo.civ, lvrabec, mmalik, nknazeko, ziad.a.haddad.civ, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-38.1.20-1.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2216151 | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2216151 | | |
Commit to backport: af31eedaf Allow user_u and staff_u get attributes of non-security dirs
Description of problem:

With the MLS policy and running in the staff_r role, listing /var with details (ls -l /var) leads to the permissions of some directories (/var/account, /var/crash and /var/yp) not being printed:

```
# id -Z
root:staff_r:staff_t:s0-s15:c0.c1023
# ls -l /var
ls: cannot access '/var/yp': Permission denied
ls: cannot access '/var/crash': Permission denied
ls: cannot access '/var/account': Permission denied
total 16
d?????????? ? ?    ?       ?            ? account
drwxr-xr-x.  2 root root    6 Aug 10  2021 adm
drwxr-xr-x. 18 root root 4096 Jan 27 10:15 cache
d?????????? ? ?    ?       ?            ? crash
drwxr-xr-x.  3 root root   18 Jan 27 10:01 db
drwxr-xr-x.  2 root root    6 Aug 10  2021 empty
drwxr-xr-x.  2 root root    6 Aug 10  2021 ftp
drwxr-xr-x.  2 root root    6 Aug 10  2021 games
drwxr-xr-x.  3 root root   18 Jan 27 10:01 kerberos
drwxr-xr-x. 59 root root 4096 Feb  6 10:06 lib
drwxr-xr-x.  2 root root    6 Aug 10  2021 local
lrwxrwxrwx.  1 root root   11 Jan 27 10:00 lock -> ../run/lock
drwxr-xr-x. 15 root root 4096 Feb  5 21:32 log
lrwxrwxrwx.  1 root root   10 Aug 10  2021 mail -> spool/mail
drwxr-xr-x.  2 root root    6 Aug 10  2021 nis
drwxr-xr-x.  2 root root    6 Aug 10  2021 opt
drwxr-xr-x.  2 root root    6 Aug 10  2021 preserve
lrwxrwxrwx.  1 root root    6 Jan 27 10:00 run -> ../run
drwxr-xr-x. 10 root root  106 Jan 27 10:03 spool
drwxrwxrwt.  7 root root 4096 Jun 16 11:02 tmp
d?????????? ? ?    ?       ?            ? yp
```

- If we disable the dontaudit rules, we can see the AVCs:

```
type=AVC msg=audit(1686904726.400:201): avc: denied { getattr } for pid=1502 comm="ls" path="/var/yp" dev="dm-0" ino=33839460 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1686904726.400:201): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7fff8c839a20 a2=100 a3=25e items=0 ppid=1464 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1686904726.400:201): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172

type=AVC msg=audit(1686904726.400:202): avc: denied { getattr } for pid=1502 comm="ls" path="/var/crash" dev="dm-0" ino=35114033 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:kdump_crash_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1686904726.400:202): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7fff8c839a10 a2=100 a3=25e items=0 ppid=1464 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1686904726.400:202): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172

type=AVC msg=audit(1686904726.400:203): avc: denied { getattr } for pid=1502 comm="ls" path="/var/account" dev="dm-0" ino=51226390 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1686904726.400:203): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7fff8c839a10 a2=100 a3=25e items=0 ppid=1464 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1686904726.400:203): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172
```

- From the policy, staff_t is not allowed to getattr these dirs:

```
$ sesearch -A -s staff_t -p getattr -c dir -t acct_data_t
<...>
$ sesearch -A -s staff_t -p getattr -c dir -t httpd_sys_content_t
<...>
$ sesearch -A -s staff_t -p getattr -c dir -t kdump_crash_t
<...>
$ sesearch -A -s staff_t -p getattr -c dir -t var_yp_t
allow nsswitch_domain var_yp_t:dir { getattr ioctl lock open read search }; [ nis_enabled ]:True
```

- Is there a reason to have this denial for staff_r?

Version-Release number of selected component (if applicable):
selinux-policy-mls-34.1.29-1.el9_0.2.noarch
RHEL9

How reproducible:
always

Steps to Reproduce:
1. enable MLS
2. ls -l /var
3.

Actual results:
Directory attributes are not printed.

Expected results:
Details on directories

Additional info:
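The denials above only become visible once the dontaudit rules are disabled, and they are then raw audit records. The following is an added example, not part of the bug report or of the selinux-policy project: a small stand-in for what `audit2allow` does, written in Python. It parses AVC records, merges the denied permissions per (source type, target type, class) into candidate `allow` rules, flags whether each denial happened in permissive mode (permissive=1 means the access was actually granted and only logged), and decodes the PROCTITLE hex so the command line that triggered the denial is readable. The sample records are constructed from the three AVCs quoted in the report; the function and constant names are this example's own.

```python
"""Summarise SELinux AVC denials the way a reviewer wants to see them.

Added example (not from the bug report or selinux-policy). The audit text
below is constructed from the three denials quoted in the report, in the
layout ausearch prints them in.
"""
import re
from collections import defaultdict

# Constructed sample input: AVC + PROCTITLE records from the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1686904726.400:201): avc:  denied  { getattr } for  pid=1502 comm="ls" path="/var/yp" dev="dm-0" ino=33839460 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir permissive=1
type=PROCTITLE msg=audit(1686904726.400:201): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172
type=AVC msg=audit(1686904726.400:202): avc:  denied  { getattr } for  pid=1502 comm="ls" path="/var/crash" dev="dm-0" ino=35114033 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:kdump_crash_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1686904726.400:203): avc:  denied  { getattr } for  pid=1502 comm="ls" path="/var/account" dev="dm-0" ino=51226390 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=1
"""

# One AVC record per line; whitespace inside the record is not significant.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)
PROCTITLE_RE = re.compile(r"type=PROCTITLE .*?proctitle=(?P<hex>[0-9A-Fa-f]+)\s*$")


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def decode_proctitle(hexstr):
    """PROCTITLE carries argv as hex with NUL separators; return argv as a list."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")


def parse_avcs(text):
    """Return one dict per AVC record found in the audit text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = set(d["perms"].split())
        d["stype"] = context_type(d["scontext"])
        d["ttype"] = context_type(d["tcontext"])
        # permissive=1: the access was logged but still allowed by the kernel.
        d["permissive"] = d["permissive"] == "1"
        records.append(d)
    return records


def allow_rules(text):
    """Merge denials into candidate allow rules keyed by (stype, ttype, tclass).

    This is the audit2allow-style view: every denied permission for the same
    source/target/class pair ends up in one rule.  A real policy fix may use
    an interface or attribute instead of a raw allow, as the backported commit
    for this bug does, but the merged rule is what you review first.
    """
    merged = defaultdict(set)
    for avc in parse_avcs(text):
        if avc["verdict"] != "denied":
            continue
        merged[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return {
        key: f"allow {key[0]} {key[1]}:{key[2]} {{ {' '.join(sorted(perms))} }};"
        for key, perms in merged.items()
    }


def proctitles(text):
    """Decode every PROCTITLE record in the text into an argv list."""
    return [decode_proctitle(m.group("hex"))
            for m in map(PROCTITLE_RE.search, text.splitlines()) if m]


if __name__ == "__main__":
    for argv in proctitles(SAMPLE_AUDIT):
        print("command:", " ".join(argv))
    for avc in parse_avcs(SAMPLE_AUDIT):
        mode = "permissive" if avc["permissive"] else "enforcing"
        print(f"{avc['stype']} -> {avc['ttype']}:{avc['tclass']} "
              f"{sorted(avc['perms'])} ({mode})")
    for rule in allow_rules(SAMPLE_AUDIT).values():
        print(rule)
```

Run against real output, feed it `ausearch -m AVC,PROCTITLE -ts recent` after `semodule -DB` has disabled the dontaudit rules (and re-enable them afterwards with `semodule -B`). Note that the merged rules are a starting point for review, not something to load verbatim: a `getattr` on `var_yp_t` that the report's `sesearch` shows is already granted to `nsswitch_domain` under the `nis_enabled` boolean should be handled through the existing interface rather than a new raw allow.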