Bug 229543

Summary: LSPP: odd avc message
Product: Red Hat Enterprise Linux 5
Reporter: Kylene J Hall <kylene>
Component: kernel
Assignee: Eric Paris <eparis>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 5.0
CC: eparis, iboverma, linda.knippers, sdsmall, sgrubb
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-03-05 22:39:18 UTC
Bug Blocks: 224041

Description Kylene J Hall 2007-02-21 19:34:50 UTC
Description of problem:
Kernel problem specifically with SELinux.

When attempting to write garbage (i.e. "invalid context") to
/proc/self/attr/current or /proc/self/attr/exec I get an AVC message that says
granted {setcurrent} or granted {setexec} even though the write fails as expected.

If I had to guess I'd say the SELinux check is probably passing, thus the AVC
granted; however, an admin looking for who changed their process context would
probably want to know the operation ultimately failed, no?

Version-Release number of selected component (if applicable):
kernel-2.6.18-8.el5.lspp.65
selinux-policy-mls-2.4.6-37.el5

How reproducible:
Always

Steps to Reproduce:
1. echo "invalid context" > /proc/self/attr/current
2. tail /var/log/audit/audit.log
  
Actual results:
type=AVC msg=audit(1172085945.393:64052): avc:  granted  { setcurrent } for  pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process

Expected results:
Thought it would be an avc:  denied  { setcurrent } message.

Additional info:

Comment 1 Stephen Smalley 2007-02-22 12:52:45 UTC
Not a bug.  SELinux avc messages are only about the permission check itself, not
the full operation (syscall audit records are for the latter), and only show you
whether the permission was granted by policy or denied by policy.  setcurrent is
just a check to see whether the task is allowed to change its current context at
all, not a check against the new context (the latter is covered by the later
dyntransition check, but we never reach that since the context wasn't valid at all).
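
An added example, not part of this bug report or of the kernel, of the correlation Comment 1 points at: an audit event is every record that shares one serial (the number after the colon in `msg=audit(…:64052)`), so the outcome of the write that produced an "avc: granted" line is found in the SYSCALL record with the same serial, not in the AVC line. The first AVC line below is the one from the report; the SYSCALL records, the second event (a valid context, so the later dyntransition check is reached and the write succeeds) and the third event (an AVC line with no SYSCALL record at all) are constructed for this example, and the field values in them are assumptions, including the assumption that both setcurrent and dyntransition are auditallow'd in the policy in use.

```python
import re
from collections import defaultdict

# Constructed sample audit.log (not captured from a real system). The first AVC line is
# the one in the bug report; everything else is made up to illustrate the correlation.
SAMPLE_LOG = """\
type=AVC msg=audit(1172085945.393:64052): avc:  granted  { setcurrent } for  pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172085945.393:64052): arch=c000003e syscall=1 success=no exit=-22 a0=1 a1=2b4c3a0 a2=10 a3=0 items=0 pid=21353 comm="bash" exe="/bin/bash" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1172085991.812:64061): avc:  granted  { setcurrent } for  pid=21360 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1172085991.812:64061): avc:  granted  { dyntransition } for  pid=21360 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0 tclass=process
type=SYSCALL msg=audit(1172085991.812:64061): arch=c000003e syscall=1 success=yes exit=24 a0=1 a1=2b4c3a0 a2=18 a3=0 items=0 pid=21360 comm="bash" exe="/bin/bash" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1172086020.500:64070): avc:  granted  { setexec } for  pid=21370 comm="runcon" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process
"""

# type=<record type> msg=audit(<timestamp>:<serial>): <body>
EVENT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# avc:  granted  { perm perm } for  k=v k=v ...
AVC_RE = re.compile(r'avc:\s+(?P<decision>granted|denied)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}


def group_events(lines):
    """Group raw records by event serial; all records of one syscall share a serial."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events[int(m['serial'])].append((m['type'], m['body']))
    return dict(events)


def event_outcomes(lines):
    """Map serial -> (granted permissions, syscall succeeded?). The second item is
    None when the event has no SYSCALL record, in which case the outcome is unknown:
    the AVC line alone never says whether the operation went through."""
    out = {}
    for serial, records in group_events(lines).items():
        granted, success = [], None
        for rtype, body in records:
            if rtype == 'SYSCALL':
                success = parse_fields(body).get('success') == 'yes'
            elif rtype == 'AVC':
                m = AVC_RE.search(body)
                if m and m['decision'] == 'granted':
                    granted.append(m['perms'].strip())
        out[serial] = (granted, success)
    return out


def granted_but_failed(lines):
    """Return (serial, perms, comm, exit) for each 'avc: granted' whose SYSCALL record
    says success=no: the permission check passed, the operation itself did not."""
    hits = []
    for serial, records in sorted(group_events(lines).items()):
        syscall = next((parse_fields(b) for t, b in records if t == 'SYSCALL'), None)
        if syscall is None or syscall.get('success') != 'no':
            continue
        for rtype, body in records:
            m = AVC_RE.search(body) if rtype == 'AVC' else None
            if m and m['decision'] == 'granted':
                comm = parse_fields(m['fields']).get('comm')
                hits.append((serial, m['perms'].strip(), comm, int(syscall['exit'])))
    return hits


if __name__ == '__main__':
    for serial, perms, comm, code in granted_but_failed(SAMPLE_LOG.splitlines()):
        print(f"event {serial}: {comm} was granted {{ {perms} }} but the write failed, exit={code}")
```

On a live system the same correlation is `ausearch -a 64052` (all records of that event) or `ausearch -i` to have the syscall number and exit code interpreted. The caveat the third sample event stands for: the SYSCALL record only exists when kernel syscall auditing is active (auditd running, or `audit=1` on the kernel command line); with auditing off the AVC message goes to syslog on its own and nothing records whether the write succeeded.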


Comment 2 Issue Tracker 2007-02-22 21:35:51 UTC
----- Additional Comments From krisw.com  2007-02-22 15:25 EDT -------
The interface shouldn't report success for invalid operations. I don't think
this should be closed but perhaps deferred for a future fix.

Internal Status set to 'Waiting on Support'
Status set to: Waiting on Tech

This event sent from IssueTracker by jwest, issue 114371

Comment 5 Steve Grubb 2007-03-05 22:39:18 UTC
We should address this against the new development work and not RHEL5. Will
close the bug.