Bug 237617
| Summary: | logwatch_t should be allowed to search httpd_sys_content_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Tomas Mraz <tmraz> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.0 | CC: | ebenes, varekova |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-11-07 16:39:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This seems legal. Its just trying to find the mount point so it can do a statfs. The question is it necessary or not. IE Can we don't audit it or do we need to allow it. If we allow it, it would mean that logwatch_t can read all search all directories on the system, even ones with no log files. If we can dontaudit it and everything continues to work it would be much easier to get up stream. But it makes df (which is called in every logwatch) to add permission denied to the mail generated by logwatch. Alternative solution (perhaps preferable?) could be to have special exec_t assigned to df and transition when it is called from logwatch. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. Fixed in selinux-policy-2.4.6-69.el5.src.rpm Tomas, could you try the latest policy available at the link below and reply whether the new packages solve your problem? Thank you. http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/88.el5/ noarch/ An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html |
Logwatch reports free spaces of all mounted directories calling df. I have mounted a filesystem with httpd_sys_content_t context into /var/www/html subdir. Here is the raw avc: avc: denied { search } for comm="df" dev=dm-2 egid=0 euid=0 exe="/bin/df" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="www" pid=4127 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=(none) uid=0 Note that basically logwatch_t should be allowed to search any contexts which can be potentially assigned to directories.