Bug 249754
Summary: | File watches using audit fail on files located in user home dirs | | |
---|---|---|---
Product: | Red Hat Enterprise Linux 5 | Reporter: | Justin Nemmers <jnemmers> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 5.0 | CC: | ebenes |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2007-11-07 16:40:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Justin Nemmers
2007-07-26 20:10:35 UTC
More info about the bug: As jnemmers, I create a file in /home/jnemmers:

```
[jnemmers@ThinClientTest ~]$ date > file; ls -Z file
-rw-rw-r--  jnemmers jnemmers user_u:object_r:user_home_t      file
```

Then, I verify that I can read said file as root:

```
[root@ThinClientTest ~]# cat /home/jnemmers/file
Thu Jul 26 14:35:01 EDT 2007
```

But it seems that when I attempt to create an audit watch on that file, I get AVC denials:

```
[root@ThinClientTest ~]# auditctl -w /home/jnemmers/file
Error sending add rule data request (Permission denied)
```

and from the Audit log:

```
type=AVC msg=audit(1185475033.137:1228): avc: denied { dac_override } for pid=27209 comm="auditctl" capability=1 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1185475033.137:1228): avc: denied { dac_read_search } for pid=27209 comm="auditctl" capability=2 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=CONFIG_CHANGE msg=audit(1185475033.137:1229): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key=(null) list=4 res=0
type=SYSCALL msg=audit(1185475033.137:1228): arch=40000003 syscall=102 success=yes exit=1076 a0=b a1=bfc7bc90 a2=805d4c4 a3=97a6008 items=0 ppid=26853 pid=27209 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="auditctl" exe="/sbin/auditctl" subj=root:system_r:auditctl_t:s0-s0:c0.c1023 key=(null)
```

Fixed in selinux-policy-2.4.6-81

With the current policy (84), I'm still getting AVC denials when setting watches on file in user home dir. This seems to be present only with audit-1.5.5-7 (no AVC with 1.3.1-1):

```
.qa.[root@pipa03 ~]# auditctl -W /home/foo/file
.qa.[root@pipa03 ~]# date
Tue Aug 28 13:12:14 CEST 2007
.qa.[root@pipa03 ~]# auditctl -w /home/foo/file
.qa.[root@pipa03 ~]# ausearch --start 13:12:15 -sv no -c auditctl
----
time->Tue Aug 28 13:12:33 2007
type=SYSCALL msg=audit(1188299553.731:268): arch=40000003 syscall=195 success=no exit=-13 a0=bf907b71 a1=bf906140 a2=368ff4 a3=3 items=0 ppid=3399 pid=3890 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="auditctl" exe="/sbin/auditctl" subj=root:system_r:auditctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1188299553.731:268): avc: denied { getattr } for pid=3890 comm="auditctl" path="/home/foo/file" dev=sda2 ino=29392920 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
.qa.[root@pipa03 ~]# cat /home/foo/file
Tue Aug 28 12:46:12 CEST 2007
.qa.[root@pipa03 ~]# ausearch --start 13:12:14 -m PATH -f "/home/foo/file"
----
time->Tue Aug 28 13:14:49 2007
type=PATH msg=audit(1188299689.104:270): item=0 name="/home/foo/file" inode=29392920 dev=08:02 mode=0100664 ouid=501 ogid=501 rdev=00:00 obj=user_u:object_r:user_home_t:s0
type=CWD msg=audit(1188299689.104:270): cwd="/root"
type=SYSCALL msg=audit(1188299689.104:270): arch=40000003 syscall=5 success=yes exit=3 a0=bfe81b7d a1=8000 a2=0 a3=8000 items=1 ppid=3399 pid=3898 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
.qa.[root@pipa03 ~]# sestatus && rpm -qa | grep selinux-policy
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
selinux-policy-mls-2.4.6-84.el5.noarch
selinux-policy-strict-2.4.6-84.el5.noarch
selinux-policy-2.4.6-84.el5.noarch
selinux-policy-targeted-2.4.6-84.el5.noarch
selinux-policy-devel-2.4.6-84.el5.noarch
```

Fixed in selinux-policy-2.4.6-85

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
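The denials above are the kind a defender wants to spot before assuming a watch rule is actually in place: the `auditctl_t` domain is being refused `getattr` on a `user_home_t` file, so the watch silently never gets added. The following parser is an added example written for this page, not code from the bug report or from the audit project; it extracts the source type, target type, object class and denied permissions from AVC records (the sample lines are constructed from the records quoted in the report) and groups denials raised by a given source domain so a policy gap like this one can be triaged.

```python
import re
from collections import Counter

# Constructed sample: the AVC and SYSCALL records quoted in this bug report.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1185475033.137:1228): avc: denied { dac_override } for pid=27209 '
    'comm="auditctl" capability=1 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 '
    'tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1188299553.731:268): avc: denied { getattr } for pid=3890 '
    'comm="auditctl" path="/home/foo/file" dev=sda2 ino=29392920 '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1188299553.731:268): arch=40000003 syscall=195 success=no '
    'exit=-13 comm="auditctl" exe="/sbin/auditctl"',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component (user:role:TYPE[:range]) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit record; return None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def denials_for_domain(lines, domain):
    """All AVC denials whose source domain type equals `domain` (e.g. auditctl_t)."""
    return [d for d in map(parse_avc, lines) if d and d["source_type"] == domain]


def summarize(denials):
    """Count denials by (source type, target type, class, permissions) for triage."""
    return Counter((d["source_type"], d["target_type"], d["tclass"],
                    tuple(sorted(d["perms"]))) for d in denials)
```

Run over a real `/var/log/audit/audit.log`, a non-empty summary for `auditctl_t` after `auditctl -w` means the rule was rejected by policy and the file is not being watched, whatever `auditctl` printed.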