Bug 249754

Summary: File watches using audit fail on files located in user home dirs
Product: Red Hat Enterprise Linux 5
Reporter: Justin Nemmers <jnemmers>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: 5.0
CC: ebenes
Hardware: All
OS: Linux
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 16:40:56 UTC

Description Justin Nemmers 2007-07-26 20:10:35 UTC
root is able to create a watch on the parent dir without issue:
[root@ThinClientTest ~]# ls -Zd /home/joesmith
drwx------  joesmith joesmith user_u:object_r:user_home_dir_t  /home/joesmith
[root@ThinClientTest ~]# auditctl -w /home/joesmith
(returns with no errors)

Expected results:
Watch rule is successfully added. Disabling SELinux and re-running the auditctl -w /home/joesmith/file
command produces the desired result.

Comment 2 Steve Grubb 2007-07-26 20:18:44 UTC
More info about the bug:

As jnemmers, I create a file in /home/jnemmers:
[jnemmers@ThinClientTest ~]$ date > file; ls -Z file
-rw-rw-r--  jnemmers jnemmers user_u:object_r:user_home_t      file

Then, I verify that I can read said file as root:
[root@ThinClientTest ~]# cat /home/jnemmers/file
Thu Jul 26 14:35:01 EDT 2007

But it seems that when I attempt to create an audit watch on that  
file, I get AVC denials:
[root@ThinClientTest ~]# auditctl -w /home/jnemmers/file
Error sending add rule data request (Permission denied)

and from the Audit log:
type=AVC msg=audit(1185475033.137:1228): avc:  denied  { dac_override } for  pid=27209 comm="auditctl" capability=1 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1185475033.137:1228): avc:  denied  { dac_read_search } for  pid=27209 comm="auditctl" capability=2 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=CONFIG_CHANGE msg=audit(1185475033.137:1229): auid=0 subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key=(null) list=4 res=0
type=SYSCALL msg=audit(1185475033.137:1228): arch=40000003 syscall=102 success=yes exit=1076 a0=b a1=bfc7bc90 a2=805d4c4 a3=97a6008 items=0 ppid=26853 pid=27209 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="auditctl" exe="/sbin/auditctl" subj=root:system_r:auditctl_t:s0-s0:c0.c1023 key=(null)

Comment 3 Daniel Walsh 2007-07-27 09:47:59 UTC
Fixed in selinux-policy-2.4.6-81

Comment 9 Eduard Benes 2007-08-28 14:40:55 UTC
With the current policy (84), I'm still getting AVC denials when setting
watches on a file in a user home dir. This seems to be present only with
audit-1.5.5-7 (no AVC with 1.3.1-1):

.qa.[root@pipa03 ~]# auditctl -W /home/foo/file
.qa.[root@pipa03 ~]# date
Tue Aug 28 13:12:14 CEST 2007
.qa.[root@pipa03 ~]# auditctl -w /home/foo/file
.qa.[root@pipa03 ~]#  ausearch --start 13:12:15 -sv no -c auditctl
----
time->Tue Aug 28 13:12:33 2007
type=SYSCALL msg=audit(1188299553.731:268): arch=40000003 syscall=195 success=no exit=-13 a0=bf907b71 a1=bf906140 a2=368ff4 a3=3 items=0 ppid=3399 pid=3890 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="auditctl" exe="/sbin/auditctl" subj=root:system_r:auditctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1188299553.731:268): avc:  denied  { getattr } for  pid=3890 comm="auditctl" path="/home/foo/file" dev=sda2 ino=29392920 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
.qa.[root@pipa03 ~]# cat /home/foo/file
Tue Aug 28 12:46:12 CEST 2007
.qa.[root@pipa03 ~]# ausearch --start  13:12:14 -m PATH -f "/home/foo/file"
----
time->Tue Aug 28 13:14:49 2007
type=PATH msg=audit(1188299689.104:270): item=0 name="/home/foo/file" inode=29392920 dev=08:02 mode=0100664 ouid=501 ogid=501 rdev=00:00 obj=user_u:object_r:user_home_t:s0
type=CWD msg=audit(1188299689.104:270):  cwd="/root"
type=SYSCALL msg=audit(1188299689.104:270): arch=40000003 syscall=5 success=yes exit=3 a0=bfe81b7d a1=8000 a2=0 a3=8000 items=1 ppid=3399 pid=3898 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
.qa.[root@pipa03 ~]#  sestatus && rpm -qa | grep selinux-policy
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
selinux-policy-mls-2.4.6-84.el5.noarch
selinux-policy-strict-2.4.6-84.el5.noarch
selinux-policy-2.4.6-84.el5.noarch
selinux-policy-targeted-2.4.6-84.el5.noarch
selinux-policy-devel-2.4.6-84.el5.noarch

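The two rounds of denials above are different: comment 2 shows auditctl_t being refused the dac_override and dac_read_search capabilities while the rule is sent over netlink (syscall 102 on i386 is socketcall), while comment 9 shows the newer auditctl stat()ing the path first (syscall 195 on i386 is stat64, exit=-13 is EACCES) and being refused getattr on a user_home_t file. The script below is an added example, not part of this bug report or of selinux-policy or audit: it re-joins those AVC records (a constructed sample copied from the comments) and derives the TE allow rules they call for, the way audit2allow would, so the reader can see which domain and which object type each round of the fix had to cover. The watch_smoke_test function and the home_watch_test key name are hypothetical; that function only makes sense on a live box as root with auditctl and ausearch present, and it repeats the check comment 9 performs: add the watch, confirm it is listed, then search for failed auditctl events since the start time.

```shell
#!/bin/sh
# Added example, not from the bug report: derive SELinux allow rules from
# AVC records and smoke-test a file watch the way comment 9 does.

# Constructed sample: the three AVC records from comments 2 and 9,
# one record per line. Contexts, pids and inodes are copied from the report.
SAMPLE_AVCS='type=AVC msg=audit(1185475033.137:1228): avc:  denied  { dac_override } for  pid=27209 comm="auditctl" capability=1 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1185475033.137:1228): avc:  denied  { dac_read_search } for  pid=27209 comm="auditctl" capability=2 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1188299553.731:268): avc:  denied  { getattr } for  pid=3890 comm="auditctl" path="/home/foo/file" dev=sda2 ino=29392920 scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# avc_to_allow: read AVC records on stdin and print one TE allow rule per
# (source type, target type, class), with the denied permissions merged.
# A target equal to the source is printed as "self", as audit2allow does.
avc_to_allow() {
    awk '
    /type=AVC/ && /denied/ {
        # the denied permissions sit between "{" and "}"
        perm = $0; sub(/.*denied *[{] */, "", perm); sub(/ *[}].*/, "", perm)
        src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
        tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        # the type is the third colon-separated field of a context
        split(src, s, ":"); split(tgt, t, ":")
        target = (s[3] == t[3]) ? "self" : t[3]
        key = s[3] " " target ":" cls
        if (!(key in perms))
            perms[key] = perm
        else if (index(" " perms[key] " ", " " perm " ") == 0)
            perms[key] = (perms[key] " " perm)
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
    }
    END {
        for (i = 1; i <= n; i++)
            printf "allow %s { %s };\n", keys[i], perms[keys[i]]
    }'
}

# watch_smoke_test PATH: hypothetical helper for a live system (root,
# auditctl and ausearch present). Adds a watch on PATH, checks that
# auditctl -l lists it, removes it again, then looks for failed auditctl
# events since the start time, which is where an AVC like the ones above
# shows up. Returns non-zero if the watch is missing or denials appeared.
watch_smoke_test() {
    path=$1
    start=$(date +%H:%M:%S)
    auditctl -w "$path" -k home_watch_test || return 1
    auditctl -l | grep -F -- "$path" >/dev/null || { echo "watch on $path not listed"; return 1; }
    auditctl -W "$path" -k home_watch_test
    # -sv no: failed syscalls only; -c auditctl: only records from auditctl.
    # ausearch exits 0 when it finds matching records.
    if ausearch --start "$start" -sv no -c auditctl >/dev/null 2>&1; then
        echo "auditctl was denied something after $start; see ausearch --start $start -c auditctl"
        return 1
    fi
    echo "watch on $path added and removed with no denials"
}

# Stand-alone run: print the rules the sample records call for.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
```

Run stand-alone, the script prints two rules: `allow auditctl_t self:capability { dac_override dac_read_search };` for the comment 2 denials and `allow auditctl_t user_home_t:file { getattr };` for the comment 9 denial. Whatever form the fixes in selinux-policy-2.4.6-81 and -85 took, this is the shape of access a watch on a home-directory file needs: the tool domain, not the root shell, is what SELinux is checking, which is why reading the file as root succeeds while the watch fails.
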
Comment 10 Daniel Walsh 2007-08-28 17:46:10 UTC
Fixed in selinux-policy-2.4.6-85

Comment 14 errata-xmlrpc 2007-11-07 16:40:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html