Bug 250337

Summary: brctl generates a SELinux avc denial
Product: [Fedora] Fedora Reporter: Jeroen Beerstra <jeroen>
Component: bridge-utilsAssignee: David Woodhouse <dwmw2>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 7CC: triage
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-17 02:02:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeroen Beerstra 2007-07-31 21:27:42 UTC 
Description of problem:

During boot a avc related to /usr/sbin/brctl is generated, apparently it tries
to search /.

Version-Release number of selected component (if applicable):

bridge-utils-1.1-2
selinux-policy-targeted-2.6.4-28.fc7

How reproducible:


Steps to Reproduce:
1. Boot system
  
Actual results:

a SELinux avc denial is generatied

Expected results:

Brctl should not do anything it's not supposed to do or SELinux should allow
this opperation.

Additional info:

$ ls -aZ /
drwxr-xr-x  root root system_u:object_r:root_t         .
drwxr-xr-x  root root system_u:object_r:root_t         ..
-rw-r--r--  root root system_u:object_r:etc_runtime_t  .autofsck
drwxr-xr-x  root root system_u:object_r:default_t      backup
drwxr-xr-x  root root system_u:object_r:bin_t          bin
drwxr-xr-x  root root system_u:object_r:boot_t         boot
drwxr-xr-x  root root system_u:object_r:default_t      crypto
drwxr-xr-x  root root system_u:object_r:default_t      data
drwxr-xr-x  root root system_u:object_r:device_t       dev
drwxr-xr-x  root root system_u:object_r:default_t      dvdtmp
drwxr-xr-x  root root system_u:object_r:etc_t          etc
drwxr-xr-x  root root system_u:object_r:default_t      extra
drwxr-xr-x  root root system_u:object_r:default_t      extra2
drwxr-xr-x  root root system_u:object_r:home_root_t    home
drwxr-xr-x  root root system_u:object_r:lib_t          lib
drwxr-xr-x  root root system_u:object_r:lib_t          lib64
drwx------  root root system_u:object_r:lost_found_t   lost+found
drwxr-xr-x  root root system_u:object_r:mnt_t          media
drwxr-xr-x  root root system_u:object_r:autofs_t       misc
drwxr-xr-x  root root system_u:object_r:mnt_t          mnt
drwxr-xr-x  root root system_u:object_r:autofs_t       net
drwxr-xr-x  root root system_u:object_r:usr_t          opt
dr-xr-xr-x  root root system_u:object_r:proc_t         proc
drwx------  root root root:object_r:user_home_dir_t    root
drwxr-xr-x  root root system_u:object_r:bin_t          sbin
drwxr-xr-x  root root system_u:object_r:security_t     selinux
drwxr-xr-x  root root system_u:object_r:default_t      share
drwxr-xr-x  root root system_u:object_r:var_t          srv
drwxr-xr-x  root root system_u:object_r:sysfs_t        sys
drwxrwxrwt  root root system_u:object_r:tmp_t          tmp
drwxr-xr-x  root root system_u:object_r:usr_t          usr
drwxr-xr-x  root root system_u:object_r:var_t          var
drwxr-xr-x  root root system_u:object_r:default_t      .vmware

Summary
    SELinux is preventing /usr/sbin/brctl (brctl_t) "search" to / (sysfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/brctl. It is not expected that
    this access is required by /usr/sbin/brctl and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for /, restorecon -v / If this does
    not work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:brctl_t
Target Context                system_u:object_r:sysfs_t
Target Objects                / [ dir ]
Affected RPM Packages         bridge-utils-1.1-2
                              [application]filesystem-2.4.6-1.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-28.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     neo.lokaal.net
Platform                      Linux neo.lokaal.net 2.6.22.1-33.fc7 #1 SMP Mon
                              Jul 23 16:59:15 EDT 2007 x86_64 x86_64
Alert Count                   3
First Seen                    ma 30 jul 2007 16:13:29 CEST
Last Seen                     di 31 jul 2007 23:03:42 CEST
Local ID                      4150b53c-f790-4caf-af17-e291bbd6da4a
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="brctl" dev=sysfs egid=0 euid=0
exe="/usr/sbin/brctl" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3124
scontext=system_u:system_r:brctl_t:s0 sgid=0 subj=system_u:system_r:brctl_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:sysfs_t:s0 tty=(none) uid=0
Comment 1 Bug Zapper 2008-05-14 13:47:19 UTC 
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Bug Zapper 2008-06-17 02:02:21 UTC 
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.