Bug 433607

Summary: SELinux doesn't allow uux to be run from cron
Product: [Fedora] Fedora Reporter: Nils Philippsen <nphilipp>
Component: selinux-policyAssignee: Radek Vokál <rvokal>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 8Keywords: Regression
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-17 22:03:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nils Philippsen 2008-02-20 10:31:54 UTC 
With the update to selinux-policy-3.0.8-84.fc8, I get AVC denials for uux which
is run by uucico which I run from a cronjob:

--- 8< ---
Summary
    SELinux is preventing /usr/bin/uux (uux_t) "read write" to anon_inode
    (anon_inodefs_t).

Detailed Description
    SELinux denied access requested by /usr/bin/uux. It is not expected that
    this access is required by /usr/bin/uux and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for anon_inode, restorecon -v
    anon_inode If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:uux_t:s0
Target Context                system_u:object_r:anon_inodefs_t:s0
Target Objects                anon_inode [ file ]
Affected RPM Packages         uucp-1.07-16.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     wombat
Platform                      Linux wombat 2.6.23.15-137.fc8 #1 SMP Sun Feb 10
                              17:03:13 EST 2008 x86_64 x86_64
Alert Count                   120
First Seen                    Tue 22 Jan 2008 09:19:20 AM CET
Last Seen                     Wed 20 Feb 2008 11:17:45 AM CET
Local ID                      c1b9dd66-db33-4b2a-8949-a9b8d4cb22ed
Line Numbers                  

Raw Audit Messages            

avc: denied { read write } for comm=uux dev=anon_inodefs egid=14 euid=10
exe=/usr/bin/uux exit=0 fsgid=14 fsuid=10 gid=14 items=0
path=anon_inode:[eventpoll] pid=8519 scontext=system_u:system_r:uux_t:s0 sgid=14
subj=system_u:system_r:uux_t:s0 suid=10 tclass=file
tcontext=system_u:object_r:anon_inodefs_t:s0 tty=(none) uid=10
--- >8 ---
Comment 1 Josef Kubin 2008-02-20 13:25:45 UTC 
I'll fix it.
Comment 4 Daniel Walsh 2008-02-26 22:48:57 UTC 
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-89.fc8
Comment 5 Tony Fu 2008-10-06 01:27:29 UTC 
User jkubin's account has been closed
Comment 6 Daniel Walsh 2008-11-17 22:03:07 UTC 
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.