Bug 442054

Summary: audit + prelude AVCs
Product: [Fedora] Fedora
Reporter: LC Bruzenak <lenny>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dwalsh, jkubin, sgrubb
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-14 18:01:07 UTC
Attachments:
audisp-prelude avc (flags: none)
ausearch avc (flags: none)
prelude avc (flags: none)

Description LC Bruzenak 2008-04-11 14:38:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.4) Gecko/20070607 Swiftweasel/2.0.0.4

Description of problem:
Rawhide (F9) with:

policycoreutils-2.0.46-2.fc9.i386
selinux-policy-3.3.1-32.fc9.noarch
selinux-policy-devel-3.3.1-32.fc9.noarch
policycoreutils-newrole-2.0.46-2.fc9.i386
selinux-policy-mls-3.3.1-32.fc9.noarch
selinux-policy-targeted-3.3.1-32.fc9.noarch
checkpolicy-2.0.13-1.fc9.i386
hack-policy-1.0.0-18.noarch
policycoreutils-gui-2.0.46-2.fc9.i386

audit-1.7.1-1.fc9.i386

prelude-manager-0.9.11-1.fc9.i386
libprelude-0.9.16.2-2.fc9.i386
prelude-lml-0.9.11-2.fc9.i386

After booting and starting up the application, I see a number of AVCs in audit (attached).

I am using relaying from this machine to another; this is different from Steve G.'s testing. 

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.3.1-32.fc9.noarch

How reproducible:
Always


Steps to Reproduce:
1. Boot
2. Start application
3. Run "ausearch --start today -m avc -x prelude"

Actual Results:
Saw the attached AVC list in the ausearch results.

Expected Results:
Hopefully no AVCs related to prelude/audit.

Additional info:
I can add any relevant information needed on request (audit rules, etc.) but didn't want to clog this bz with irrelevant info.
Attached files are results of:
prelude.avc : ausearch --start today -m avc -x prelude > prelude.avc
ausearch.avc : ausearch --start today -m avc -x ausearch > ausearch.avc
audisp-prelude.avc : ausearch --start today -m avc -x audisp-prelude > audisp-prelude.avc

Comment 1 LC Bruzenak 2008-04-11 14:39:45 UTC
Created attachment 302128
audisp-prelude avc

Comment 2 LC Bruzenak 2008-04-11 14:40:15 UTC
Created attachment 302129
ausearch avc

Comment 3 LC Bruzenak 2008-04-11 14:40:35 UTC
Created attachment 302130
prelude avc

Comment 4 Daniel Walsh 2008-04-14 17:59:47 UTC
This looks like a labeling problem.  prelude-manager is running as initrc_t
rather than the correct context.  What is it labeled?

Also staff_t should not be allowed to look at audit data, so the second avc's
are caused by you not transitioning to sysadm_r:sysadm_t


Comment 5 Daniel Walsh 2008-04-14 18:01:07 UTC
The other problem is prelude policy is not included in mls policy.  I will add
and update 

Fixed in selinux-policy-3.3.1-35.fc9

Comment 6 LC Bruzenak 2008-04-14 20:28:23 UTC
(In reply to comment #4)
> This looks like a labeling problem.  prelude-manager is running as initrc_t
> rather than the correct context.  What is it labeled?
> 
> Also staff_t should not be allowed to look at audit data, so the second avc's
> are caused by you not transitioning to sysadm_r:sysadm_t
> 
prelude-manager is labeled:
[lenny@sun ~]$ ls -alZ /usr/bin/prelude-manager
-rwxr-xr-x  root root system_u:object_r:bin_t:SystemLow /usr/bin/prelude-manager
[lenny@sun ~]$ ps -eadflZ | grep prelude-manager
system_u:system_r:initrc_t:SystemLow-SystemHigh 1 S root 2082 1  0 80 0 - 8864 sys_po 12:03 ?     00:00:01 prelude-manager -d
user_u:user_r:user_t:SystemLow  0 S lenny     3514  3473  0  80   0 -  1041 pipe_w 15:28 pts/1    00:00:00 grep prelude-manager
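
The labeling check from comments 4 and 6, as an added example that is not part of the original bug thread: it filters process listings for daemons still running in initrc_t and compares a process context with the context of its executable. The function names and the sample lines are constructed for illustration (the sample is modelled on the output in comment 6), and example_exec_t / example_t are hypothetical type names.

```bash
#!/bin/bash
# Added example (not from the bug thread): triage daemons left in initrc_t.
# On a live system the inputs would come from:
#   ps -eo label,pid,args            (process contexts)
#   stat -c %C /path/to/executable   (file context)
#   ps -o label= -p PID              (context of one process)

# Print the type field (3rd of user:role:type[:level]) of an SELinux context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "LABEL PID COMMAND..." lines on stdin and print "PID COMMAND..."
# for every process whose type is initrc_t.
initrc_procs() {
    awk '{ split($1, ctx, ":") }
         ctx[3] == "initrc_t" { sub(/^[^ ]+ +/, ""); print }'
}

# diagnose FILE_CONTEXT PROCESS_CONTEXT
# A daemon started from an init script stays in initrc_t unless its
# executable carries a type that the loaded policy transitions on.
diagnose() {
    ftype=$(selinux_type "$1")
    ptype=$(selinux_type "$2")
    if [ "$ptype" != "initrc_t" ]; then
        echo "transitioned: process runs in $ptype"
    elif [ "$ftype" = "bin_t" ]; then
        echo "no-transition: executable is generic bin_t, so the daemon stayed in initrc_t"
    else
        echo "check-policy: executable is $ftype but the process is still initrc_t"
    fi
}

# Constructed sample in "label pid args" form, modelled on comment 6.
SAMPLE='system_u:system_r:initrc_t:SystemLow-SystemHigh 2082 prelude-manager -d
user_u:user_r:user_t:SystemLow 3514 grep prelude-manager'

printf '%s\n' "$SAMPLE" | initrc_procs
diagnose 'system_u:object_r:bin_t:SystemLow' \
         'system_u:system_r:initrc_t:SystemLow-SystemHigh'
```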