Bug 443282

Summary: SELinux is preventing rm (hald_t) "rmdir" to ./storage (var_run_t).
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: halAssignee: David Zeuthen <davidz>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, mcepl, mclasen, pertusus
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-20 11:00:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2008-04-20 06:26:59 UTC 
Description of problem:
SELinux denied access requested by rm. It is not expected that this access is
required by rm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.


More information:

Kontext zdroje                system_u:system_r:hald_t
Kontext cíle                 system_u:object_r:var_run_t
Objekty cíle                 ./storage [ dir ]
Zdroj                         rm
Cesta zdroje                  /bin/rm
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          coreutils-6.10-18.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-35.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17
                              01:47:10 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Ne 20. duben 2008, 08:11:36 CEST
Naposledy viděno             Ne 20. duben 2008, 08:11:36 CEST
Místní ID                   d0adbb7c-8b6c-449f-af8e-e17f73a0b2b3
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1208671896.435:42): avc:  denied  { rmdir } for 
pid=9182 comm="rm" name="storage" dev=dm-0 ino=1275335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=dir

host=viklef type=SYSCALL msg=audit(1208671896.435:42): arch=40000003 syscall=301
success=no exit=-13 a0=ffffff9c a1=8874150 a2=200 a3=8874150 items=2 ppid=8641
pid=9182 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="rm" exe="/bin/rm"
subj=system_u:system_r:hald_t:s0 key=(null)

host=viklef type=CWD msg=audit(1208671896.435:42): cwd="/usr/lib/hal/scripts"

host=viklef type=PATH msg=audit(1208671896.435:42): item=0
name="/var/run/pm-utils/" inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:var_run_t:s0

host=viklef type=PATH msg=audit(1208671896.435:42): item=1
name="/var/run/pm-utils/storage" inode=1275335 dev=fd:00 mode=040755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0

Version-Release number of selected component (if applicable):
hal-0.5.11-0.6.rc2.fc9.i386
selinux-policy-targeted-3.3.1-35.fc9.noarch
kernel-2.6.25-1.fc9.i686

How reproducible:
Happened once (and I am not sure when; will try suspend/resume)
Comment 1 Matěj Cepl 2008-04-20 07:04:58 UTC 
OK, so this is suspend/resume in the Permissive mode:


Souhrn:

SELinux is preventing rm (hald_t) "rmdir" to ./storage (var_run_t).

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by rm. It is not expected that this access is
required by rm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./storage,

restorecon -v './storage'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:hald_t
Kontext cíle                 system_u:object_r:var_run_t
Objekty cíle                 ./storage [ dir ]
Zdroj                         rm
Cesta zdroje                  /bin/rm
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          coreutils-6.10-18.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-35.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17
                              01:47:10 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Ne 20. duben 2008, 08:55:42 CEST
Naposledy viděno             Ne 20. duben 2008, 08:55:42 CEST
Místní ID                   8d4a088f-d50c-4b5e-a1cc-9937be01ee69
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1208674542.225:55): avc:  denied  { rmdir } for 
pid=12575 comm="rm" name="storage" dev=dm-0 ino=1275335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=dir

host=viklef type=SYSCALL msg=audit(1208674542.225:55): arch=40000003 syscall=301
success=yes exit=0 a0=ffffff9c a1=8540150 a2=200 a3=8540150 items=2 ppid=12084
pid=12575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm"
subj=system_u:system_r:hald_t:s0 key=(null)

host=viklef type=CWD msg=audit(1208674542.225:55): cwd="/usr/lib/hal/scripts"

host=viklef type=PATH msg=audit(1208674542.225:55): item=0
name="/var/run/pm-utils/" inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:var_run_t:s0

host=viklef type=PATH msg=audit(1208674542.225:55): item=1
name="/var/run/pm-utils/storage" inode=1275335 dev=fd:00 mode=040755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Comment 2 Daniel Walsh 2008-04-20 11:00:30 UTC 
This is a labeling problem on /var/run/pm-utils

restorecon -R -v /var/run/pm-utils

Will fix it.  If it comes back afterwards then some tool is creating this
directory without labeling it correctly.
Comment 3 Matěj Cepl 2008-04-21 05:41:27 UTC 
Restorecon did actually nothing (see below) and if I am not greatly mistaken,
the label is still the same as before (well, there is no
/var/run/pm-utils/storage at all currently, it is probably created just during
suspend):

[root@viklef ~]# restorecon -R -v /var/run/pm-utils/
[root@viklef ~]# ls -lZ /var/run/pm-utils/
drwxr-xr-x  root root system_u:object_r:var_run_t      locks
[root@viklef ~]# 

Will try another suspend.
Comment 4 Daniel Walsh 2008-04-21 17:09:45 UTC 
Which policy do you have installed.

selinux-policy-3.3.1-35 has

+/var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)


Which means these files should be labeled hald_var_run_t
Comment 5 Matěj Cepl 2008-04-22 13:44:03 UTC 
OK, then it is probably really NOTABUG. No idea.