Bug 456036

Summary: SELinux is preventing gam_server (unlabed_t) "getattr" to inotify (inotifyfs_t)
Product: [Fedora] Fedora Reporter: Philip Heuer <pheuer>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: low    
Version: 9CC: ofeeley
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 79 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-28 20:23:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit log #1
none
audit log #2
none
audit log #3
none
v3.3.1-79 audit log #1
none
v3.3.1-79 audit log #2
none
v3.3.1-79 audit log #3
none
v3.3.1-79 setroubleshoot output ("getattr" AVC denial) none

Description Philip Heuer 2008-07-21 02:37:04 UTC 
Description of problem:

Updating to selinux-policy-targeted-3.3.1-78.fc9.noarch causes AVC denials for
gam_server accesses to /proc/sys/fs/inotify (read and getattr). The volume of
AVC denials appears to cause 100% CPU and heavy disk utilization on my system.

Version-Release number of selected component (if applicable):
3.3.1-78.fc9

How reproducible:

Always

Steps to Reproduce:
1. update from selinux-policy-targeted-3.3.1-74.fc9.noarch to
   selinux-policy-targeted-3.3.1-78.fc9.noarch
  
Actual results:

An abnormally high volume of AVC denials occur almost to the point of a local DOS.

Expected results:

no AVC denials against gam_server

Additional info:

I was running KDE with gkrellm, kmix, kpowersave, NetworkManager Applet,
Klipper, New Device Notifier, konsole, and setroubleshoot. All packages were up
to date as of Mon Jul 21 02:08:11 UTC 2008. 'ls -Z /proc/sys/fs/inotify'
displayed '?' as the label in both versions. /usr/libexec/gam_server had the
label 'system_u:object_r:gamin_exec_t:s0' in both versions. Using
'/sbin/restorecon -v /proc/sys/fs/inotify' had no effect in either version.

To eliminate the high disk activity, use kill -9 on all instances of gam_server.
If setroubleshoot is installed, the high CPU will stop after it catches up.

Output of setroubleshoot:

Summary:

SELinux is preventing gam_server (unlabeled_t) "getattr" to inotify
(inotifyfs_t).

Detailed Description:

SELinux denied access requested by gam_server. It is not expected that this
access is required by gam_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for inotify,

restorecon -v 'inotify'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:inotifyfs_t:s0
Target Objects                inotify [ dir ]
Source                        gam_server
Source Path                   /usr/libexec/gam_server
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           gamin-0.1.9-5.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-78.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.25.10-86.fc9.i686
                              #1 SMP Mon Jul 7 20:46:03 EDT 2008 i686 athlon
Alert Count                   45685
First Seen                    Fri 18 Jul 2008 10:18:09 PM CDT
Last Seen                     Sun 20 Jul 2008 08:13:05 PM CDT
Local ID                      ad55592b-12ac-4d67-a498-e1b9916c3b37
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1216602785.549:754316): avc: 
denied  { getattr } for  pid=2726 comm="gam_server" path="inotify" dev=inotifyfs
ino=1 scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

host=localhost.localdomain type=SYSCALL msg=audit(1216602785.549:754316):
arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=541b a2=bf8cdc74 a3=805347d
items=0 ppid=1 pid=2726 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server"
exe="/usr/libexec/gam_server" subj=system_u:object_r:unlabeled_t:s0 key=(null)
Comment 1 Philip Heuer 2008-07-21 02:37:05 UTC 
Created attachment 312223 [details]
audit log #1
Comment 2 Philip Heuer 2008-07-21 02:41:30 UTC 
Created attachment 312224 [details]
audit log #2
Comment 3 Philip Heuer 2008-07-21 02:46:08 UTC 
Created attachment 312225 [details]
audit log #3
Comment 4 Oisin C. Feeley 2008-07-21 19:29:56 UTC 
I'm getting this too, even after killing all instances of gam_server as
suggested by Philip above.

Just out of interest I decided to leave things chugging away and I now see 19000
odd denials of each of:

gam_server (unlabeled_t) "getattr" to inotify (inotifyfs_t)

and


gam_server (unlabeled_t) "read" to inotify (inotifyfs_t)

Also does the suggested fix "restorecon -v 'inotify'" make much sense given that
it should be an absolute path to the directory and obviously from the full
message SELinux is aware that it is a directory [dir] ?
Comment 5 Daniel Walsh 2008-07-24 11:57:33 UTC 
Fixed in selinux-policy-3.3.1-79.fc9
Comment 6 Philip Heuer 2008-07-25 01:44:11 UTC 
Created attachment 312604 [details]
v3.3.1-79 audit log #1
Comment 7 Philip Heuer 2008-07-25 01:46:19 UTC 
Created attachment 312605 [details]
v3.3.1-79 audit log #2
Comment 8 Philip Heuer 2008-07-25 01:48:04 UTC 
Created attachment 312606 [details]
v3.3.1-79 audit log #3
Comment 9 Philip Heuer 2008-07-25 02:02:49 UTC 
Created attachment 312608 [details]
v3.3.1-79 setroubleshoot output ("getattr" AVC denial)

If it helps, v3.3.1-74 did not have this issue.
Comment 10 Daniel Walsh 2008-07-25 02:38:30 UTC 
Just kill the gam_server,  All updates to 79 will not cause the problem.  The
problem was a removal of a role for gam_server in policy 78.  This was fixed in
79 and would only happen if you had a gam_server running by the system.  Once
you kill the gam_server the problem should not come back.
Comment 11 Philip Heuer 2008-07-27 14:50:50 UTC 
Thanks. That fixed the problem.