Bug 505993

Summary: SELinux is preventing privoxy (privoxy_t) "read|open" proc_t
Product: [Fedora] Fedora
Reporter: Allen Kistler <ackistler>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, jkubin, maurizio.antillon, mgrepl
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.6.12-53.fc11.noarch
Doc Type: Bug Fix
Last Closed: 2009-06-28 21:39:21 UTC

Description Allen Kistler 2009-06-15 06:33:05 UTC
Description of problem:
AVC denial records appear in audit log when running and using privoxy.
Enforcing the denials doesn't appear to stop anything from working.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11.noarch
privoxy-3.0.10-3.fc11.i586

How reproducible:
Always

Steps to Reproduce:
1. Run privoxy & configure a web browser to use it
2. Visit some web pages
3. Look in the audit log
  
Actual results:
AVC denial records (see below)

Expected results:
No denial records

Additional info:

In enforcing mode ...

node=ack602 type=AVC msg=audit(1245045463.517:300): avc:  denied  { read } for  pid=3514 comm="privoxy" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

In permissive mode, there's one more ...

node=ack602 type=AVC msg=audit(1245045719.467:315): avc:  denied  { open } for  pid=3570 comm="privoxy" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

I've also seen this one, but I can't reproduce it.  Except for /proc/cpuinfo in the place of /proc/stat, it's the same, anyway ...

node=ack602 type=AVC msg=audit(1245045463.551:301): avc:  denied  { read } for  pid=3514 comm="privoxy" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file

Comment 1 Daniel Walsh 2009-06-15 19:23:02 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
	
Fixed in selinux-policy-3.6.12-52.fc11.noarch

Comment 2 Allen Kistler 2009-06-15 21:20:10 UTC
(In reply to comment #1)
> You can add these rules for now using
> 
> # grep avc /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp

I "dontaudit" (rather than "allow") them in my local policy.
It seems to work fine so far.

> Fixed in selinux-policy-3.6.12-52.fc11.noarch  

According to koji:
State           failed
Started         Mon, 15 Jun 2009 20:07:44 UTC
Completed       Mon, 15 Jun 2009 20:09:40 UTC
Task            build (dist-f11-updates-candidate,
                       /cvs/pkgs:rpms/selinux-policy/F-11:
                                 selinux-policy-3_6_12-52_fc11)

51 was the same.

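The audit2allow step in comment 1 and the "dontaudit" variant the reporter mentions in comment 2 can be reproduced without the tool: the script below (an added example, not part of the bug report or of the selinux-policy package) parses AVC denial records, groups the denied permissions per source type / target type / object class, and emits a local policy module source (.te) using either rule kind. The function name avc_to_te and the module name mypol are the example's own choices; the sample records are the three AVC lines quoted in the report.

```sh
#!/bin/sh
# Build a local SELinux policy module source from AVC denial lines.
# Usage: avc_to_te MODULE_NAME [allow|dontaudit] < /var/log/audit/audit.log
# "allow" mirrors what audit2allow -M emits; "dontaudit" only silences the log entry.
avc_to_te() {
    awk -v module="$1" -v rule="${2:-dontaudit}" '
    /type=AVC/ && /avc: *denied/ {
        # the permission list is the word(s) between "{" and "}"
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        stype = ttype = tclass = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is its type
            if ($i ~ /^scontext=/)      { split(substr($i, 10), c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "" || ttype == "" || tclass == "") next   # malformed record, skip it
        types[stype] = 1; types[ttype] = 1
        key = stype ":" ttype ":" tclass
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # de-duplicate: two "read" denials on /proc/stat and /proc/cpuinfo become one rule
            if (!((key, p[j]) in seen))     { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
            if (!((tclass, p[j]) in cseen)) { cseen[tclass, p[j]] = 1; cperms[tclass] = cperms[tclass] " " p[j] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", module
        for (t in types) printf "\ttype %s;\n", t
        for (cl in cperms) printf "\tclass %s {%s };\n", cl, cperms[cl]
        print "}\n"
        for (k in rules) { split(k, f, ":"); printf "%s %s %s:%s {%s };\n", rule, f[1], f[2], f[3], rules[k] }
    }'
}

# Sample records copied from this bug report: read and open on /proc/stat, read on /proc/cpuinfo.
SAMPLE_AVC='node=ack602 type=AVC msg=audit(1245045463.517:300): avc:  denied  { read } for  pid=3514 comm="privoxy" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=ack602 type=AVC msg=audit(1245045719.467:315): avc:  denied  { open } for  pid=3570 comm="privoxy" name="stat" dev=proc ino=4026531985 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=ack602 type=AVC msg=audit(1245045463.551:301): avc:  denied  { read } for  pid=3514 comm="privoxy" name="cpuinfo" dev=proc ino=4026531980 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file'

# Writes mypol.te content; compile and load it with the standard toolchain (not run here):
#   checkmodule -M -m -o mypol.mod mypol.te && semodule_package -o mypol.pp -m mypol.mod && semodule -i mypol.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mypol dontaudit
```

For the three records above the output is a single rule, `dontaudit privoxy_t proc_t:file { read open };`, which is exactly the access the reporter chose to silence rather than grant.
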
Comment 3 Daniel Walsh 2009-06-16 13:40:12 UTC
Usually when I say it is fixed, I have not completed the build yet.  Not sure why privoxy wants to read cpuinfo, but does not seem like a big security risk to allow it.

52 is now built I believe.  I will put an update into testing by the end of the week.

Comment 4 Allen Kistler 2009-06-21 08:32:31 UTC
Fix confirmed in selinux-policy-3.6.12-53.fc11.noarch, currently in testing

Comment 5 Allen Kistler 2009-06-28 21:39:21 UTC
selinux-policy-3.6.12-53.fc11.noarch is in updates.  Closing.