Bug 569572
Summary: | SELinux is preventing Samba (/usr/sbin/smbd) "getattr" access to /sys/kernel/debug | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dave Jones <davej> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 12 | CC: | drepper, dwalsh, eparis, gdeschner, jlayton, jmoskovc, mgrepl, pfrields, sdsmall, ssorce |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.6.32-99.fc12 | Doc Type: | Bug Fix |
Last Closed: | 2010-03-12 04:24:16 UTC | Type: | --- |
Description
Dave Jones
2010-03-01 18:15:05 UTC
In case you care, that is a stat() syscall. No idea why it would try to access /sys/kernel/debug, maybe some library is doing it behind our back?

What were you doing when that happened?

Any chance abrt is doing something to make applications gather debug info. (I might be showing my ignorance here...)

Very similar to #569723

(In reply to comment #3)
> Any chance abrt is doing something to make applications gather debug info. (I
> might be showing my ignorance here...)

Unlikely, abrt kicks in only if the app crashes and it's not linked with the app, it uses /proc/sys/kernel/core_pattern to detect/save coredumps, so there is no way abrt could influence compiled app behaviour.

Jirka

This access seems to be growing. So I guess it would be a good idea to know what is causing it.

+kernel_search_debugfs(bluetooth_t)
+kernel_read_debugfs(NetworkManager_t)
+kernel_search_debugfs(rgmanager_t)
kernel_search_debugfs(iscsid_t)
kernel_mount_debugfs(insmod_t)
kernel_read_debugfs(insmod_t)
+kernel_search_debugfs(mount_t)
+kernel_search_debugfs(ifconfig_t)

Could this be something all domains need?

I'd dontaudit it rather than allow it unless it is shown to truly be needed. Can the bug reporter run this on his system:

    find /lib64 /usr/lib64 -type f -exec strings -f {} \; | grep /sys/kernel/debug

(replace lib64 with lib if on x86_32 of course). On my system, I get one hit on libpcap, which appears to be trying to access /sys/kernel/debug/usbmon. Do all of those programs link against it?

This is a mount point, so it could be something which runs all mount points...

Ah, good observation. In which case dontaudit should be sufficient. Looking at samba source code, it runs through the mount table via getmntent() and calls stat() on each mnt_dir in a couple of places. If it fails, it just skips that mount.

Ok I will add

kernel_dontaudit_search_debugfs(domain)

to stop these from popping up randomly.

Miroslav can you add this to F12.
Fixed in selinux-policy-3.6.32-97.fc12

selinux-policy-3.6.32-99.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-99.fc12

selinux-policy-3.6.32-99.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-99.fc12

selinux-policy-3.6.32-99.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
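The mount-table walk described in the thread (getmntent() followed by stat() on each mnt_dir, skipping failures), as an added example that is not part of the original bug report and is not Samba's code. The struct, the function names and the two-line mount table are constructed for illustration.

```c
#define _GNU_SOURCE             /* for fmemopen() */
#include <errno.h>
#include <mntent.h>
#include <stdio.h>
#include <sys/stat.h>

struct mnt_scan {
    int total;    /* entries read from the mount table */
    int skipped;  /* entries whose stat() failed, so the mount was skipped */
    int eacces;   /* skipped with EACCES, the errno an SELinux denial produces */
};

/* stat() every mnt_dir in the table. Each call is a getattr check on that
 * mount point, which is how a daemon ends up touching /sys/kernel/debug. */
void scan_mounts(FILE *fp, struct mnt_scan *out)
{
    struct mntent *m;
    struct stat st;
    *out = (struct mnt_scan){0};
    while ((m = getmntent(fp)) != NULL) {
        out->total++;
        if (stat(m->mnt_dir, &st) != 0) {   /* failure: skip this mount */
            out->skipped++;
            if (errno == EACCES)
                out->eacces++;
        }
    }
}

/* Constructed mount table; the second mount point does not exist, so its
 * stat() fails (with ENOENT here, not EACCES) and the entry is skipped. */
static const char SAMPLE[] =
    "rootfs / rootfs rw 0 0\n"
    "debugfs /constructed/sys/kernel/debug debugfs rw 0 0\n";

int scan_sample(struct mnt_scan *out)
{
    FILE *fp = fmemopen((void *)SAMPLE, sizeof(SAMPLE) - 1, "r");
    if (fp == NULL) return -1;
    scan_mounts(fp, out);
    fclose(fp);
    return 0;
}

int main(void)
{
    struct mnt_scan r;
    if (scan_sample(&r) == 0)
        printf("total=%d skipped=%d eacces=%d\n", r.total, r.skipped, r.eacces);
    return 0;
}
```

The caller never needs the result for the debugfs entry, which is why the thread settles on dontaudit rather than allow: the failed stat() changes nothing in the loop.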