Bug 619285

Summary: staff_u user cannot run "Applications -> System Tools -> SELinux Audit Log Analysis"
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.0
Reporter: Milos Malik <mmalik>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Keywords: RHELNAK
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-07-29 13:44:40 UTC

Attachments:
AVCs caught during the action
screenshot taken immediately after the action

Description Milos Malik 2010-07-29 07:28:03 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-34.el6.noarch
selinux-policy-3.7.19-34.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. useradd -Z staff_u somebody
2. passwd somebody
3. log in as somebody via GDM
4. run Applications -> System Tools -> SELinux Audit Log Analysis
5. ausearch -m avc -ts recent | audit2allow

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t fonts_t:dir getattr;
allow staff_consolehelper_t home_root_t:dir search;
allow staff_consolehelper_t pam_var_run_t:dir getattr;
allow staff_consolehelper_t self:shm create;
allow staff_consolehelper_t staff_dbusd_t:unix_stream_socket connectto;
allow staff_consolehelper_t usr_t:file { read getattr };

Actual results:


Expected results:

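As an added example that is not part of the bug report, the Python below collapses raw AVC denial records into the audit2allow-style allow rules shown in step 5, which is the aggregation a triager does by hand when deciding whether a denial is a policy gap or intended confinement. The AVC lines are constructed from the rule list above; the pid, inode and path values are placeholders.

```python
# Aggregate SELinux AVC denials into audit2allow-style allow rules.
# Added example, not from the bug report; sample records are constructed.
import re
from collections import defaultdict

# Constructed sample of `ausearch -m avc` output; pid/comm/path/ino are placeholders.
SAMPLE_AVCS = """\
type=AVC msg=audit(1280388483.101:201): avc:  denied  { getattr } for  pid=2001 comm="consolehelper" path="/usr/share/fonts" dev=dm-0 ino=1001 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=AVC msg=audit(1280388483.102:202): avc:  denied  { search } for  pid=2001 comm="consolehelper" name="home" dev=dm-0 ino=1002 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1280388483.103:203): avc:  denied  { read } for  pid=2001 comm="consolehelper" path="/usr/share/example" dev=dm-0 ino=1003 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1280388483.104:204): avc:  denied  { getattr } for  pid=2001 comm="consolehelper" path="/usr/share/example" dev=dm-0 ino=1003 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1280388483.105:205): avc:  denied  { connectto } for  pid=2001 comm="consolehelper" path="/tmp/dbus-PLACEHOLDER" scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=staff_u:staff_r:staff_dbusd_t:s0 tclass=unix_stream_socket
"""

# Fields audit2allow needs: permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """Return the type (third field) of a user:role:type:level security context."""
    return context.split(":")[2]

def avc_to_rules(text):
    """Collapse AVC records into (source_type, target_type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL lines from ausearch)
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def format_allow_rules(rules):
    """Render the aggregated denials the way audit2allow prints them (perms sorted)."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        lines.append(f"allow {src} {tgt}:{cls} {p};")
    return lines

if __name__ == "__main__":
    print("\n".join(format_allow_rules(avc_to_rules(SAMPLE_AVCS))))
```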
Comment 2 RHEL Program Management 2010-07-29 07:48:05 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 3 Milos Malik 2010-07-29 09:22:05 UTC
Created attachment 435233 [details]
AVCs caught during the action

Comment 4 Milos Malik 2010-07-29 09:24:45 UTC
Created attachment 435234 [details]
screenshot taken immediately after the action

Comment 5 Milos Malik 2010-07-29 09:30:16 UTC
The same problem arises if the user runs Applications -> System Tools -> SELinux Policy Generation Tool.

Comment 6 Milos Malik 2010-07-29 09:55:04 UTC
I know that staff_u user is not able to run some programs, but the user should be at least allowed to read the message in the window (see the attached screenshot).

Comment 7 Daniel Walsh 2010-07-29 13:34:38 UTC
It is questionable whether a staff_t user should be able to look at log files. The selinux policy generation is also tough. The problem is these tools have not been dbus-ified so it is not likely that these will work or should work in RHEL6.

Comment 8 RHEL Program Management 2010-07-29 13:44:40 UTC
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.