Bug 660348

Summary:	SELinux impedisce l'accesso /bin/bash "read" on /var/log/pm-suspend.log.
Product:	[Fedora] Fedora	Reporter:	Alex <a.delachenal>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	low
Version:	14	CC:	a.delachenal, dwalsh, mgrepl, renich
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:affaa73c0bfc501db5a2e52530017e8f1fca53aa340223972ef9ecdb38e4dd61
Fixed In Version:	selinux-policy-3.9.7-18.fc14	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2010-12-21 23:59:18 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alex 2010-12-06 15:54:54 UTC

Sommario:

SELinux impedisce l'accesso /bin/bash "read" on /var/log/pm-suspend.log.

Descrizione dettagliata:

[SELinux è in modalità permissiva. Questo accesso non è stato negato.]

SELinux ha negato l'accesso richiesto da dhclient-script. Non è previsto che
questo accesso venga richiesto da dhclient-script, e tale accesso può segnalare
un tentativo di intrusione. È anche possibile che questo sia provocato dalla
specifica versione o dalla configurazione dell'applicazione per richiedere un
ulteriore accesso.

Abilitazione accesso in corso:

E' possibile generare un modulo di politica locale per consentire questo accesso
- consultare le FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Inviare un bug report.

Informazioni aggiuntive:

Contesto della sorgente       system_u:system_r:dhcpc_t:s0-s0:c0.c1023
Contesto target               system_u:object_r:hald_log_t:s0
Oggetti target                /var/log/pm-suspend.log [ file ]
Sorgente                      dhclient-script
Percorso della sorgente       /bin/bash
Porta                         <Sconosciuto>
Host                          (rimosso)
Sorgente Pacchetti RPM        bash-4.1.7-3.fc14
Pacchetti RPM target          pm-utils-1.3.1-4.fc14
RPM della policy              selinux-policy-3.9.7-12.fc14
Selinux abilitato             True
Tipo di policy                targeted
Modalità Enforcing            Permissive
Nome plugin                   catchall
Host Name                     (rimosso)
Piattaforma                   Linux (rimosso) 2.6.35.6-48.fc14.x86_64 #1 SMP
                              Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Conteggio avvisi              2
Primo visto                   lun 06 dic 2010 03:45:48 CET
Ultimo visto                  lun 06 dic 2010 16:45:46 CET
ID locale                     21c25643-18c5-4359-a46d-44d1cab95ef0
Numeri di linea               

Messaggi Raw Audit            

node=(rimosso) type=AVC msg=audit(1291650346.454:32): avc:  denied  { read } for  pid=3833 comm="dhclient-script" name="pm-suspend.log" dev=sdc2 ino=786997 scontext=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hald_log_t:s0 tclass=file

node=(rimosso) type=SYSCALL msg=audit(1291650346.454:32): arch=c000003e syscall=2 success=yes exit=4 a0=1533a00 a1=0 a2=1b6 a3=0 items=0 ppid=3832 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhclient-script" exe="/bin/bash" subj=system_u:system_r:dhcpc_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,dhclient-script,dhcpc_t,hald_log_t,file,read
audit2allow suggests:

#============= dhcpc_t ==============
allow dhcpc_t hald_log_t:file read;

Comment 1 Miroslav Grepl 2010-12-06 16:35:31 UTC

Please update selinux-policy

# yum update selinux-policy

Comment 2 Alex 2010-12-13 02:29:01 UTC

followed your suggestion, thx, but it popped out again...

my only 'fault' was to try launching a .DOC executable file by clicking on the right mouse button (in Nautilus), where it reads something like "Open with Wine Load Windows Programs" (sorry, but my menus are in Italian)

Comment 3 Miroslav Grepl 2010-12-13 09:26:27 UTC

You can dontaudit it for now using

# grep dhcpc /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

Comment 4 Miroslav Grepl 2010-12-15 14:09:58 UTC

Fixed in selinux-policy-3.9.7-17.fc14

Comment 5 Fedora Update System 2010-12-16 15:54:32 UTC

selinux-policy-3.9.7-18.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-18.fc14

Comment 6 Fedora Update System 2010-12-17 08:36:43 UTC

selinux-policy-3.9.7-18.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-18.fc14

Comment 7 Fedora Update System 2010-12-21 23:58:36 UTC

selinux-policy-3.9.7-18.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.