Bug 690141

Summary: SELinux is preventing /usr/sbin/asterisk from 'search' accesses on the directory /home.
Product: Fedora
Reporter: Paulo Fidalgo <paulo.fidalgo.pt>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:b8898d1154f228fe66b4a3c3a5dfad889c510c8e21d84c739b53dcd94ee5da35
Fixed In Version: selinux-policy-3.9.7-42.fc14
Doc Type: Bug Fix
Last Closed: 2011-07-12 05:16:26 UTC
Attachments:
- ls output (attachment 487115)
- mypol.te (attachment 487119)
- avcs.gz file as requested (attachment 490499)

Description Paulo Fidalgo 2011-03-23 12:24:53 UTC
SELinux is preventing /usr/sbin/asterisk from 'search' accesses on the directory /home.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that asterisk should be allowed search access on the home directory by default,
then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep asterisk /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:asterisk_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                /home [ dir ]
Source                        asterisk
Source Path                   /usr/sbin/asterisk
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           asterisk-1.6.2.17-1.fc14
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 23 Mar 2011 12:21:13 PM WET
Last Seen                     Wed 23 Mar 2011 12:25:10 PM WET
Local ID                      c8c1e7cd-4cc5-4f6f-8474-270243cdf9b4

Raw Audit Messages
type=AVC msg=audit(1300883110.394:22615): avc:  denied  { search } for  pid=2202 comm="asterisk" name="home" dev=sda1 ino=798 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir


type=SYSCALL msg=audit(1300883110.394:22615): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fff78159af0 a1=7fff781588b0 a2=7fff781588b0 a3=8 items=0 ppid=2194 pid=2202 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=asterisk exe=/usr/sbin/asterisk subj=unconfined_u:system_r:asterisk_t:s0 key=(null)

Hash: asterisk,asterisk_t,home_root_t,dir,search

audit2allow

#============= asterisk_t ==============
allow asterisk_t home_root_t:dir search;

audit2allow -R

#============= asterisk_t ==============
allow asterisk_t home_root_t:dir search;

Comment 1 Daniel Walsh 2011-03-23 13:33:57 UTC
Were you sitting in your homedir as root when you restarted this asterisk service?

Comment 2 Paulo Fidalgo 2011-03-23 14:18:10 UTC
Hi!
I was, as root, at /etc/asterisk.

I've already added some rules, as suggested by SELinux Troubleshooter.

I've tried to see the contents of the generated files using:

grep asterisk /var/log/audit/audit.log | audit2allow -M mypol


but they are binary files.

I remember having troubles because asterisk wants to chown files on /etc/asterisk

Comment 3 Daniel Walsh 2011-03-23 18:29:16 UTC
When you run audit2allow -M mypol it also creates a mypol.te file with all the rules it wants to add.

Comment 4 Daniel Walsh 2011-03-23 18:29:28 UTC
ls -lZ /etc/asterisk

Comment 5 Paulo Fidalgo 2011-03-23 18:39:28 UTC
Created attachment 487115 [details]
ls output

Comment 6 Paulo Fidalgo 2011-03-23 18:43:20 UTC
Created attachment 487119 [details]
mypol.te

Comment 7 Paulo Fidalgo 2011-03-23 18:44:02 UTC
I've uploaded the output files.

Comment 8 Daniel Walsh 2011-03-23 20:08:45 UTC
Strange te rules.  Can you attach a compressed audit.log you used to create these avcs?

Actually just execute 

ausearch -m avc | gzip -c > /tmp/avcs.gz
and attach that file.

Why would asterisk chown a file?
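
To make the audit2allow steps in the description and the `ausearch -m avc` output requested above concrete, here is an added Python example (not part of this report, of setroubleshoot or of audit2allow) that parses AVC records like the one in the description, derives the setroubleshoot "Hash:" tuple used to fold repeated denials into one alert, and writes a .te source of the shape `audit2allow -M` leaves beside mypol.pp. The sample input is constructed: the first two records repeat the denial from the report, and the third (a setattr on a file of type asterisk_etc_t) is made up to show how rules are merged, not taken from the attached avcs.gz.

```python
import re
from collections import OrderedDict

# Constructed sample, formatted as `ausearch -m avc` prints it. Records 1-2 repeat the
# report's denial (Alert Count 2); record 3 is made up to exercise merging.
SAMPLE_AVCS = """\
type=AVC msg=audit(1300883110.394:22615): avc:  denied  { search } for  pid=2202 comm="asterisk" name="home" dev=sda1 ino=798 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300883110.394:22616): avc:  denied  { search } for  pid=2202 comm="asterisk" name="home" dev=sda1 ino=798 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1300883110.394:22617): avc:  denied  { setattr } for  pid=2202 comm="asterisk" name="asterisk.conf" dev=sda1 ino=9999 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:asterisk_etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (comm, source type, target type, class, perms) for one AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type:level -> type
    ttype = m.group("tcontext").split(":")[2]
    return (m.group("comm"), stype, ttype, m.group("tclass"), tuple(m.group("perms").split()))

def alert_hash(rec):
    """setroubleshoot's 'Hash:' tuple, e.g. asterisk,asterisk_t,home_root_t,dir,search."""
    comm, stype, ttype, tclass, perms = rec
    return ",".join([comm, stype, ttype, tclass, *perms])

def fmt_perms(perms):
    """One permission bare, several in braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_te(audit_text, module="mypol"):
    """Merge all denials into a .te module source; identical denials collapse to one rule."""
    rules = OrderedDict()                        # (stype, ttype, tclass) -> set of perms
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules.setdefault(rec[1:4], set()).update(rec[4])
    classes = OrderedDict()                      # tclass -> perms needed in the require block
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in classes.items()]
    out += ["}", ""]
    last_stype = None
    for (stype, ttype, tclass), perms in rules.items():
        if stype != last_stype:                  # audit2allow groups rules by source type
            out.append(f"#============= {stype} ==============")
            last_stype = stype
        out.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"
```

Read the merged allow rules before `semodule -i`: a search on home_root_t is a harmless artifact of the service inheriting root's working directory, while a rule letting the daemon setattr its own config files is the kind of grant that should be questioned rather than installed.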

Comment 9 Paulo Fidalgo 2011-04-07 09:10:36 UTC
Created attachment 490499 [details]
avcs.gz file as requested

Sorry for the late reply, but here is the requested file.

Comment 10 Daniel Walsh 2011-04-07 13:53:24 UTC
Miroslav, I have added changes to F15 policy; can you back port setroubleshoot and asterisk policy to F13, F14, RHEL6?

I think the pppd one is bogus.  Not sure what caused it other than probably restarting it while sitting in the downloads directory.

Comment 11 Miroslav Grepl 2011-05-27 09:25:30 UTC
It was fixed in F13/RHEL6.

Fixed in selinux-policy-3.9.7-42.fc14

Comment 12 Fedora Update System 2011-05-27 15:45:17 UTC
selinux-policy-3.9.7-42.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14

Comment 13 Fedora Update System 2011-05-27 20:27:14 UTC
Package selinux-policy-3.9.7-42.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-42.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-42.fc14
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2011-07-12 05:14:36 UTC
selinux-policy-3.9.7-42.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.