Bug 692835

Summary: SELinux is preventing /sbin/setfiles from 'read' accesses on the file /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso.
Product: Fedora
Reporter: Nicolas Sapa <redhat>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 14
CC: dwalsh, eparis, mgrepl, sdsmall
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:2c415653bd95d1f31af04b98755275cd045691a8b6631ef6c95b48bec81f38a7
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-26 14:43:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Nicolas Sapa 2011-04-01 10:35:38 UTC
SELinux is preventing /sbin/setfiles from 'read' accesses on the file /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that setfiles should be allowed read access on the debian-6.0.1a-amd64-netinst.iso file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_image_t:s0
Target Objects                /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.85-19.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    ven. 01 avril 2011 12:16:34 CEST
Last Seen                     ven. 01 avril 2011 12:16:34 CEST
Local ID                      60c9bed4-5a94-4fd2-94d8-e538c19951d4

Raw Audit Messages
type=AVC msg=audit(1301652994.903:1337): avc:  denied  { read } for  pid=7299 comm="restorecon" path="/var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso" dev=dm-1 ino=1453715 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=file


type=SYSCALL msg=audit(1301652994.903:1337): arch=x86_64 syscall=read success=no exit=EACCES a0=4 a1=7fe0298be000 a2=1000 a3=88f447d7d69683d3 items=0 ppid=7269 pid=7299 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash: restorecon,setfiles_t,virt_image_t,file,read

audit2allow

#============= setfiles_t ==============
allow setfiles_t virt_image_t:file read;

audit2allow -R

#============= setfiles_t ==============
allow setfiles_t virt_image_t:file read;

Comment 1 Nicolas Sapa 2011-04-01 10:38:29 UTC
I was doing a restorecon -R -vv /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso in order to get access to this ISO in libvirt when I got this AVC.
The correct context for this file was restored despite this AVC.

Comment 2 Daniel Walsh 2011-04-01 15:12:31 UTC
Strange. I have no idea why setfiles/restorecon would be trying to read the file.

Comment 3 Stephen Smalley 2011-04-01 17:37:12 UTC
It shouldn't.  I can't seem to reproduce here.
$ rpm -q policycoreutils selinux-policy-targeted
policycoreutils-2.0.85-19.fc14.x86_64
selinux-policy-targeted-3.9.7-37.fc14.noarch
$ uname -r
2.6.35.11-83.fc14.x86_64
$ su
# chcon -t user_home_t /var/lib/libvirt/images/ubuntu.img 
# restorecon -R -vv /var/lib/libvirt/images/ubuntu.img 
restorecon reset /var/lib/libvirt/images/ubuntu.img context system_u:object_r:user_home_t:s0->system_u:object_r:virt_image_t:s0
# ausearch -m AVC -ts recent -i
<no matches>

setfiles/restorecon should only lstat(), getxattr() and setxattr() the file.
If applied recursively to a directory, it should read the directory, of course, and if applied to a symlink, it will read the symlink in order to expand the real path, but it shouldn't try to read the individual files themselves.

It does use fts(3) to walk the file tree, so I suppose if something changed in the glibc implementation of fts (e.g. open O_RDONLY followed by fstat rather than just stat), that could affect things.
$ rpm -q glibc
glibc-2.13-1.x86_64

Comment 4 Daniel Walsh 2011-04-01 17:59:59 UTC
It could be a leak or a redirection of stdin. Although that access should be blocked at exec time.

Comment 5 Nicolas Sapa 2011-04-26 09:50:13 UTC
I've found the cause:
One of the administrators had aliased a little too heavily (without reading the man ...).
I had:
alias restorecon='restorecon -f'

---
[root@Gallifrey images]# find . -iname "*FR*" > /root/fr.list
[root@Gallifrey images]# restorecon -f /root/fr.list -vv -R
Unable to open /root/fr.list: Permission denied

type=AVC msg=audit(1303810910.572:215): avc:  denied  { read } for  pid=4355 comm="restorecon" name="fr.list" dev=dm-1 ino=10102 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file


type=SYSCALL msg=audit(1303810910.572:215): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffca238837 a1=0 a2=1b6 a3=0 items=0 ppid=4048 pid=4355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=2 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
---
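Added example, not part of the bug report and not code from policycoreutils or setroubleshoot: a small Python parser that pairs the AVC and SYSCALL records quoted in the description and in comment 5 by their audit serial number, so the denied permission, the target object and the failing syscall can be read side by side. The embedded sample log is constructed from the two record pairs quoted on this page; the function names (`parse_audit`, `summarize`, `suggest_allow_rule`) are the example's own. It also rebuilds the one-line rule that audit2allow printed above, to show where that rule comes from; as the rest of this report shows, the right fix here was removing the alias, not loading such a rule.

```python
import re

# Constructed sample: the two AVC/SYSCALL pairs quoted in this bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1301652994.903:1337): avc:  denied  { read } for  pid=7299 comm="restorecon" path="/var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso" dev=dm-1 ino=1453715 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=SYSCALL msg=audit(1301652994.903:1337): arch=x86_64 syscall=read success=no exit=EACCES a0=4 a1=7fe0298be000 a2=1000 a3=88f447d7d69683d3 items=0 ppid=7269 pid=7299 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1303810910.572:215): avc:  denied  { read } for  pid=4355 comm="restorecon" name="fr.list" dev=dm-1 ino=10102 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1303810910.572:215): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffca238837 a1=0 a2=1b6 a3=0 items=0 ppid=4048 pid=4355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=2 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
"""

# "type=AVC msg=audit(1301652994.903:1337):" -> record type and serial
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<serial>[\d.]+:\d+)\):")
# key=value pairs; values are either quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the "{ read write }" permission set of an AVC record
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Split one audit record into (type, serial, fields, perms); None if not a record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    p = PERMS_RE.search(line)
    perms = p.group(1).split() if p else []
    return m.group("type"), m.group("serial"), fields, perms


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial, so each denial meets its syscall."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line.strip())
        if rec is None:
            continue
        rtype, serial, fields, perms = rec
        ev = events.setdefault(serial, {})
        if rtype == "AVC":
            ev["avc"] = fields
            ev["perms"] = perms
        elif rtype == "SYSCALL":
            ev["syscall"] = fields
    return events


def context_type(ctx):
    """user:role:type[:range] -> type (the part a policy rule names)."""
    return ctx.split(":")[2]


def summarize(events):
    """Flatten each serial into one row: who, what object, which syscall, how it failed."""
    rows = []
    for serial, ev in events.items():
        avc = ev.get("avc", {})
        sc = ev.get("syscall", {})
        rows.append({
            "serial": serial,
            "perms": ev.get("perms", []),
            "comm": avc.get("comm"),
            # path= is set when the kernel knows the full path, name= otherwise
            "object": avc.get("path") or avc.get("name"),
            "stype": context_type(avc["scontext"]) if "scontext" in avc else None,
            "ttype": context_type(avc["tcontext"]) if "tcontext" in avc else None,
            "tclass": avc.get("tclass"),
            "syscall": sc.get("syscall"),
            "exit": sc.get("exit"),
            "exe": sc.get("exe"),
        })
    return rows


def suggest_allow_rule(row):
    """The rule audit2allow would print for this denial (what it does, not what to apply)."""
    return f"allow {row['stype']} {row['ttype']}:{row['tclass']} {' '.join(row['perms'])};"


def report(text):
    rows = summarize(parse_audit(text))
    for r in rows:
        print(f"{r['serial']}: {r['exe']} ({r['comm']}) {r['syscall']}() on "
              f"{r['object']} -> {r['exit']}; audit2allow would say: {suggest_allow_rule(r)}")
    return rows


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Pairing by serial is what makes the two denials distinguishable: the first is a read() on an already-open descriptor (a0=4) of the ISO, the second an open() of /root/fr.list, which is exactly the file the aliased `-f` option made restorecon read.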

Comment 6 Daniel Walsh 2011-04-26 14:43:33 UTC
So this is not a bug?