Bug 696921

Summary: SELinux is preventing systemd-kmsg-sy from 'search' accesses on the directory 22673.
Product: [Fedora] Fedora Reporter: rvcsaba
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dwalsh, johannbg, lpoetter, metherid, mgrepl, mschmidt, notting, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:ddb89f2053587fdbfc5d15a3e9417d0166972be6f19683c57756fc41d5a23291
Fixed In Version: selinux-policy-3.9.16-18.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-02 03:39:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description rvcsaba 2011-04-15 10:07:57 UTC 
SELinux is preventing systemd-kmsg-sy from 'search' accesses on the directory 22673.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-kmsg-sy should be allowed search access on the 22673 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-kmsg-sy /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Objects                22673 [ dir ]
Source                        systemd-kmsg-sy
Source Path                   systemd-kmsg-sy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.3-15.rc1.fc15.x86_64 #1 SMP Wed
                              Apr 13 18:48:28 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 14 Apr 2011 12:18:21 PM CEST
Last Seen                     Fri 15 Apr 2011 11:51:18 AM CEST
Local ID                      df650ee3-6c06-492f-873a-00774d9b9036

Raw Audit Messages
type=AVC msg=audit(1302861078.237:103): avc:  denied  { search } for  pid=455 comm="systemd-kmsg-sy" name="22673" dev=proc ino=168446 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dir


Hash: systemd-kmsg-sy,syslogd_t,system_cronjob_t,dir,search

audit2allow

#============= syslogd_t ==============
allow syslogd_t system_cronjob_t:dir search;

audit2allow -R

#============= syslogd_t ==============
allow syslogd_t system_cronjob_t:dir search;


-------------------------------------------------

(I use rkhunter.)
Comment 1 Daniel Walsh 2011-04-15 12:53:22 UTC 
Lennart, any reason systemd-kmsg-sy would want to look at random processes?  Can I dontaudit this?
Comment 2 Lennart Poettering 2011-04-18 16:03:23 UTC 
Hmm, which directory would that be? "22673" sounds like a directory in /proc?

systemd-kmsg-syslogd tries to figure out the name of a process that logs to syslog, to show it next to the message. We use SCM_CREDENTIALS to figure out the PID of the logging client, and then read /proc/%lu/comm with that. This probably explains the access in question.
Comment 3 Daniel Walsh 2011-04-18 19:32:57 UTC 
Miroslav lets add

domain_read_all_domains_state(syslogd_t)
Comment 4 Miroslav Grepl 2011-04-19 10:29:37 UTC 
Fixed in selinux-policy-3.9.16-16.fc15
Comment 5 Fedora Update System 2011-04-21 15:04:55 UTC 
selinux-policy-3.9.16-16.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-16.fc15
Comment 6 Fedora Update System 2011-04-22 00:16:06 UTC 
Package selinux-policy-3.9.16-16.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-16.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-16.fc15
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2011-04-28 19:06:44 UTC 
Package selinux-policy-3.9.16-18.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-18.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-18.fc15
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2011-05-02 03:38:20 UTC 
selinux-policy-3.9.16-18.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.