Bug 709080
Summary: | enforcing MLS: lvmdump causes AVCs | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Milos Malik <mmalik> | |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 5.7 | CC: | agk, dwalsh, dwysocha, heinzm, jbrassow, mbroz, prajnoha, prockai, thornber, zkabelac | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-2.4.6-309.el5 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 709388 (view as bug list) | Environment: | ||
Last Closed: | 2011-07-21 09:20:41 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 709388 |
Description
Milos Malik
2011-05-30 14:42:03 UTC
This is a leak. lvmdump runs in sysadm_t domain but then executes dmsetup which has a transition to lvm_t. Is this always created in /root? No, the lvmdump directory/file is created in current working directory. Not only dmsetup also it runs lvm. (And some other programs to parse output) It should be very similar to sos report - how it is handled there? There is option for directory, default should be $HOME/lvmdump-$HOSTNAME-$NOW/ What's the problem with creating directory in $HOME? or it is broken somehow? You are right. I see it in /usr/sbin/lvmdump bash script. "append" is caused by 2>> \"$log\ which could be allowed by allow lvm_t sysadm_home_t:file append; But we don't want to allow "write" access to /root directory and this is caused by --- log "\"$DMSETUP\" info -c > \"$dir/dmsetup_info\" 2>> \"$log\"" log "\"$DMSETUP\" table > \"$dir/dmsetup_table\" 2>> \"$log\"" log "\"$DMSETUP\" status > \"$dir/dmsetup_status\" 2>> \"$log\"" log "\"$DMSETUP\" ls --tree > \"$dir/dmsetup_ls_tree\" 2>> \"$log\"" -- which could be fixed by log "\"$DMSETUP\" info -c | cat > \"$dir/dmsetup_ls_tree\" 2>> \"$log\"" or just append log "\"$DMSETUP\" info -c >> \"$dir/dmsetup_ls_tree\" 2>> \"$log\"" Why is append different here? (It creates new file). Not sure what you think. $log file is created by script running as sysadm_t. $dir/dmsetup_ls_tree" is not log file, it is separate per-command report file. And this file is created by dmsetup. For log file we are appending output already but only stderr go there. Anyway, if it is not selinux policy problem but only patch for lvmdump, please reassign it to lvm2 package, I'll fix it. If you use script redirection, the shell is actually creating opening the file and handing the file descriptor to the app running within the shell. If an confined app is handed an open file descriptor like > "$dir/dmsetup_ls_tree" it will require the ability to write to the open file. Write allows the confined domain, the ability to truncate the file. If you open the file with >> "$dir/dmsetup_ls_tree", the shell will hand the confined domain the ability to append only, and this will block the ability to truncate. We have a rather large rule that allows confined domains to append to home directory content but not write. (In reply to comment #8) > $dir/dmsetup_ls_tree" is not log file, it is separate per-command report file. > And this file is created by dmsetup. > Oops, I read $dir/$dmsetup_ls_tree. I think append should be sufficient throughout the script. There is small change needed in selinux-policy too. Actually I just tested new build selinux-policy-mls-2.4.6-308.el5 and it has already fix included. Returning it back to selinux-policy component. The lvmdump script part is addressed by bug #709388. Fixed in selinux-policy-2.4.6-309.el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1069.html |