Bug 755794

Summary: selinux alerts should report absolute filenames
Product: Fedora
Component: setroubleshoot
Version: 16
Reporter: Ralf Corsepius <rc040203>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-11-23 16:43:07 UTC

Description Ralf Corsepius 2011-11-22 03:58:49 UTC
Description of problem:

I am facing selinux alerts of this kind:
"SELinux is preventing /usr/sbin/ypbind from 'read, write' accesses on the file ypbind.pid."

This behavior leaves users clueless about which file the alert actually is referring to and is not helpful.


Version-Release number of selected component (if applicable):
setroubleshoot-3.0.41-1.fc16.x86_64

How reproducible:
No idea - Produce an alert :-)

Steps to Reproduce:
No idea - The alert doesn't provide sufficient info to be able to provide a reproducer.


Actual results:
cf. above. The alert is referring to a filename.

Expected results:
SELinux to produce human-understandable alerts.


Additional info:
The corresponding sealert also doesn't contain more info:

# sealert -l 011cc86d-9bb3-4d75-ab56-b1a8803a87fd
SELinux is preventing /usr/sbin/ypbind from 'read, write' accesses on the file ypbind.pid.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ypbind should be allowed read write access on the ypbind.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 1 Daniel Walsh 2011-11-23 16:43:07 UTC
Sadly this is a kernel issue. Because of performance issues under certain workloads the kernel can not reconstruct the path. If you want to turn on full auditing, you can add a line like

-w /etc/shadow -p w

to /etc/audit/audit.rules

Then the next time you boot, the kernel should assemble the full path. I would doubt you would notice the loss in performance, but it is considered too big an impact to turn on in general.
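To show what the difference between the two situations looks like in /var/log/audit/audit.log, here is an added example (not code from this bug or from setroubleshoot) that groups audit records by event serial and rebuilds the absolute path from the CWD and PATH records when they are present. The log lines are constructed: event 45 assumes no audit rules were loaded (only the AVC record with a bare name), event 46 assumes a watch rule like the one above was active, so CWD and PATH records accompany the AVC.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample of audit.log: event 45 has only an AVC record, event 46 also has CWD + PATH.
SAMPLE_LOG = """\
type=AVC msg=audit(1321935529.123:45): avc:  denied  { read write } for  pid=1234 comm="ypbind" name="ypbind.pid" dev=dm-0 ino=5678 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1321935530.456:46): avc:  denied  { read write } for  pid=1234 comm="ypbind" name="ypbind.pid" dev=dm-0 ino=5678 scontext=system_u:system_r:ypbind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=CWD msg=audit(1321935530.456:46):  cwd="/var/run"
type=PATH msg=audit(1321935530.456:46): item=0 name="ypbind.pid" inode=5678 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*?) \}')

def parse_events(text):
    """Group records by audit event serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perms = PERMS_RE.search(body)               # only AVC records carry "{ perms }"
        fields['perms'] = perms.group(1) if perms else '?'
        events[int(serial)][rtype].append(fields)
    return events

def resolve_denials(text):
    """Return {serial: (comm, perms, path, resolved)} for each AVC denial in the log."""
    out = {}
    for serial, recs in parse_events(text).items():
        for avc in recs.get('AVC', []):
            path, resolved = avc.get('name', ''), False
            cwd = recs['CWD'][0].get('cwd') if recs.get('CWD') else None
            # Prefer the PATH record whose inode matches the denied object; fall back on the name.
            for p in recs.get('PATH', []):
                if p.get('inode') == avc.get('ino') or p.get('name') == path:
                    path = p.get('name', path)
                    break
            if path.startswith('/'):
                resolved = True                     # kernel already recorded an absolute name
            elif cwd:
                path, resolved = posixpath.normpath(posixpath.join(cwd, path)), True
            out[serial] = (avc.get('comm', '?'), avc.get('perms', '?'), path, resolved)
    return out
```

Calling resolve_denials(SAMPLE_LOG) reports event 45 as the bare ypbind.pid with resolved=False (nothing to join against) and event 46 as /var/run/ypbind.pid with resolved=True.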