| Summary: | xguest_u is allowed to run "getsebool -a" but guest_u is not | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-08 11:32:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Milos Malik
2011-12-06 09:12:03 UTC
The following AVC appears when dontaudit rules are turned off:
----
time->Tue Dec 6 03:52:34 2011
type=SYSCALL msg=audit(1323161554.372:485625): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb5e0e210 a1=90800 a2=3199008260 a3=fffffff6 items=0 ppid=12741 pid=12768 auid=504 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=pts0 ses=25366 comm="getsebool" exe="/usr/sbin/getsebool" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1323161554.372:485625): avc: denied { read } for pid=12768 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
The reason for this is that restorecond is running for the xguest user to make sure content in his homedir is labeled correctly. I believe it needs to read security_t content in order for it to get the labels right. guest_t does not run restorecond so it does not need this access.

Yes, this is correct. We have in the policy:
seutil_exec_restorecond($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)
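Parsing the SYSCALL/AVC pair quoted in the description into the fields a policy maintainer checks first (source domain, target type, object class, permission, syscall exit code), as an added example that is not part of this bug report. The regular expressions and function names are my own; the input is the report's two audit records embedded as a string.

```python
import re

# Constructed input: the two audit records quoted in the bug report, as they appear together in audit.log.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1323161554.372:485625): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb5e0e210 a1=90800 a2=3199008260 a3=fffffff6 items=0 ppid=12741 pid=12768 auid=504 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=pts0 ses=25366 comm="getsebool" exe="/usr/sbin/getsebool" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1323161554.372:485625): avc: denied { read } for pid=12768 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into its type, timestamp, event serial and key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "ts": float(ts), "serial": int(serial)}
    avc = AVC_RE.search(body)
    if avc:  # only AVC records carry a result and a permission set
        rec["result"], rec["perms"] = avc.group(1), avc.group(2).split()
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec

def group_events(text):
    """Join SYSCALL and AVC records that share an audit serial into one event."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events

def summarize(event):
    """Reduce one event to the fields a policy maintainer looks at first."""
    avc = event["AVC"]
    s = {"domain": avc["scontext"].split(":")[2],       # guest_t
         "target_type": avc["tcontext"].split(":")[2],  # security_t
         "tclass": avc["tclass"], "perms": avc["perms"], "result": avc["result"],
         "comm": avc["comm"], "dev": avc.get("dev")}
    if "SYSCALL" in event:  # exit=-13 is EACCES, the user-visible side of the denial
        s["exe"], s["exit"] = event["SYSCALL"]["exe"], int(event["SYSCALL"]["exit"])
    return s

def is_selinuxfs_read_denial(s):
    """True for the pattern this report describes: a user domain refused a read of selinuxfs."""
    return (s["result"] == "denied" and s["dev"] == "selinuxfs"
            and s["target_type"] == "security_t" and s["perms"] == ["read"])
```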