Bug 760462

Summary: xguest_u is allowed to run "getsebool -a" but guest_u is not
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.2
CC: dwalsh
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-12-08 11:32:41 UTC

Description Milos Malik 2011-12-06 09:12:03 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-124.el6.noarch
selinux-policy-targeted-3.7.19-124.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. create an xguest_u user
2. log in as this user
3. run "getsebool -a"
4. create a guest_u user
5. log in as this user
6. run "getsebool -a"

Actual results:
* "getsebool -a" executed by xguest_u user prints all booleans
* "getsebool -a" executed by guest_u user prints the following message:
getsebool:  Unable to get boolean names:  Permission denied

Expected results:
* the output of "getsebool -a" should be the same in both cases

Comment 1 Milos Malik 2011-12-06 09:20:39 UTC
The following AVC appears when dontaudit rules are turned off:
----
time->Tue Dec  6 03:52:34 2011
type=SYSCALL msg=audit(1323161554.372:485625): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb5e0e210 a1=90800 a2=3199008260 a3=fffffff6 items=0 ppid=12741 pid=12768 auid=504 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=pts0 ses=25366 comm="getsebool" exe="/usr/sbin/getsebool" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1323161554.372:485625): avc:  denied  { read } for  pid=12768 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
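
The denial quoted above can be read mechanically. The following is an added example, not part of the bug report or of any SELinux tool: it joins the SYSCALL and AVC records by their shared audit event serial and reports the source domain, target type, object class and permission. The function names are hypothetical, and the sample input is the two records from Comment 1.

```python
import errno
import re

# Sample input: the two audit records quoted in Comment 1 of this bug.
SAMPLE = """\
type=SYSCALL msg=audit(1323161554.372:485625): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb5e0e210 a1=90800 a2=3199008260 a3=fffffff6 items=0 ppid=12741 pid=12768 auid=504 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=pts0 ses=25366 comm="getsebool" exe="/usr/sbin/getsebool" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1323161554.372:485625): avc:  denied  { read } for  pid=12768 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
"""

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def group_events(text):
    """Group audit records by event serial: {serial: {record type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip '----' separators and 'time->' lines
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if p:
            fields['result'], fields['perms'] = p.group(1), p.group(2).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def summarize_denials(text):
    """Return one summary dict per denied AVC, joined with its SYSCALL record."""
    out = []
    for serial, recs in group_events(text).items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or avc.get('result') != 'denied':
            continue
        exit_code = int(sc.get('exit', 0))
        out.append({
            'exe': sc.get('exe'),
            'errno': errno.errorcode.get(-exit_code) if exit_code < 0 else None,
            'source_type': avc['scontext'].split(':')[2],  # user:role:type:level
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': avc['perms'],
            'object': avc.get('name'),
        })
    return out

if __name__ == '__main__':
    print(summarize_denials(SAMPLE))
```

For the records above this reports `guest_t` denied `read` on the `security_t` directory `booleans`, surfacing to `/usr/sbin/getsebool` as `EACCES`.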

Comment 2 Daniel Walsh 2011-12-07 15:22:16 UTC
The reason for this is that restorecond is running for the xguest user to make sure content in his homedir is labeled correctly.  I believe it needs to read security_t content in order for it to get the labels right.  guest_t does not run restorecond so it does not need this access.

Comment 3 Miroslav Grepl 2011-12-07 15:49:28 UTC
Yes, this is correct. We have in the policy:

    seutil_exec_restorecond($1_t)
    seutil_read_file_contexts($1_t)
    seutil_read_default_contexts($1_t)