Bug 760990

Summary: SELinux is preventing /usr/bin/gok from read access on /var subdirectories
Product: Red Hat Enterprise Linux 6 Reporter: Matthew Mosesohn <mmosesoh>
Component: gokAssignee: Matthias Clasen <mclasen>
Status: CLOSED WONTFIX QA Contact: Desktop QE <desktop-qa-list>
Severity: low Docs Contact:
Priority: low    
Version: 6.3CC: dwalsh, ksrot, mclasen, mmalik, msanders, pertusus, tpelka, tsmetana, wendellcraigbaker
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-138.el6 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 697207 Environment:
Last Closed: 2017-12-06 10:48:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 697207    
Bug Blocks: 670971    
Attachments:
Description Flags
generated AVCs none

Description Matthew Mosesohn 2011-12-07 14:40:29 UTC 
This is occuring on RHEL 6.2.  

SELinux is preventing /usr/bin/gok from read access on the directory /var/cvs.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that gok should be allowed read access on the cvs directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gok /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


+++ This bug was initially created as a clone of Bug #697207 +++

Created attachment 492629 [details]
sudo sealert  -l 82c72044-db37-4c34-b62c-0fd3f2ca4205

Description of problem:

gok seems to need access to some places that selinux doesn't expect

Version-Release number of selected component (if applicable):

$ rpm -q -f /usr/bin/gok
gok-2.30.1-1.fc14.i686


How reproducible:

very

Steps to Reproduce:
1. reboot
2. start up gok (accessibility, on screen keyboard)
3. see messages in /var/log/messages
  
Actual results:

messages ... shown

Expected results:

no messages

Additional info:



from /var/log/messages

Apr 16 13:33:36 pert setroubleshoot: SELinux is preventing /usr/bin/gok from rea
d access on the directory /var/games. For complete SELinux messages. run sealert -l 384cb886-46a9-4cf7-92d2-d72d9e72ee32
Apr 16 13:33:36 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/yp. For complete SELinux messages. run sealert -l 237e8dae-b133-4c66-9c96-54e78f8b1934
Apr 16 13:33:37 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/www. For complete SELinux messages. run sealert -l 25cfa985-f3d7-4be3-b4ab-4bfc126b7e7b
Apr 16 13:33:37 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/racoon. For complete SELinux messages. run sealert -l 82c72044-db37-4c34-b62c-0fd3f2ca4205
Apr 16 13:33:48 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/games. For complete SELinux messages. run sealert -l 384cb886-46a9-4cf7-92d2-d72d9e72ee32
Apr 16 13:33:49 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/yp. For complete SELinux messages. run sealert -l 237e8dae-b133-4c66-9c96-54e78f8b1934
Apr 16 13:33:49 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/www. For complete SELinux messages. run sealert -l 25cfa985-f3d7-4be3-b4ab-4bfc126b7e7b
Apr 16 13:33:50 pert setroubleshoot: SELinux is preventing /usr/bin/gok from read access on the directory /var/racoon. For complete SELinux messages. run sealert -l 82c72044-db37-4c34-b62c-0fd3f2ca4205

--- Additional comment from wendellcraigbaker on 2011-04-16 16:57:00 EDT ---

Created attachment 492630 [details]
sudo sealert -l 25cfa985-f3d7-4be3-b4ab-4bfc126b7e7b

--- Additional comment from wendellcraigbaker on 2011-04-16 16:57:33 EDT ---

Created attachment 492631 [details]
sudo sealert -l 237e8dae-b133-4c66-9c96-54e78f8b1934

--- Additional comment from wendellcraigbaker on 2011-04-16 16:58:29 EDT ---

Created attachment 492632 [details]
sudo sealert -l 384cb886-46a9-4cf7-92d2-d72d9e72ee32
Comment 1 David Zeuthen 2011-12-07 15:42:43 UTC 
Can't really do anything about SELinux policy, sorry. Reassigning.
Comment 2 Matthew Mosesohn 2011-12-07 15:56:07 UTC 
This was added to selinux-policy in Fedora already in this change entry:
* Tue Dec 21 2010 Miroslav Grepl <mgrepl> 3.9.12-1
- Update to upstream
- Fixes for systemd policy
- Fixes for passenger policy
- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
- Dontaudit (xdm_t) gok attempting to list contents of /var/account
- Telepathy domains need to read urand
- Need interface to getattr all file classes in a mock library for setroubleshoot
Comment 3 Miroslav Grepl 2011-12-09 10:56:29 UTC 
Yes, we don't audit some gok accesses. But still this covers a behaviour so why gok is listing the contents of /var?
Comment 4 Karel Srot 2012-01-06 09:12:18 UTC 
> Yes, we don't audit some gok accesses. But still this covers a behaviour so why
> gok is listing the contents of /var?

David, any update?
Comment 10 Milos Malik 2012-02-27 15:15:10 UTC 
Created attachment 566069 [details]
generated AVCs
Comment 11 Milos Malik 2012-02-27 15:23:38 UTC 
Reproduced on my RHEL-6.3 virtual machine.

# rpm -qa selinux-policy\*
selinux-policy-3.7.19-137.el6.noarch
selinux-policy-targeted-3.7.19-137.el6.noarch
selinux-policy-minimum-3.7.19-137.el6.noarch
selinux-policy-mls-3.7.19-137.el6.noarch
selinux-policy-doc-3.7.19-137.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# 

How to Reproduce:
1) boot into runlevel 5
2) switch to graphical screen where GDM is visible
3) open "Universal Access Preferences" window --> select "Use on-screen keyboard" --> click on "Close"
4) get rid of gok process
5) ausearch -m avc -m user_avc -m selinux_err -tc recent
Comment 12 Daniel Walsh 2012-02-27 16:45:06 UTC 
So the gok command is going out and randomly listing lots of directories?
Comment 17 Daniel Walsh 2012-02-28 19:49:05 UTC 
Looks like in Fedora we have allowed it to list all of these directories probably would have been better to dontaudit.

files_dontaudit_list_non_security(xdm_t)
Comment 19 Suzanne Logcher 2012-05-14 19:02:25 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 22 Jan Kurik 2017-12-06 10:48:29 UTC 
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/