Bug 773197

Summary: denial on cvs search in user's home directory
Product: Red Hat Enterprise Linux 6
Reporter: Petr Sklenar <psklenar>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.2
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-01-11 10:12:03 UTC

Description Petr Sklenar 2012-01-11 08:23:01 UTC
Description of problem:
denial on cvs search in user's home directory

Version-Release number of selected component (if applicable):
# rpm -q cvs selinux-policy
cvs-1.11.23-11.el6_0.1.i686
selinux-policy-3.7.19-126.el6.noarch


How reproducible:
deterministic

Steps to Reproduce:
1. set up CVS server
2. cvs -d ":pserver:bz538376-14857:redhat@<IP of HOST>:/var/cvs" commit -m test
  
Actual results:
AVC denial
type=AVC msg=audit(1326269693.725:281399): avc:  denied  { search } for  pid=18869 comm="cvs" name="bz538376-14857" dev=dm-0 ino=314158 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326269693.793:281400): avc:  denied  { search } for  pid=18869 comm="cvs" name="bz538376-14857" dev=dm-0 ino=314158 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

# find / -mount -inum 314158
/home/bz538376-14857
# ls -Zd /home/bz538376-14857
drwx------. bz538376-14857 bz538376-14857 unconfined_u:object_r:user_home_dir_t:s0 /home/bz538376-14857


Expected results:
no denial;
cvs can search for the user's settings in his/her home,
or there is a boolean which can enable it

Additional info:
# getsebool -a | grep cvs
allow_cvs_read_shadow --> on

Comment 2 Petr Sklenar 2012-01-11 08:27:36 UTC
I just found that there is a boolean on RHEL 5 which helps here.

setsebool cvs_disable_trans on

When I tried that on RHEL 5, this boolean helped and the denial was not there.
It's not on RHEL 6, so I'm adding the Regression keyword.

Comment 4 Milos Malik 2012-01-11 08:43:24 UTC
There are many *_disable_trans booleans in RHEL-5, but these booleans were intentionally not implemented in RHEL-6, because they serve another purpose. I'm going to remove Regression keyword, because this is a regular bug.

Comment 6 Milos Malik 2012-01-11 09:55:50 UTC
I see the same AVC in https://bugzilla.redhat.com/show_bug.cgi?id=768312#c6. Could we mark this bug as duplicate?

Comment 7 Petr Sklenar 2012-01-11 10:12:03 UTC
(In reply to comment #6)
> I see the same AVC in https://bugzilla.redhat.com/show_bug.cgi?id=768312#c6.
> Could we mark this bug as duplicate?

I see this is that search. I think it's the same. I am closing this bug as a dupe of 768312.

*** This bug has been marked as a duplicate of bug 768312 ***

Comment 8 Miroslav Grepl 2012-01-11 10:32:51 UTC
We don't audit it in RHEL5. 

Is this really needed? Are you getting more AVC msgs in permissive mode?

Comment 9 Petr Sklenar 2012-01-11 10:44:22 UTC
(In reply to comment #8)
> Is this really needed? Are you getting more AVC msgs in permissive mode?
There is the same amount of denials in permissive mode.

All of them look like comment 0: avc:  denied  { search } for  pid=19270 comm="cvs"
I hope it's going to be fixed by bug 768312, is it?
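
The AVC records quoted in the description, and the enforcing-versus-permissive comparison asked for in comment 8 and answered in comment 9, both reduce to parsing audit lines and grouping denials by source type, target type, object class and permission. The following is an added example, not code from this bug report or from the selinux-policy package: a small Python parser run over the two AVC lines quoted in the description, plus one constructed non-AVC record to show that it is skipped. The function names and the SAMPLE_LOG constant are this example's own. The allow rule it derives comes mechanically from the AVC fields, the same way audit2allow would derive it, and says nothing about whether granting that access is the right fix for this bug.

```python
"""Parse SELinux AVC records and derive the minimal allow rules they imply.

Added example for this bug report; not part of the report or of the
selinux-policy package. The two AVC lines in SAMPLE_LOG are copied from the
report's description; the SYSCALL line is constructed. Names are this
example's own.
"""
import re
from collections import Counter

# Generic audit key=value tokens; values are bare or double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The permission set sits in braces: 'avc:  denied  { search } for ...'
_PERMS = re.compile(r'\bavc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None for any other line."""
    m = _PERMS.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV.findall(line):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules are written on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def allow_rules(records):
    """Collapse denials into 'allow src tgt:class { perms };' strings.

    Repeated denials (the report shows the same search denial twice) fold
    into one rule; permissions on the same src/tgt/class triple are merged.
    """
    merged = {}
    for r in records:
        if r is None or r["result"] != "denied":
            continue
        key = (r["scontext_type"], r["tcontext_type"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def denial_counts(records):
    """Count denials per (src type, tgt type, class, perms).

    Comparing these counts between an enforcing run and a permissive run is
    the check from comment 8: in enforcing mode the first denied access
    aborts the operation, so denials later on the same code path never
    appear; in permissive mode every denial is logged.
    """
    counts = Counter()
    for r in records:
        if r is None or r["result"] != "denied":
            continue
        perms = " ".join(sorted(r["perms"]))
        counts[(r["scontext_type"], r["tcontext_type"], r["tclass"], perms)] += 1
    return counts


# Two AVC records from the description plus one constructed SYSCALL record.
SAMPLE_LOG = """\
type=AVC msg=audit(1326269693.725:281399): avc:  denied  { search } for  pid=18869 comm="cvs" name="bz538376-14857" dev=dm-0 ino=314158 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326269693.793:281400): avc:  denied  { search } for  pid=18869 comm="cvs" name="bz538376-14857" dev=dm-0 ino=314158 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1326269693.793:281400): arch=40000003 syscall=5 success=no exit=-13
"""


def analyze(log_text):
    """Parse a block of audit text; return (allow rules, denial counts)."""
    records = [parse_avc(ln) for ln in log_text.splitlines()]
    return allow_rules(records), denial_counts(records)


if __name__ == "__main__":
    rules, counts = analyze(SAMPLE_LOG)
    for rule in rules:
        print(rule)
    for key, n in sorted(counts.items()):
        print(n, key)
```

On the report's two lines this yields a single rule, `allow cvs_t user_home_dir_t:dir { search };`, counted twice. Running the same parser over a capture taken with `setenforce 0` and comparing the counts is the concrete form of the question in comment 8; comment 9 reports that the counts did not change, which means the `search` on the home directory is the only access cvs_t is missing on that path, not the first link in a longer chain. If such a rule is judged legitimate, the normal route is `audit2allow -M <module> < avc.log` followed by `semodule -i <module>.pp`, kept to that one rule rather than anything broader.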