Bug 887999

Summary: SELinux is preventing /usr/bin/df from 'getattr' accesses on the directory /sys/kernel/config.
Product: Fedora
Reporter: Colin J Thomson <colin.thomson>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: bugzilla.redhat, desktop7.org, dominick.grift, dwalsh, laurent.rineau__fedora, long, mgrepl, mmarzantowicz, reiber, sc1.bugzilla.redhat, sjoerd, subscribed-lists, tadp, uckelman, vendor-redhat
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:468f00e2dc3e420c6c733665e3fd1d7c1c31a7accebe7f3dbe40f1088f087f57
Doc Type: Bug Fix
Last Closed: 2013-01-07 03:57:52 UTC
Attachments:
File: type (flags: none)
File: hashmarkername (flags: none)

Description Colin J Thomson 2012-12-17 19:37:31 UTC
Description of problem:
I was writing a .img file to an SD card using the Fedora Arm installer.
Writing fails and the partitions get corrupted on the SD card, probably not related though.


Additional info:
libreport version: 2.0.18
kernel:         3.6.10-2.fc17.x86_64

description:
:SELinux is preventing /usr/bin/df from 'getattr' accesses on the directory /sys/kernel/config.
:
:*****  Plugin restorecon (99.5 confidence) suggests  *************************
:
:If you want to fix the label. 
:/sys/kernel/config default label should be sysfs_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /sys/kernel/config
:
:*****  Plugin catchall (1.49 confidence) suggests  ***************************
:
:If you believe that df should be allowed getattr access on the config directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep df /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:configfs_t:s0
:Target Objects                /sys/kernel/config [ dir ]
:Source                        df
:Source Path                   /usr/bin/df
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           coreutils-8.15-9.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue
:                              Dec 11 18:07:34 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    2012-12-17 19:05:04 GMT
:Last Seen                     2012-12-17 19:05:04 GMT
:Local ID                      8882973e-aa99-4e3e-b603-1d21826cadb7
:
:Raw Audit Messages
:type=AVC msg=audit(1355771104.80:101): avc:  denied  { getattr } for  pid=21264 comm="df" path="/sys/kernel/config" dev="configfs" ino=8850 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1355771104.80:101): arch=x86_64 syscall=stat success=no exit=EACCES a0=1c3c350 a1=7fff4923e960 a2=7fff4923e960 a3=10 items=0 ppid=21262 pid=21264 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=6 comm=df exe=/usr/bin/df subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
:
:Hash: df,logwatch_t,configfs_t,dir,getattr
:
:audit2allow
:
:#============= logwatch_t ==============
:allow logwatch_t configfs_t:dir getattr;
:
:audit2allow -R
:
:#============= logwatch_t ==============
:allow logwatch_t configfs_t:dir getattr;
:
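
The report above contains the raw AVC record and the allow rule audit2allow derived from it, and comment 3 below shows the F18 rules (on the filesystem_type attribute) that already grant the access. The following Python is an added example, not part of the bug report or of the selinux-policy or audit2allow code: it parses the AVC line into source type, target type, class and permissions, emits the same allow rule audit2allow printed, and checks the denial against a small rule list with attribute expansion, so an administrator can tell whether a denial is already covered by a newer policy before writing a local module. The sample AVC line is copied from the description; the attribute membership map is an assumption (in a real system it would come from setools' seinfo), as is every helper name.

```python
import re

# Constructed sample input: the raw AVC record quoted in the bug description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1355771104.80:101): avc:  denied  { getattr } for  '
    'pid=21264 comm="df" path="/sys/kernel/config" dev="configfs" ino=8850 '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:configfs_t:s0 tclass=dir'
)

# The two rules sesearch printed for the F18 policy in comment 3:
# (source type, target type or attribute, object class, permission).
F18_RULES = [
    ("logwatch_t", "filesystem_type", "filesystem", "getattr"),
    ("logwatch_t", "filesystem_type", "dir", "getattr"),
]

# Assumption, not from the page: which types carry the filesystem_type attribute.
# On a real system this would be read from `seinfo -a filesystem_type -x` (setools).
ASSUMED_ATTRIBUTES = {"filesystem_type": {"configfs_t", "sysfs_t", "proc_t"}}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record; return None for records of other types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A security context is user:role:type[:range]; the type is the third component.
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def to_allow_rule(avc):
    """Emit the allow rule audit2allow would generate for one parsed denial."""
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_text};"


def _matches(rule_side, type_name, attributes):
    """A rule side matches a concrete type directly or via an attribute it belongs to."""
    return rule_side == type_name or type_name in attributes.get(rule_side, set())


def uncovered_perms(avc, rules, attributes):
    """Permissions from the denial that no rule (after attribute expansion) grants."""
    missing = []
    for perm in avc["perms"]:
        granted = any(
            _matches(src, avc["stype"], attributes)
            and _matches(tgt, avc["ttype"], attributes)
            and cls == avc["tclass"]
            and p == perm
            for src, tgt, cls, p in rules
        )
        if not granted:
            missing.append(perm)
    return missing


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(to_allow_rule(avc))
    print("uncovered under F18 rules:", uncovered_perms(avc, F18_RULES, ASSUMED_ATTRIBUTES))
    print("uncovered under no rules:  ", uncovered_perms(avc, [], ASSUMED_ATTRIBUTES))
```

Run against the sample, the script prints the same rule as the report's audit2allow output, reports nothing uncovered under the F18 rules (which is why the fix was a backport rather than a new rule), and lists getattr as uncovered when no rule matches, which is the case that would justify the temporary local module the catchall plugin suggests.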

Comment 1 Colin J Thomson 2012-12-17 19:37:35 UTC
Created attachment 665065 [details]
File: type

Comment 2 Colin J Thomson 2012-12-17 19:37:38 UTC
Created attachment 665066 [details]
File: hashmarkername

Comment 3 Daniel Walsh 2012-12-17 21:50:17 UTC
F18 has this access.

sesearch -A -s logwatch_t -t configfs_t 
Found 2 semantic av rules:
   allow logwatch_t filesystem_type : filesystem getattr ; 
   allow logwatch_t filesystem_type : dir getattr ;

Comment 4 Miroslav Grepl 2012-12-18 11:37:45 UTC
Yes, it has been added to F18.

Comment 5 long 2012-12-19 16:26:39 UTC
no idea, some cron job?

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 6 Colin J Thomson 2012-12-19 20:27:20 UTC
OK, it seems it had nothing to do with writing to my SD card as I first reported. It happens daily after some cron job (I guess) has run. The denied access time stamp matches the arrival of my Logwatch mail.

Comment 7 Dagan McGregor 2012-12-23 07:33:22 UTC
This keeps randomly appearing and I don't know why. It must have been triggered by a recent package update.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 8 Miroslav Grepl 2012-12-27 10:23:03 UTC
Backported from F17.

commit 284deb98af22ca002444458298246f9e99cd2c3c
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 27 11:20:37 2012 +0100

    Allow logwatch to getattr on all dirs

Comment 9 Mateusz Marzantowicz 2012-12-28 10:43:54 UTC
It happens randomly but always after a new login.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 10 Paul Reiber 2012-12-30 00:25:14 UTC
Brand new Fedora 17 install

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 11 Lorenzo Calabrese 2012-12-31 10:40:53 UTC
Nota Bene: !!! the command does the job just RIGHT !!!
The issue is about SELinux coming up with a violation/detection warning, ONLY.
But since "df" is a base command it should, yes, be allowed to oper
And in the past SELinux was not raising a detection with this command...

1. Opened konsole
2. sudo df -f /

or / and 

1. opened the konsole
2. su
3. df -f / 

It happens the same
- if konsole is opened for a while
- if df receives other parameters


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 12 Miroslav Grepl 2013-01-02 12:05:43 UTC
*** Bug 890528 has been marked as a duplicate of this bug. ***

Comment 13 Laurent Rineau 2013-01-03 07:52:59 UTC
I have the issue on Fedora 16. Will it be backported to F16 too?

Comment 14 Miroslav Grepl 2013-01-03 10:02:53 UTC
Yes.

Comment 15 Fedora Update System 2013-01-03 13:05:56 UTC
selinux-policy-3.10.0-166.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17

Comment 16 Fedora Update System 2013-01-05 06:38:04 UTC
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).

Comment 17 Sjoerd Mullender 2013-01-06 10:34:55 UTC
This happens when logwatch does its thing.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Comment 18 Fedora Update System 2013-01-07 03:57:54 UTC
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.