Bug 887999
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/df from 'getattr' accesses on the directory /sys/kernel/config. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Version | 17 |
| Hardware | x86_64 |
| OS | Unspecified |
| Reporter | Colin J Thomson <colin.thomson> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bugzilla.redhat, desktop7.org, dominick.grift, dwalsh, laurent.rineau__fedora, long, mgrepl, mmarzantowicz, reiber, sc1.bugzilla.redhat, sjoerd, subscribed-lists, tadp, uckelman, vendor-redhat |
| Whiteboard | abrt_hash:468f00e2dc3e420c6c733665e3fd1d7c1c31a7accebe7f3dbe40f1088f087f57 |
| Doc Type | Bug Fix |
| Last Closed | 2013-01-07 03:57:52 UTC |

Description
Colin J Thomson
2012-12-17 19:37:31 UTC
Created attachment 665065 [details]
File: type
Created attachment 665066 [details]
File: hashmarkername
F18 has this access.

    sesearch -A -s logwatch_t -t configfs_t
    Found 2 semantic av rules:
       allow logwatch_t filesystem_type : filesystem getattr ;
       allow logwatch_t filesystem_type : dir getattr ;

Yes, it has been added to F18.

no idea, some cron job?

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

OK, it seems it had nothing to do with writing to my SD card as I first reported. It happens daily after some cron job (I guess) has run. The denied access time stamp matches the arrival of my Logwatch mail.

This keeps randomly appearing and I don't know why. It must have been triggered by a recent package update.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Backported from F17.

    commit 284deb98af22ca002444458298246f9e99cd2c3c
    Author: Miroslav Grepl <mgrepl>
    Date: Thu Dec 27 11:20:37 2012 +0100

        Allow logwatch to getattr on all dirs

It happens randomly but always after new log in.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Brand new Fedora 17 install

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

Nota Bene: !!! the command does the job just RIGHT !!! The issue is about SELinux coming up with a violation/detection warning, ONLY. But since "df" is a base command it should yes be allowed to oper

And in the past SElinux was not raising up detection with this command...

1. Opened konsole
2. sudo df -f /

or / and

1. opened the konsole
2. su
3. df -f /

It happens the same

- if konsole is opened for a while
- if df receives other parameters

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

*** Bug 890528 has been marked as a duplicate of this bug. ***

I have the issue on Fedora 16. Will it be backported to F16 too?

Yes.

selinux-policy-3.10.0-166.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17

Package selinux-policy-3.10.0-166.fc17:

* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).

This happens when logwatch does its thing.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)

selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
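
An added example, not part of the bug thread or of selinux-policy: a small Python check that parses `sesearch -A` allow rules like the ones quoted in the comments above and reports whether the denied access from the summary (`logwatch_t`, `getattr` on a `configfs_t` directory) is covered by the policy. The function names are hypothetical, and the mapping of `configfs_t` to the `filesystem_type` attribute is an assumption inferred from the quoted `sesearch -t configfs_t` output.

```python
import re

# Rule lines as quoted in the bug comment (sesearch -A -s logwatch_t -t configfs_t).
SESEARCH_OUTPUT = """\
Found 2 semantic av rules:
   allow logwatch_t filesystem_type : filesystem getattr ;
   allow logwatch_t filesystem_type : dir getattr ;
"""

# Assumption: configfs_t carries the filesystem_type attribute, which is why
# a search targeting configfs_t returned rules written against the attribute.
TYPE_ATTRIBUTES = {"configfs_t": {"filesystem_type"}}

# allow <source> <target> : <class or { classes }> <perm or { perms }> ;
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>\{[^}]*\}|\S+)\s*;"
)


def _names(token):
    """Turn 'dir' or '{ dir file }' into a set of names."""
    return set(token.strip("{} ").split())


def parse_allow_rules(text):
    """Return (source, target, classes, perms) tuples; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["src"], m["tgt"], _names(m["cls"]), _names(m["perms"])))
    return rules


def is_allowed(rules, src, tgt, cls, perm, attrs=TYPE_ATTRIBUTES):
    """True if a rule covers the access, matching types directly or via attributes."""
    src_names = {src} | attrs.get(src, set())
    tgt_names = {tgt} | attrs.get(tgt, set())
    return any(
        s in src_names and t in tgt_names and cls in c and perm in p
        for s, t, c, p in rules
    )


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    # The access from the bug summary: df (run by logwatch) stat()ing /sys/kernel/config.
    print(is_allowed(rules, "logwatch_t", "configfs_t", "dir", "getattr"))
```

On a live system the rule text would come from running the same `sesearch` command against the installed policy before and after the update.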