Bug 954075

Summary: audit2allow generating AVCs, but they are not being reported
Product: [Fedora] Fedora
Reporter: Niki Guldbrand <niki.guldbrand>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, mgrepl
Doc Type: Bug Fix
Last Closed: 2013-04-27 23:53:22 UTC
Type: Bug

Description Niki Guldbrand 2013-04-20 13:06:57 UTC
Description of problem:

I can see in my audit log that I'm getting some AVC denials about audit2allow not being granted access to a file /var/lib/sepolgen/perm_map.
And these aren't being reported like the rest I normally get via email from the system.

I have removed all custom policy fixes, and done a relabel on boot, but they showed up before that too...

Version-Release number of selected component (if applicable):
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch

How reproducible:
Always...

Steps to Reproduce:
1. Generate an AVC denial
2. Watch the dispatcher do its thing
3. Examine the audit log, and see the denials
  
Actual results:

# ausearch -ts 14:00:00 -m AVC | grep audit2allow
type=SYSCALL msg=audit(1366460130.791:127): arch=40000003 syscall=5 success=yes exit=3 a0=9132f10 a1=8000 a2=1b6 a3=9134798 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366460130.791:127): avc:  denied  { open } for  pid=1677 comm="audit2allow" path="/var/lib/sepolgen/interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460130.791:127): avc:  denied  { read } for  pid=1677 comm="audit2allow" name="interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366460138.361:128): arch=40000003 syscall=5 success=yes exit=3 a0=97d41b0 a1=8000 a2=1b6 a3=ce12380 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366460138.361:128): avc:  denied  { open } for  pid=1677 comm="audit2allow" path="/var/lib/sepolgen/perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460138.361:128): avc:  denied  { read } for  pid=1677 comm="audit2allow" name="perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Expected results:

No AVC denials

Additional info:

# ausearch -ts 14:00:00 -m AVC | grep audit2allow | audit2allow -m mypol -R

policy_module(mypol, 1.0)

require {
	type setroubleshootd_t;
}

#============= setroubleshootd_t ==============
files_read_var_lib_files(setroubleshootd_t)


# ausearch -ts 14:00:00 -m AVC | grep audit2allow | audit2allow -m mypol

module mypol 1.0;

require {
	type setroubleshootd_t;
	type var_lib_t;
	class file { read open };
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t var_lib_t:file { read open };

Comment 1 Miroslav Grepl 2013-04-23 09:01:22 UTC
Ok, this is not a problem with sealert but with "email_alert".

/usr/lib64/python2.7/site-packages/setroubleshoot/server.py:                email_alert(siginfo, to_addrs)

Comment 2 Daniel Walsh 2013-04-23 17:12:29 UTC
Miroslav, would details trigger it also?  Bugreport?  Or are these only happening in the user session?

I was thinking we should label this content as something other than var_lib_t, but I am not sure what?

Comment 3 Miroslav Grepl 2013-04-24 10:31:13 UTC
Yes, I was also thinking about a new labeling. Details should be ok.

Comment 4 Daniel Walsh 2013-04-24 17:45:11 UTC
86a0f3d735701d8429a530493d0c67c31bb9ad21 fixes this in git.

Comment 5 Fedora Update System 2013-04-26 13:06:04 UTC
selinux-policy-3.11.1-92.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-92.fc18

Comment 6 Fedora Update System 2013-04-27 00:16:33 UTC
Package selinux-policy-3.11.1-92.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-92.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6769/selinux-policy-3.11.1-92.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-04-27 23:53:24 UTC
selinux-policy-3.11.1-92.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.