Bug 998763
| Summary: | sosreport avcs | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Highley <david.m.highley> | ||||||
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | 19 | CC: | dwalsh | ||||||
| Target Milestone: | --- | Keywords: | Reopened | ||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | selinux-policy-3.12.1-74.8.fc19 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-09-30 00:35:26 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
Dan added fixes. selinux-policy-3.12.1-73.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-73.fc19 Package selinux-policy-3.12.1-73.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-73.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-15219/selinux-policy-3.12.1-73.fc19 then log in and leave karma (feedback). selinux-policy-3.12.1-73.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Created attachment 792705 [details]
Reboot avcs
Still not completely fixed. On a reboot see the attached avc.
rpm -q selinux-policy
selinux-policy-3.12.1-73.fc19.noarch
After updating to selinux-policy-3.12.1-74.2.fc19.noarch, still see on reboot:
time->Fri Sep 13 00:22:06 2013
type=SYSCALL msg=audit(1379056926.562:14297): arch=c000003e syscall=2 success=no exit=-13 a0=6417ae0 a1=0 a2=1b6 a3=3 items=0 ppid=1 pid=2005 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sosreport" exe="/usr/bin/python2.7" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1379056926.562:14297): avc: denied { read } for pid=2005 comm="sosreport" name="opasswd" dev="dm-1" ino=134335364 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Does it actually need to read this or should we dontaudit it? I would not be crazy about a tool that reads shadow files. My thinking is to do a dontaudit which is what we did for our local policy. We do not like all these applications trying to read the shadow file. e4b4ac7e56882e004325ecda13656678baf59249 fixes this in git. Back ported. selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19 Package selinux-policy-3.12.1-74.8.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19 then log in and leave karma (feedback). selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |
Created attachment 788276 [details] bzip2 of avcs for sosreport violations Description of problem: Lots of avcs for sosreports Version-Release number of selected component (if applicable): selinux-policy-targeted-3.12.1-69.fc19.noarc How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Created local policy for now. Note that we chose not to let it read the shadow file. module my_sosreport 1.0; require { type sosreport_t; type abrt_var_run_t; type configfs_t; type devpts_t; type initctl_t; type lvm_var_run_t; type pstorefs_t; type shadow_t; type var_run_t; type automount_var_run_t; type dovecot_var_run_t; type systemd_logind_inhibit_var_run_t; class sock_file { write }; class chr_file { getattr }; class dir { getattr write add_name }; class fifo_file { getattr }; class capability { sys_ptrace }; class netlink_kobject_uevent_socket { create }; class rawip_socket { create getopt }; class file { getattr read }; class netlink_kobject_uevent_socket { bind setopt }; } #============= sosreport_t ============== allow sosreport_t abrt_var_run_t:sock_file write; allow sosreport_t configfs_t:dir getattr; allow sosreport_t devpts_t:chr_file getattr; allow sosreport_t initctl_t:fifo_file getattr; allow sosreport_t lvm_var_run_t:fifo_file getattr; allow sosreport_t pstorefs_t:dir getattr; allow sosreport_t self:capability sys_ptrace; allow sosreport_t self:netlink_kobject_uevent_socket create; allow sosreport_t self:rawip_socket create; allow sosreport_t shadow_t:file getattr; allow sosreport_t var_run_t:dir { write add_name }; allow sosreport_t automount_var_run_t:fifo_file getattr; allow sosreport_t dovecot_var_run_t:fifo_file getattr; allow sosreport_t self:netlink_kobject_uevent_socket { bind setopt }; allow sosreport_t self:rawip_socket getopt; allow sosreport_t systemd_logind_inhibit_var_run_t:fifo_file getattr; dontaudit sosreport_t shadow_t:file read;