1003289 – switching to root from a confined user generates a lot of AVC

Bug 1003289 - switching to root from a confined user generates a lot of AVC

Summary: switching to root from a confined user generates a lot of AVC

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-09-01 17:34 UTC by Alphonse Steiner
Modified:	2013-09-14 06:37 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.12.1-74.3.fc19
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-09-14 02:31:00 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Alphonse Steiner 2013-09-01 17:34:08 UTC

Description of problem:
I am currently logged on my system as seuser staff_u. When I need root privileges, I change the role to sysadm_r and use the classic command "su -".
This last command takes a while and generate a lot of denials (I have counted 3089 AVC). I have used audit2allow to generate dontaudit rules:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t apm_bios_t:chr_file getattr;
dontaudit sysadm_su_t autofs_device_t:chr_file getattr;
dontaudit sysadm_su_t clock_device_t:chr_file getattr;
dontaudit sysadm_su_t event_device_t:chr_file getattr;
dontaudit sysadm_su_t fixed_disk_device_t:blk_file getattr;
dontaudit sysadm_su_t framebuf_device_t:chr_file getattr;
dontaudit sysadm_su_t fuse_device_t:chr_file getattr;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t kmsg_device_t:chr_file getattr;
dontaudit sysadm_su_t kvm_device_t:chr_file getattr;
dontaudit sysadm_su_t loop_control_device_t:chr_file getattr;
dontaudit sysadm_su_t lvm_control_t:chr_file getattr;
dontaudit sysadm_su_t mei_device_t:chr_file getattr;
dontaudit sysadm_su_t memory_device_t:chr_file getattr;
dontaudit sysadm_su_t netcontrol_device_t:chr_file getattr;
dontaudit sysadm_su_t nvram_device_t:chr_file getattr;
dontaudit sysadm_su_t ppp_device_t:chr_file getattr;
dontaudit sysadm_su_t printer_device_t:chr_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;
dontaudit sysadm_su_t ptmx_t:chr_file getattr;
dontaudit sysadm_su_t removable_device_t:blk_file getattr;
dontaudit sysadm_su_t scsi_generic_device_t:chr_file getattr;
dontaudit sysadm_su_t tty_device_t:chr_file getattr;
dontaudit sysadm_su_t usbmon_device_t:chr_file getattr;
dontaudit sysadm_su_t v4l_device_t:chr_file getattr;
dontaudit sysadm_su_t vhost_device_t:chr_file getattr;
dontaudit sysadm_su_t watchdog_device_t:chr_file getattr;
dontaudit sysadm_su_t wireless_device_t:chr_file getattr;
dontaudit sysadm_su_t xserver_misc_device_t:chr_file getattr;


It works fine with them.

Version in use: selinux-policy-targeted-3.12.1-73.fc19.noarch

Comment 1 Daniel Walsh 2013-09-04 18:43:50 UTC

5bf08c2d0bc4ce026376ee96b2a5e6bc2f214a39 fixes this in git.

Comment 2 Miroslav Grepl 2013-09-09 18:10:01 UTC

Has been back ported.

Lukas,
is this a part of the latest update?

Comment 3 Alphonse Steiner 2013-09-12 07:17:31 UTC

selinux-policy-targeted-3.12.1-74.2.fc19.noarch fixes almost all the denials.
Here the remaining ones:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;

Comment 4 Lukas Vrabec 2013-09-12 08:11:55 UTC

Miroslav, 

Fix was included in 3.12.1-74.2.fc19

Comment 5 Fedora Update System 2013-09-12 09:09:48 UTC

selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19

Comment 6 Fedora Update System 2013-09-13 00:58:58 UTC

Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).

Comment 7 Alphonse Steiner 2013-09-13 17:36:31 UTC

Too late to give a good karma, but comment #3 is still valid.

Comment 8 Fedora Update System 2013-09-14 02:31:00 UTC

selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Alphonse Steiner 2013-09-14 06:37:14 UTC

It is too early to close, there are still some denials:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;

Note You need to log in before you can comment on or make changes to this bug.