Bug 1003289 - switching to root from a confined user generates a lot of AVC
Summary: switching to root from a confined user generates a lot of AVC
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-01 17:34 UTC by Alphonse Steiner
Modified: 2013-09-14 06:37 UTC (History)
2 users (show)

Fixed In Version: selinux-policy-3.12.1-74.3.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-14 02:31:00 UTC
Type: Bug


Attachments (Terms of Use)

Description Alphonse Steiner 2013-09-01 17:34:08 UTC
Description of problem:
I am currently logged on my system as seuser staff_u. When I need root privileges, I change the role to sysadm_r and use the classic command "su -".
This last command takes a while and generate a lot of denials (I have counted 3089 AVC). I have used audit2allow to generate dontaudit rules:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t apm_bios_t:chr_file getattr;
dontaudit sysadm_su_t autofs_device_t:chr_file getattr;
dontaudit sysadm_su_t clock_device_t:chr_file getattr;
dontaudit sysadm_su_t event_device_t:chr_file getattr;
dontaudit sysadm_su_t fixed_disk_device_t:blk_file getattr;
dontaudit sysadm_su_t framebuf_device_t:chr_file getattr;
dontaudit sysadm_su_t fuse_device_t:chr_file getattr;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t kmsg_device_t:chr_file getattr;
dontaudit sysadm_su_t kvm_device_t:chr_file getattr;
dontaudit sysadm_su_t loop_control_device_t:chr_file getattr;
dontaudit sysadm_su_t lvm_control_t:chr_file getattr;
dontaudit sysadm_su_t mei_device_t:chr_file getattr;
dontaudit sysadm_su_t memory_device_t:chr_file getattr;
dontaudit sysadm_su_t netcontrol_device_t:chr_file getattr;
dontaudit sysadm_su_t nvram_device_t:chr_file getattr;
dontaudit sysadm_su_t ppp_device_t:chr_file getattr;
dontaudit sysadm_su_t printer_device_t:chr_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;
dontaudit sysadm_su_t ptmx_t:chr_file getattr;
dontaudit sysadm_su_t removable_device_t:blk_file getattr;
dontaudit sysadm_su_t scsi_generic_device_t:chr_file getattr;
dontaudit sysadm_su_t tty_device_t:chr_file getattr;
dontaudit sysadm_su_t usbmon_device_t:chr_file getattr;
dontaudit sysadm_su_t v4l_device_t:chr_file getattr;
dontaudit sysadm_su_t vhost_device_t:chr_file getattr;
dontaudit sysadm_su_t watchdog_device_t:chr_file getattr;
dontaudit sysadm_su_t wireless_device_t:chr_file getattr;
dontaudit sysadm_su_t xserver_misc_device_t:chr_file getattr;


It works fine with them.

Version in use: selinux-policy-targeted-3.12.1-73.fc19.noarch

Comment 1 Daniel Walsh 2013-09-04 18:43:50 UTC
5bf08c2d0bc4ce026376ee96b2a5e6bc2f214a39 fixes this in git.

Comment 2 Miroslav Grepl 2013-09-09 18:10:01 UTC
Has been back ported.

Lukas,
is this a part of the latest update?

Comment 3 Alphonse Steiner 2013-09-12 07:17:31 UTC
selinux-policy-targeted-3.12.1-74.2.fc19.noarch fixes almost all the denials.
Here the remaining ones:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;

Comment 4 Lukas Vrabec 2013-09-12 08:11:55 UTC
Miroslav, 

Fix was included in 3.12.1-74.2.fc19

Comment 5 Fedora Update System 2013-09-12 09:09:48 UTC
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19

Comment 6 Fedora Update System 2013-09-13 00:58:58 UTC
Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).

Comment 7 Alphonse Steiner 2013-09-13 17:36:31 UTC
Too late to give a good karma, but comment #3 is still valid.

Comment 8 Fedora Update System 2013-09-14 02:31:00 UTC
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Alphonse Steiner 2013-09-14 06:37:14 UTC
It is too early to close, there are still some denials:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;


Note You need to log in before you can comment on or make changes to this bug.