Bug 1003289 - switching to root from a confined user generates a lot of AVC
switching to root from a confined user generates a lot of AVC
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
19
Unspecified Unspecified
unspecified Severity low
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-01 13:34 EDT by Alphonse Steiner
Modified: 2013-09-14 02:37 EDT (History)
2 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.3.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-13 22:31:00 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Alphonse Steiner 2013-09-01 13:34:08 EDT
Description of problem:
I am currently logged on my system as seuser staff_u. When I need root privileges, I change the role to sysadm_r and use the classic command "su -".
This last command takes a while and generate a lot of denials (I have counted 3089 AVC). I have used audit2allow to generate dontaudit rules:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t apm_bios_t:chr_file getattr;
dontaudit sysadm_su_t autofs_device_t:chr_file getattr;
dontaudit sysadm_su_t clock_device_t:chr_file getattr;
dontaudit sysadm_su_t event_device_t:chr_file getattr;
dontaudit sysadm_su_t fixed_disk_device_t:blk_file getattr;
dontaudit sysadm_su_t framebuf_device_t:chr_file getattr;
dontaudit sysadm_su_t fuse_device_t:chr_file getattr;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t kmsg_device_t:chr_file getattr;
dontaudit sysadm_su_t kvm_device_t:chr_file getattr;
dontaudit sysadm_su_t loop_control_device_t:chr_file getattr;
dontaudit sysadm_su_t lvm_control_t:chr_file getattr;
dontaudit sysadm_su_t mei_device_t:chr_file getattr;
dontaudit sysadm_su_t memory_device_t:chr_file getattr;
dontaudit sysadm_su_t netcontrol_device_t:chr_file getattr;
dontaudit sysadm_su_t nvram_device_t:chr_file getattr;
dontaudit sysadm_su_t ppp_device_t:chr_file getattr;
dontaudit sysadm_su_t printer_device_t:chr_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;
dontaudit sysadm_su_t ptmx_t:chr_file getattr;
dontaudit sysadm_su_t removable_device_t:blk_file getattr;
dontaudit sysadm_su_t scsi_generic_device_t:chr_file getattr;
dontaudit sysadm_su_t tty_device_t:chr_file getattr;
dontaudit sysadm_su_t usbmon_device_t:chr_file getattr;
dontaudit sysadm_su_t v4l_device_t:chr_file getattr;
dontaudit sysadm_su_t vhost_device_t:chr_file getattr;
dontaudit sysadm_su_t watchdog_device_t:chr_file getattr;
dontaudit sysadm_su_t wireless_device_t:chr_file getattr;
dontaudit sysadm_su_t xserver_misc_device_t:chr_file getattr;


It works fine with them.

Version in use: selinux-policy-targeted-3.12.1-73.fc19.noarch
Comment 1 Daniel Walsh 2013-09-04 14:43:50 EDT
5bf08c2d0bc4ce026376ee96b2a5e6bc2f214a39 fixes this in git.
Comment 2 Miroslav Grepl 2013-09-09 14:10:01 EDT
Has been back ported.

Lukas,
is this a part of the latest update?
Comment 3 Alphonse Steiner 2013-09-12 03:17:31 EDT
selinux-policy-targeted-3.12.1-74.2.fc19.noarch fixes almost all the denials.
Here the remaining ones:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;
Comment 4 Lukas Vrabec 2013-09-12 04:11:55 EDT
Miroslav, 

Fix was included in 3.12.1-74.2.fc19
Comment 5 Fedora Update System 2013-09-12 05:09:48 EDT
selinux-policy-3.12.1-74.3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.3.fc19
Comment 6 Fedora Update System 2013-09-12 20:58:58 EDT
Package selinux-policy-3.12.1-74.3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16580/selinux-policy-3.12.1-74.3.fc19
then log in and leave karma (feedback).
Comment 7 Alphonse Steiner 2013-09-13 13:36:31 EDT
Too late to give a good karma, but comment #3 is still valid.
Comment 8 Fedora Update System 2013-09-13 22:31:00 EDT
selinux-policy-3.12.1-74.3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Alphonse Steiner 2013-09-14 02:37:14 EDT
It is too early to close, there are still some denials:

#============= sysadm_su_t ==============
dontaudit sysadm_su_t admin_home_t:dir write;
dontaudit sysadm_su_t gpmctl_t:sock_file getattr;
dontaudit sysadm_su_t init_t:dir search;
dontaudit sysadm_su_t initctl_t:fifo_file getattr;
dontaudit sysadm_su_t proc_kcore_t:file getattr;

Note You need to log in before you can comment on or make changes to this bug.