Bug 1007663 - selinux AVC when mgetty tries to open log file
Summary: selinux AVC when mgetty tries to open log file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-09-13 04:37 UTC by Gabriel Ramirez
Modified: 2013-10-14 17:21 UTC (History)

Fixed In Version: selinux-policy-3.12.1-74.9.fc19
Clone Of:
Environment:
Last Closed: 2013-10-14 06:59:46 UTC
Type: Bug
Embargoed:

Description Gabriel Ramirez 2013-09-13 04:37:33 UTC
Description of problem:

I'm using mgetty to monitor a USB modem /dev/ttyACM0 for caller ID information in Fedora 19 x86_64.

After updating to these RPMs:

selinux-policy-3.12.1-74.2.fc19.noarch
selinux-policy-devel-3.12.1-74.2.fc19.noarch
selinux-policy-targeted-3.12.1-74.2.fc19.noarch

the following SELinux AVC is generated:

type=AVC msg=audit(1378997528.877:20510): avc:  denied  { open } for  pid=2278 comm="mgetty" path="/var/log/mgetty.ttyACM0.log" dev="md114" ino=137 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

The log file /var/log/mgetty.ttyACM0.log is created automatically by the mgetty process, and the DIAGNOSTICS section of man 8 mgetty says:

If mgetty doesn't work the way it should, the main source of diagnostic data is the log file. It can be found in "/var/log/mgetty.ttyxx.log"

The /etc/selinux/targeted/contexts/files/file_contexts file shows a regex of:
/var/log/mgetty\.log.*  --      system_u:object_r:getty_log_t:s0
but it doesn't apply to "/var/log/mgetty.ttyACM0.log".

I executed:

semanage fcontext -a --seuser system_u -t getty_log_t '/var/log/mgetty.*\.log.*'
restorecon -RFv /var/log/mgetty.ttyACM0.log
and that fixed the AVC.

Version-Release number of selected component (if applicable):

selinux-policy-3.12.1-74.2.fc19.noarch
selinux-policy-devel-3.12.1-74.2.fc19.noarch
selinux-policy-targeted-3.12.1-74.2.fc19.noarch


Thanks in advance,

Gabriel

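As an added illustration (not part of the original report), here is a small Python model of how restorecon resolves a path against file_contexts entries. It shows why the shipped regex `/var/log/mgetty\.log.*` never matches `/var/log/mgetty.ttyACM0.log` while the reporter's local rule does; the `/var/log(/.*)?` catch-all line and the file_contexts.local ordering are assumptions standing in for the full policy.

```python
import re

# Constructed fragment in the format of /etc/selinux/targeted/contexts/files/file_contexts.
# The mgetty entry is the one quoted in the report; the /var/log(/.*)? catch-all is
# assumed here to stand in for the rest of the shipped policy.
SHIPPED_FILE_CONTEXTS = r"""
/var/log(/.*)?                 system_u:object_r:var_log_t:s0
/var/log/mgetty\.log.*    --   system_u:object_r:getty_log_t:s0
"""

# The reporter's local rule (semanage fcontext -a ... -t getty_log_t '/var/log/mgetty.*\.log.*'),
# which goes into file_contexts.local and is consulted after the shipped entries.
LOCAL_FILE_CONTEXTS = r"""
/var/log/mgetty.*\.log.*  --   system_u:object_r:getty_log_t:s0
"""

def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file-type code or None, context)."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile(regex), ftype, context))
    return specs

def lookup(specs, path, ftype="--"):
    """Resolve path as restorecon does: regexes are implicitly anchored at both ends
    (hence fullmatch) and, when several entries match, the last one wins.  ftype uses
    the file_contexts codes ("--" regular file, "-d" directory); None matches any type."""
    result = None
    for regex, spec_type, context in specs:
        if spec_type is not None and spec_type != ftype:
            continue
        if regex.fullmatch(path):
            result = None if context == "<<none>>" else context
    return result

SHIPPED_SPECS = parse_file_contexts(SHIPPED_FILE_CONTEXTS)
FIXED_SPECS = parse_file_contexts(SHIPPED_FILE_CONTEXTS + LOCAL_FILE_CONTEXTS)

if __name__ == "__main__":
    for path in ("/var/log/mgetty.log", "/var/log/mgetty.ttyACM0.log", "/var/log/mgetty.ttyACM0.log.1"):
        print(path, "shipped:", lookup(SHIPPED_SPECS, path), "fixed:", lookup(FIXED_SPECS, path))
```

The same lookup explains the restorecon behaviour reported later in the thread: once the local rule is gone, the per-tty log falls back to the catch-all and is relabelled var_log_t.
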
Comment 1 Daniel Walsh 2013-09-16 18:20:41 UTC
This looks like the log file is being created by some process other than getty_t? If a getty_t process creates a file in /var/log, it will be labeled getty_log_t according to policy.

Any chance the init script is creating this file?

Comment 2 Gabriel Ramirez 2013-09-17 01:58:53 UTC
systemctl stop mgetty
I removed the local SELinux rule:
semanage fcontext -d --seuser system_u -t getty_log_t '/var/log/mgetty.*\.log.*'
and the log:
cd /var/log/
mv mgetty.ttyACM0.log mgetty.ttyACM0.log.old
cd /tmp
systemctl start mgetty
cd /var/log

ls -Zlh /var/log/mgetty.ttyACM0.log*
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root 1.9K Sep 16 20:34 /var/log/mgetty.ttyACM0.log
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root 112K Sep 15 03:46 /var/log/mgetty.ttyACM0.log.1
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root 108K Sep  8 04:02 /var/log/mgetty.ttyACM0.log.2
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root  94K Sep  1 04:40 /var/log/mgetty.ttyACM0.log.3
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root  32K Sep 16 20:27 /var/log/mgetty.ttyACM0.log.old

And Dan, you are right: the file is created correctly now. The AVC appeared after updating selinux-policy but before rebooting the machine, so at that time I tried restorecon -RFv /var/log/mgetty*, but the file contexts didn't change, so I reported the bug. Maybe I needed to reboot the machine first before reporting the AVC.

So I'm closing the bug. Thanks, and thanks for your work on SELinux; in earlier Fedora releases I had many custom SELinux allow rules, but now I only have one.

Gabriel

Comment 3 Gabriel Ramirez 2013-09-24 02:52:29 UTC
I updated to:
selinux-policy-3.12.1-74.4.fc19.noarch
selinux-policy-devel-3.12.1-74.4.fc19.noarch
selinux-policy-targeted-3.12.1-74.4.fc19.noarch

And that triggered the bug, because the update reset the log file context to:

ls -lZ /var/log/mgetty.ttyACM0.log*
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log.1
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log.2

If I remove /var/log/mgetty.ttyACM0.log and start mgetty with
systemctl start mgetty
the log file is created correctly:
ls -lZ /var/log/mgetty.ttyACM0.log*

-rw-r--r--. root root system_u:object_r:getty_log_t:s0 /var/log/mgetty.ttyACM0.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log.1

But if I do restorecon -RFv /var/log/mgetty.ttyACM0.log*:

restorecon reset /var/log/mgetty.ttyACM0.log context system_u:object_r:getty_log_t:s0->system_u:object_r:var_log_t:s0

Thanks,

Gabriel

Comment 4 Miroslav Grepl 2013-09-30 14:29:44 UTC
commit 5daf31839f67b838ee23c91847b4d0b4bd70de4e
Author: Miroslav Grepl <mgrepl>
Date:   Mon Sep 30 16:17:29 2013 +0200

    Fix labeling for mgetty.* logs

Comment 5 Fedora Update System 2013-10-08 20:47:43 UTC
selinux-policy-3.12.1-74.9.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.9.fc19

Comment 6 Fedora Update System 2013-10-10 01:14:42 UTC
Package selinux-policy-3.12.1-74.9.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.9.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18701/selinux-policy-3.12.1-74.9.fc19
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-10-14 06:59:46 UTC
selinux-policy-3.12.1-74.9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-10-14 17:21:50 UTC
selinux-policy-3.12.1-74.9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
