Bug 1007663 - selinux AVC when mgetty tries to open log file
Status: CLOSED ERRATA
Product: Fedora
Component: selinux-policy-targeted
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Keywords: Reopened
Reported: 2013-09-13 00:37 EDT by Gabriel Ramirez
Modified: 2013-10-14 13:21 EDT
Fixed In Version: selinux-policy-3.12.1-74.9.fc19
Doc Type: Bug Fix
Last Closed: 2013-10-14 02:59:46 EDT
Type: Bug

Description Gabriel Ramirez 2013-09-13 00:37:33 EDT
Description of problem:

I'm using mgetty to monitor a USB modem (/dev/ttyACM0) for caller ID information on Fedora 19 x86_64.

After updating to these RPMs:

selinux-policy-3.12.1-74.2.fc19.noarch
selinux-policy-devel-3.12.1-74.2.fc19.noarch
selinux-policy-targeted-3.12.1-74.2.fc19.noarch

the following SELinux AVC denial is generated:

type=AVC msg=audit(1378997528.877:20510): avc:  denied  { open } for  pid=2278 comm="mgetty" path="/var/log/mgetty.ttyACM0.log" dev="md114" ino=137 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

The log file /var/log/mgetty.ttyACM0.log is created automatically by the mgetty process, and the DIAGNOSTICS section of man 8 mgetty says:

If mgetty doesn't work the way it should, the main source of diagnostic data is the log file. It can be found in "/var/log/mgetty.ttyxx.log"

/etc/selinux/targeted/contexts/files/file_contexts has the regex:
/var/log/mgetty\.log.*  --      system_u:object_r:getty_log_t:s0
but it doesn't apply to "/var/log/mgetty.ttyACM0.log".

I executed:

semanage fcontext -a --seuser system_u -t getty_log_t '/var/log/mgetty.*\.log.*'
restorecon -RFv /var/log/mgetty.ttyACM0.log
and that fixed the AVC.

Version-Release number of selected component (if applicable):

selinux-policy-3.12.1-74.2.fc19.noarch
selinux-policy-devel-3.12.1-74.2.fc19.noarch
selinux-policy-targeted-3.12.1-74.2.fc19.noarch


thanks in advance,

Gabriel
Comment 1 Daniel Walsh 2013-09-16 14:20:41 EDT
This looks like the log file is being created by some process other than getty_t? If a getty_t process creates a file in /var/log, it will be labeled getty_log_t according to policy.

Any chance the init script is creating this file?
Comment 2 Gabriel Ramirez 2013-09-16 21:58:53 EDT
systemctl stop mgetty@ttyACM0.service

I will remove the local SELinux rule:
semanage fcontext -d --seuser system_u -t getty_log_t '/var/log/mgetty.*\.log.*'
and the log:
cd /var/log/
mv mgetty.ttyACM0.log mgetty.ttyACM0.log.old
cd /tmp
systemctl start mgetty@ttyACM0.service
cd /var/log

ls -Zlh /var/log/mgetty.ttyACM0.log*
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root 1.9K Sep 16 20:34 /var/log/mgetty.ttyACM0.log
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root 112K Sep 15 03:46 /var/log/mgetty.ttyACM0.log.1
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root 108K Sep  8 04:02 /var/log/mgetty.ttyACM0.log.2
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root  94K Sep  1 04:40 /var/log/mgetty.ttyACM0.log.3
-rw-r--r--. 1 system_u:object_r:getty_log_t:s0 root root  32K Sep 16 20:27 /var/log/mgetty.ttyACM0.log.old

And Dan, you are right: the file is created correctly now. The AVC appeared after updating selinux-policy but before rebooting the machine; at that time I tried restorecon -RFv /var/log/mgetty*, but the file contexts didn't change, so I reported the bug. Maybe I needed to reboot the machine before reporting the AVC.

So I'm closing the bug. Thanks, and thanks for your work on SELinux; in earlier Fedora releases I had many custom allow rules, but now I have only one.

Gabriel
Comment 3 Gabriel Ramirez 2013-09-23 22:52:29 EDT
I updated to: 
selinux-policy-3.12.1-74.4.fc19.noarch
selinux-policy-devel-3.12.1-74.4.fc19.noarch
selinux-policy-targeted-3.12.1-74.4.fc19.noarch

and that triggered the bug, because the update reset the log file context to:

ls -lZ /var/log/mgetty.ttyACM0.log*
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log.1
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log.2

If I remove /var/log/mgetty.ttyACM0.log and start
systemctl start mgetty@ttyACM0.service
the log file is created correctly:

ls -lZ /var/log/mgetty.ttyACM0.log*

-rw-r--r--. root root system_u:object_r:getty_log_t:s0 /var/log/mgetty.ttyACM0.log
-rw-r--r--. root root system_u:object_r:var_log_t:s0 /var/log/mgetty.ttyACM0.log.1

but if I do restorecon -RFv /var/log/mgetty.ttyACM0.log*, restorecon resets it:

restorecon reset /var/log/mgetty.ttyACM0.log context system_u:object_r:getty_log_t:s0->system_u:object_r:var_log_t:s0


thanks, 

Gabriel
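The two observations above (in the description, the shipped spec /var/log/mgetty\.log.* not matching mgetty.ttyACM0.log, and in Comment 3, restorecon resetting a correctly created getty_log_t file back to var_log_t) can be reproduced offline. The script below is an added example, not code from the bug report or from the selinux-policy package. It emulates how libselinux applies file_contexts: every regex is anchored to the whole path, and when several entries match, the last one wins (which is also why the local spec added with semanage fcontext, stored in file_contexts.local and consulted after the distribution specs, took effect). The spec list and the on-disk labels are constructed from the snippets posted in this bug, not copies of the real file_contexts or of any real filesystem.

```python
import re

# Constructed specs (not the full Fedora file_contexts): the generic /var/log
# entry, followed by the mgetty spec quoted in the description.
FILE_CONTEXTS_BEFORE_FIX = [
    ("/var/log(/.*)?",          "system_u:object_r:var_log_t:s0"),
    ("/var/log/mgetty\\.log.*", "system_u:object_r:getty_log_t:s0"),
]

# The pattern the reporter added with `semanage fcontext -a`; semanage stores
# it in file_contexts.local, which libselinux consults after the base specs.
LOCAL_MGETTY_SPEC = ("/var/log/mgetty.*\\.log.*", "system_u:object_r:getty_log_t:s0")

# Constructed on-disk labels, modelled on the `ls -lZ` output in Comment 3
# after the fresh mgetty.ttyACM0.log had been created by the getty_t process.
LABELS_AFTER_UPDATE = {
    "/var/log/mgetty.log":           "system_u:object_r:getty_log_t:s0",
    "/var/log/mgetty.ttyACM0.log":   "system_u:object_r:getty_log_t:s0",
    "/var/log/mgetty.ttyACM0.log.1": "system_u:object_r:var_log_t:s0",
}


def compile_specs(specs):
    """Anchor each file_contexts regex the way libselinux does (^...$), so a
    spec has to match the whole path rather than a substring of it."""
    return [(re.compile("^" + regex + "$"), context) for regex, context in specs]


def lookup(compiled, path):
    """Emulate selabel_lookup() for a path: the last matching spec wins.
    Returns None when no spec matches (restorecon leaves such files alone)."""
    label = None
    for pattern, context in compiled:
        if pattern.match(path):
            label = context
    return label


def restorecon_dry_run(compiled, current_labels):
    """Emulate `restorecon -nv`: return (path, current, expected) for every
    file whose on-disk label differs from what the specs assign to it."""
    changes = []
    for path, current in current_labels.items():
        expected = lookup(compiled, path)
        if expected is not None and expected != current:
            changes.append((path, current, expected))
    return changes


if __name__ == "__main__":
    before = compile_specs(FILE_CONTEXTS_BEFORE_FIX)
    after = compile_specs(FILE_CONTEXTS_BEFORE_FIX + [LOCAL_MGETTY_SPEC])

    for path in LABELS_AFTER_UPDATE:
        print(f"{path}\n  shipped spec: {lookup(before, path)}\n  with local spec: {lookup(after, path)}")

    # With the shipped spec, restorecon undoes the label the type transition
    # gave the freshly created log; with the local spec it relabels the
    # rotated file instead, which is the behaviour the reporter wanted.
    for label_set, compiled in (("shipped spec", before), ("with local spec", after)):
        for path, cur, exp in restorecon_dry_run(compiled, LABELS_AFTER_UPDATE):
            print(f"[{label_set}] restorecon would reset {path} {cur} -> {exp}")
```

The anchoring step is the part people most often get wrong when writing semanage fcontext patterns: `/var/log/mgetty\.log.*` looks like it should match any path containing that prefix, but libselinux compiles it as `^/var/log/mgetty\.log.*$`, so the `.ttyACM0` infix breaks the match and the file falls through to the generic /var/log entry. On a real system the same check is `matchpathcon /var/log/mgetty.ttyACM0.log` or `restorecon -nv`, both of which report the label the specs would assign without touching the file.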
Comment 4 Miroslav Grepl 2013-09-30 10:29:44 EDT
commit 5daf31839f67b838ee23c91847b4d0b4bd70de4e
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Sep 30 16:17:29 2013 +0200

    Fix labeling for mgetty.* logs
Comment 5 Fedora Update System 2013-10-08 16:47:43 EDT
selinux-policy-3.12.1-74.9.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.9.fc19
Comment 6 Fedora Update System 2013-10-09 21:14:42 EDT
Package selinux-policy-3.12.1-74.9.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.9.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18701/selinux-policy-3.12.1-74.9.fc19
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2013-10-14 02:59:46 EDT
selinux-policy-3.12.1-74.9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-10-14 13:21:50 EDT
selinux-policy-3.12.1-74.9.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.