Bug 1026077 - SELinux prevents tor from searching in /sys/devices/system/cpu directory
SELinux prevents tor from searching in /sys/devices/system/cpu directory
Status: CLOSED DUPLICATE of bug 1026078
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-03 07:53 EST by Milos Malik
Modified: 2013-12-12 10:21 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-05 08:14:26 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2013-11-03 07:53:58 EST
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-doc-3.7.19-231.el6.noarch
selinux-policy-minimum-3.7.19-231.el6.noarch
selinux-policy-mls-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
tor-0.2.3.25-6.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.5 machine where targeted policy is active
2. service tor start
3. search for AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(11/03/2013 13:50:13.204:634) : item=0 name=/sys/devices/system/cpu inode=1 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/03/2013 13:50:13.204:634) :  cwd=/ 
type=SYSCALL msg=audit(11/03/2013 13:50:13.204:634) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fd3ccf58351 a1=90800 a2=fffffffffff5c454 a3=7fd3ccdfc240 items=1 ppid=1 pid=7505 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=tor exe=/usr/bin/tor subj=unconfined_u:system_r:tor_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:50:13.204:634) : avc:  denied  { search } for  pid=7505 comm=tor name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-11-03 07:55:46 EST
Actual results (permissive mode):
----
type=PATH msg=audit(11/03/2013 13:54:37.470:637) : item=0 name=/sys/devices/system/cpu inode=22 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/03/2013 13:54:37.470:637) :  cwd=/ 
type=SYSCALL msg=audit(11/03/2013 13:54:37.470:637) : arch=x86_64 syscall=open success=yes exit=3 a0=7f3576206351 a1=90800 a2=fffffffffff5c454 a3=7f35760aa240 items=1 ppid=1 pid=7579 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=tor exe=/usr/bin/tor subj=unconfined_u:system_r:tor_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { open } for  pid=7579 comm=tor name=cpu dev=sysfs ino=22 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { read } for  pid=7579 comm=tor name=cpu dev=sysfs ino=22 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { search } for  pid=7579 comm=tor name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----
Comment 2 Daniel Walsh 2013-11-04 12:05:16 EST
Strange I just saw a bugzilla like this for httpd_sys_script_t which was using perl.
Comment 3 Miroslav Grepl 2013-11-05 08:14:26 EST

*** This bug has been marked as a duplicate of bug 1026078 ***

Note You need to log in before you can comment on or make changes to this bug.