Bug 1026077 - SELinux prevents tor from searching in /sys/devices/system/cpu directory
Summary: SELinux prevents tor from searching in /sys/devices/system/cpu directory
Keywords:
Status: CLOSED DUPLICATE of bug 1026078
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-03 12:53 UTC by Milos Malik
Modified: 2013-12-12 15:21 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-05 13:14:26 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Milos Malik 2013-11-03 12:53:58 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-doc-3.7.19-231.el6.noarch
selinux-policy-minimum-3.7.19-231.el6.noarch
selinux-policy-mls-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
tor-0.2.3.25-6.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.5 machine where targeted policy is active
2. service tor start
3. search for AVCs

Actual results (enforcing mode):
----
type=PATH msg=audit(11/03/2013 13:50:13.204:634) : item=0 name=/sys/devices/system/cpu inode=1 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/03/2013 13:50:13.204:634) :  cwd=/ 
type=SYSCALL msg=audit(11/03/2013 13:50:13.204:634) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7fd3ccf58351 a1=90800 a2=fffffffffff5c454 a3=7fd3ccdfc240 items=1 ppid=1 pid=7505 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=tor exe=/usr/bin/tor subj=unconfined_u:system_r:tor_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:50:13.204:634) : avc:  denied  { search } for  pid=7505 comm=tor name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----

Expected results:
 * no AVCs
Comment 1 Milos Malik 2013-11-03 12:55:46 UTC 
Actual results (permissive mode):
----
type=PATH msg=audit(11/03/2013 13:54:37.470:637) : item=0 name=/sys/devices/system/cpu inode=22 dev=00:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL 
type=CWD msg=audit(11/03/2013 13:54:37.470:637) :  cwd=/ 
type=SYSCALL msg=audit(11/03/2013 13:54:37.470:637) : arch=x86_64 syscall=open success=yes exit=3 a0=7f3576206351 a1=90800 a2=fffffffffff5c454 a3=7f35760aa240 items=1 ppid=1 pid=7579 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=tor exe=/usr/bin/tor subj=unconfined_u:system_r:tor_t:s0 key=(null) 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { open } for  pid=7579 comm=tor name=cpu dev=sysfs ino=22 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { read } for  pid=7579 comm=tor name=cpu dev=sysfs ino=22 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
type=AVC msg=audit(11/03/2013 13:54:37.470:637) : avc:  denied  { search } for  pid=7579 comm=tor name=/ dev=sysfs ino=1 scontext=unconfined_u:system_r:tor_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir 
----
Comment 2 Daniel Walsh 2013-11-04 17:05:16 UTC 
Strange I just saw a bugzilla like this for httpd_sys_script_t which was using perl.
Comment 3 Miroslav Grepl 2013-11-05 13:14:26 UTC 

*** This bug has been marked as a duplicate of bug 1026078 ***
Note You need to log in before you can comment on or make changes to this bug.