Hide Forgot
Description of problem: * be careful - the scenario causes a reboot of your machine Version-Release number of selected component (if applicable): selinux-policy-3.12.1-103.el7.noarch selinux-policy-devel-3.12.1-103.el7.noarch selinux-policy-doc-3.12.1-103.el7.noarch selinux-policy-minimum-3.12.1-103.el7.noarch selinux-policy-mls-3.12.1-103.el7.noarch selinux-policy-targeted-3.12.1-103.el7.noarch watchdog-5.13-9.el7.x86_64 How reproducible: always Steps to Reproduce: 1. get a RHEL-7.0 machine with targeted policy 2. add following line to /etc/watchdog.conf test-binary = 1 3. service watchdog restart 4. search for AVCs Actual results (enforcing mode): ---- type=PATH msg=audit(11/21/2013 18:49:23.503:534) : item=0 name=/etc/passwd inode=9326547 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL type=CWD msg=audit(11/21/2013 18:49:23.503:534) : cwd=/ type=SYSCALL msg=audit(11/21/2013 18:49:23.503:534) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fbbd799141a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=2524 pid=2526 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:watchdog_t:s0 key=(null) type=AVC msg=audit(11/21/2013 18:49:23.503:534) : avc: denied { read } for pid=2526 comm=sh name=passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file ---- Expected results: * no AVCs
Actual results (permissive mode): ---- type=PATH msg=audit(11/21/2013 18:57:53.770:564) : item=0 name=/etc/passwd inode=9326547 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL type=CWD msg=audit(11/21/2013 18:57:53.770:564) : cwd=/ type=SYSCALL msg=audit(11/21/2013 18:57:53.770:564) : arch=x86_64 syscall=open success=yes exit=1 a0=0x7f4bd0b3b41a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x0 items=1 ppid=2933 pid=2935 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:watchdog_t:s0 key=(null) type=AVC msg=audit(11/21/2013 18:57:53.770:564) : avc: denied { open } for pid=2935 comm=sh path=/etc/passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file type=AVC msg=audit(11/21/2013 18:57:53.770:564) : avc: denied { read } for pid=2935 comm=sh name=passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file ---- type=SYSCALL msg=audit(11/21/2013 18:57:53.770:565) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7fff2e6d8da0 a2=0x7fff2e6d8da0 a3=0x0 items=0 ppid=2933 pid=2935 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/bash subj=system_u:system_r:watchdog_t:s0 key=(null) type=AVC msg=audit(11/21/2013 18:57:53.770:565) : avc: denied { getattr } for pid=2935 comm=sh path=/etc/passwd dev="vda3" ino=9326547 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file ----
Already added to Fedora.
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.