Bug 1119082 - bugs in the current policy
Summary: bugs in the current policy
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-13 22:09 UTC by Levente Farkas
Modified: 2014-11-03 08:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-03 08:42:24 UTC



Description Levente Farkas 2014-07-13 22:09:29 UTC
I collected a few bugs in the current RHEL 7 policies:

restorecond (from policycoreutils-restorecond) can't write its own pid into restorecond.pid:
#============= restorecond_t ==============
allow restorecond_t var_run_t:file write;

postfix can't read local .forward files, e.g. /home/lfarkas/.forward, even if I relabel the whole home:
#============= postfix_local_t ==============
allow postfix_local_t home_root_t:file getattr;

shorewall can't write its log file shorewall-init.log:
#============= shorewall_t ==============
allow shorewall_t var_log_t:file { write setattr };

nsd can't patch its zone files from /etc/cron.hourly/nsd:
#============= nsd_crond_t ==============
allow nsd_crond_t nsd_conf_t:file write;
allow nsd_crond_t nsd_var_run_t:file getattr;

Comment 2 Miroslav Grepl 2014-07-16 10:04:28 UTC
Could you attach raw AVC msgs? Thank you.

Comment 3 Levente Farkas 2014-07-16 10:25:52 UTC
nsd:
-----------------------------------
type=USER_START msg=audit(1405328461.099:687): pid=3170 uid=0 auid=0 ses=83 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1405328461.099:688): pid=3170 uid=0 auid=0 ses=83 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1405328683.006:689): avc:  denied  { write } for  pid=3229 comm="nsd-patch" name="client.lenux.hu" dev="dm-0" ino=606618 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nsd_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1405328683.006:689): arch=c000003e syscall=2 success=no exit=-13 a0=7f73bd1b84c8 a1=241 a2=1b6 a3=3 items=0 ppid=3207 pid=3229 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=83 comm="nsd-patch" exe="/usr/sbin/nsd-patch" subj=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1405328683.015:690): avc:  denied  { getattr } for  pid=3207 comm="nsdc" path="/run/nsd/nsd.pid" dev="tmpfs" ino=61687 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=file
-----------------------------------

shorewall:
-----------------------------------
type=AVC msg=audit(1405287844.415:38): avc:  denied  { write } for  pid=897 comm="touch" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1405287844.415:38): arch=c000003e syscall=2 success=no exit=-13 a0=7fff7bc94f3c a1=941 a2=1b6 a3=7fff7bc935b0 items=0 ppid=892 pid=897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1405287844.415:39): avc:  denied  { write } for  pid=897 comm="touch" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1405287844.415:39): arch=c000003e syscall=280 success=no exit=-13 a0=ffffffffffffff9c a1=7fff7bc94f3c a2=0 a3=0 items=0 ppid=892 pid=897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1405287844.432:40): avc:  denied  { setattr } for  pid=898 comm="chmod" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1405287844.432:40): arch=c000003e syscall=268 success=no exit=-13 a0=ffffffffffffff9c a1=244d0f0 a2=180 a3=7fffb03f7a90 items=0 ppid=892 pid=898 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1405287844.449:41): avc:  denied  { write } for  pid=906 comm="touch" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1405287844.449:41): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc2eeaf3c a1=941 a2=1b6 a3=7fffc2eea840 items=0 ppid=903 pid=906 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1405287844.449:42): avc:  denied  { write } for  pid=906 comm="touch" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1405287844.449:42): arch=c000003e syscall=280 success=no exit=-13 a0=ffffffffffffff9c a1=7fffc2eeaf3c a2=0 a3=0 items=0 ppid=903 pid=906 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="touch" exe="/usr/bin/touch" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1405287844.450:43): avc:  denied  { setattr } for  pid=907 comm="chmod" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
-----------------------------------

postfix/sendmail:
-----------------------------------
type=AVC msg=audit(1405285503.096:1035): avc:  denied  { getattr } for  pid=12642 comm="local" path="/home/tkocsis/.forward" dev="dm-1" ino=202233279 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
-----------------------------------

sshd:
-----------------------------------
type=SYSCALL msg=audit(1405275903.750:2136): arch=c000003e syscall=2 success=no exit=-13 a0=7f714744cb30 a1=800 a2=1 a3=7f71411822e0 items=0 ppid=13880 pid=13925 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1405275903.750:2137): pid=13925 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="lfarkas" exe="/usr/sbin/sshd" hostname=? addr=178.164.244.222 terminal=ssh res=failed'
type=AVC msg=audit(1405275903.754:2138): avc:  denied  { read } for  pid=13925 comm="sshd" name="authorized_keys" dev="dm-1" ino=137204145 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1405275903.754:2138): arch=c000003e syscall=2 success=no exit=-13 a0=7f714744a480 a1=800 a2=1 a3=7f71411822e0 items=0 ppid=13880 pid=13925 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1405275903.754:2139): pid=13925 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="lfarkas" exe="/usr/sbin/sshd" hostname=? addr=178.164.244.222 terminal=ssh res=failed'
-----------------------------------

restorecond:
-----------------------------------
type=SERVICE_START msg=audit(1405287255.575:1074): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="restorecond" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1405287255.584:1075): avc:  denied  { write } for  pid=13500 comm="restorecond" name="restorecond.pid" dev="tmpfs" ino=68412 scontext=system_u:system_r:restorecond_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1405287255.584:1075): arch=c000003e syscall=2 success=no exit=-13 a0=7f17e4cd8984 a1=20241 a2=1a4 a3=0 items=0 ppid=1 pid=13500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecond" exe="/usr/sbin/restorecond" subj=system_u:system_r:restorecond_t:s0 key=(null)
-----------------------------------
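
The AVC records in this comment are the raw input that audit2allow condenses into the allow rules quoted in the description. The following Python script is an editor's addition, not part of this bug report or of the selinux-policy project: it performs the same grouping over the denials above (rejoined onto single lines) and, on top of that, flags denials whose target carries a generic directory type (var_run_t, var_log_t, home_root_t) as likely mislabels, which is the situation Comment 4 points at. The set of "generic" types and the `path=`/`name=` extraction are the editor's heuristic assumptions, not anything SELinux itself defines.

```python
import re
from collections import OrderedDict

# AVC records from Comment 3 of this bug, rejoined onto single lines.
# Only type=AVC records carry a denial; the SYSCALL/USER_* records are omitted.
AVC_RECORDS = [
    'type=AVC msg=audit(1405328683.006:689): avc:  denied  { write } for  pid=3229 comm="nsd-patch" name="client.lenux.hu" dev="dm-0" ino=606618 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:nsd_conf_t:s0 tclass=file',
    'type=AVC msg=audit(1405328683.015:690): avc:  denied  { getattr } for  pid=3207 comm="nsdc" path="/run/nsd/nsd.pid" dev="tmpfs" ino=61687 scontext=system_u:system_r:nsd_crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsd_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1405287844.415:38): avc:  denied  { write } for  pid=897 comm="touch" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1405287844.432:40): avc:  denied  { setattr } for  pid=898 comm="chmod" name="shorewall-init.log" dev="dm-0" ino=67760217 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file',
    'type=AVC msg=audit(1405285503.096:1035): avc:  denied  { getattr } for  pid=12642 comm="local" path="/home/tkocsis/.forward" dev="dm-1" ino=202233279 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file',
    'type=AVC msg=audit(1405275903.754:2138): avc:  denied  { read } for  pid=13925 comm="sshd" name="authorized_keys" dev="dm-1" ino=137204145 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file',
    'type=AVC msg=audit(1405287255.584:1075): avc:  denied  { write } for  pid=13500 comm="restorecond" name="restorecond.pid" dev="tmpfs" ino=68412 scontext=system_u:system_r:restorecond_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file',
]

# Pulls the permission set, both security contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Editor's heuristic (an assumption, not policy): these are the default types of
# /run, /var/log and /home themselves. A daemon being denied on a file that still
# carries one of them usually means the file was never relabeled to the daemon's
# own type, so restorecon is the first thing to try, not a new allow rule.
GENERIC_TARGET_TYPES = {'var_run_t', 'var_log_t', 'home_root_t'}


def type_of(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return (source type, target type, class, [perms]) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (type_of(m.group('scontext')), type_of(m.group('tcontext')),
            m.group('tclass'), m.group('perms').split())


def allow_rules(lines):
    """Condense denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        bucket = grouped.setdefault((stype, ttype, tclass), [])
        for perm in perms:
            if perm not in bucket:
                bucket.append(perm)
    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_str};')
    return rules


def suspected_mislabels(lines):
    """Denials whose target type is generic: candidates for relabeling, not for policy."""
    flagged = []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, _tclass, _perms = parsed
        if ttype not in GENERIC_TARGET_TYPES:
            continue
        obj = re.search(r'\b(?:path|name)="([^"]*)"', line)
        entry = (stype, ttype, obj.group(1) if obj else '?')
        if entry not in flagged:
            flagged.append(entry)
    return flagged


if __name__ == '__main__':
    for rule in allow_rules(AVC_RECORDS):
        print(rule)
    for stype, ttype, obj in suspected_mislabels(AVC_RECORDS):
        print(f'# {stype} denied on {obj} labeled {ttype}: '
              f'compare with matchpathcon before writing policy')
```

Run on the records above, the first loop reproduces the four rule sets from the description (plus one for sshd_t, which the description does not list), while the second flags the shorewall, postfix, sshd and restorecond denials: exactly the ones that the `restorecon -Rv /var /run` of Comment 4 and the `/home` relabel of Comment 5 would resolve if the files are indeed mislabeled. The nsd denials are against nsd-specific types and are not flagged, so those are the only ones that genuinely look like a policy gap.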

Comment 4 Milos Malik 2014-10-23 11:59:49 UTC
It seems that you have some mislabeled files on your machine. Please run the following command:

# restorecon -Rv /var /run

Please attach AVCs which happen from now on:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 5 Miroslav Grepl 2014-10-24 11:12:30 UTC
Also what does

$ restorecon -R -v /home

Comment 6 Levente Farkas 2014-10-31 20:56:54 UTC
It's been a long time ago. It was during the RHEL 7 beta period; I can no longer check that system.

