Bug 1147698 - libStorageMgmt: SELinux is preventing /usr/bin/lsmd from getattr access on the file <foo>
Summary: libStorageMgmt: SELinux is preventing /usr/bin/lsmd from getattr access on th...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1147699
Reported: 2014-09-29 21:58 UTC by Tony Asleson
Modified: 2014-10-02 11:29 UTC (History)

Fixed In Version:
Clone Of:
Clones: 1147699
Environment:
Last Closed: 2014-10-02 11:29:37 UTC
Type: Bug
Embargoed:



Description Tony Asleson 2014-09-29 21:58:05 UTC
Description of problem:

The libStorageMgmt daemon recursively walks the directory given to it looking for plug-ins (default /usr/bin).  During this process it is calling 'stat' on each item in the directory to see if an item is a directory, in which case it recursively processes that directory as well.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. sudo systemctl start libstoragemgmt-service

Actual results:
SELinux alerts


Expected results:
No SELinux alerts


Additional info:

Comment 1 Lukas Vrabec 2014-09-30 07:11:36 UTC
Could you paste AVCs?

Comment 2 Tony Asleson 2014-09-30 14:31:40 UTC
(In reply to Lukas Vrabec from comment #1)
> Could you paste AVCs?

Sure

One of these is generated for every file in /usr/bin as lsmd is walking the directory looking for plug-ins.


SELinux is preventing /usr/bin/lsmd from getattr access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lsmd should be allowed getattr access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:lsmd_t:s0
Target Context                system_u:object_r:abrt_watch_log_exec_t:s0
Target Objects                 [ file ]
Source                        lsmd
Source Path                   /usr/bin/lsmd
Port                          <Unknown>
Host                          f20
Source RPM Packages           libstoragemgmt-1.0.0-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-179.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f20
Platform                      Linux f20 3.15.7-200.fc20.x86_64 #1 SMP Mon Jul 28
                              18:50:26 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-09-30 09:24:06 CDT
Last Seen                     2014-09-30 09:24:06 CDT
Local ID                      34c14fcc-7c36-4691-8e6a-ee4bc7c2146b

Raw Audit Messages
type=AVC msg=audit(1412087046.810:764): avc:  denied  { getattr } for  pid=26816 comm="lsmd" path="/usr/bin/abrt-watch-log" dev="sda3" ino=1045777 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:abrt_watch_log_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1412087046.810:764): arch=x86_64 syscall=stat success=yes exit=0 a0=7f62d45bd050 a1=7fffb651a0b0 a2=7fffb651a0b0 a3=e items=0 ppid=1 pid=26816 auid=4294967295 uid=990 gid=985 euid=990 suid=990 fsuid=990 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)

Hash: lsmd,lsmd_t,abrt_watch_log_exec_t,file,getattr
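The description above explains why the daemon hits one getattr denial per file in /usr/bin, and the raw audit messages in this comment show what such a denial looks like. The following is an added example (not code from this bug report, from libStorageMgmt, or from the SELinux tooling) that parses audit records of exactly this form: it pairs each AVC record with its SYSCALL record by audit serial, collapses the denials to one access vector per (source type, target type, class) the way audit2allow groups them, reproduces the comma-joined signature printed in the "Hash:" line above, and flags denials whose paired syscall nevertheless reports success=yes. The first two sample records are the ones quoted in this comment; the records with serial 765, the path /usr/bin/example-plugin and the bin_t target are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log. The serial-764 pair is the AVC/SYSCALL pair quoted in
# comment 2 of this bug; the serial-765 pair (path and bin_t target) is made up
# here to show denials against a second target type being grouped separately.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1412087046.810:764): avc:  denied  { getattr } for  pid=26816 comm="lsmd" path="/usr/bin/abrt-watch-log" dev="sda3" ino=1045777 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:abrt_watch_log_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1412087046.810:764): arch=x86_64 syscall=stat success=yes exit=0 a0=7f62d45bd050 a1=7fffb651a0b0 a2=7fffb651a0b0 a3=e items=0 ppid=1 pid=26816 auid=4294967295 uid=990 gid=985 euid=990 suid=990 fsuid=990 egid=985 sgid=985 fsgid=985 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1412087046.812:765): avc:  denied  { getattr } for  pid=26816 comm="lsmd" path="/usr/bin/example-plugin" dev="sda3" ino=1045999 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1412087046.812:765): arch=x86_64 syscall=stat success=yes exit=0 items=0 ppid=1 pid=26816 auid=4294967295 uid=990 gid=985 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)
"""

HEADER_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)")
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text):
    """Turn 'a=1 b="x y" c=(none)' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_audit_log(text):
    """Group AVC and SYSCALL records by audit serial.

    Returns {serial: {"avc": [record, ...], "syscall": record_or_None}}. The
    serial (the number after the colon in msg=audit(ts:serial)) is what ties a
    denial to the system call that triggered it.
    """
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m or m.group("type") not in ("AVC", "SYSCALL"):
            continue
        ev = events.setdefault(m.group("serial"), {"avc": [], "syscall": None})
        body = m.group("body")
        if m.group("type") == "AVC":
            a = AVC_RE.match(body)
            if a:
                rec = _kv(a.group("rest"))
                rec["result"] = a.group("result")
                rec["perms"] = a.group("perms").split()
                ev["avc"].append(rec)
        else:
            ev["syscall"] = _kv(body)
    return events


def summarize_denials(events):
    """One access vector per (source type, target type, class) with the union
    of denied permissions: the granularity at which audit2allow emits rules."""
    vectors = defaultdict(set)
    for ev in events.values():
        for rec in ev["avc"]:
            if rec["result"] != "denied":
                continue
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            vectors[key].update(rec["perms"])
    return {k: sorted(v) for k, v in vectors.items()}


def render_allow_rules(vectors):
    """Render each access vector as a policy-language allow rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(vectors.items())]


def setroubleshoot_signature(rec):
    """comm,source type,target type,class,permissions: the comma-joined fields
    that appear in the 'Hash:' line of the alert quoted in comment 2."""
    return ",".join([rec["comm"], type_of(rec["scontext"]), type_of(rec["tcontext"]),
                     rec["tclass"], ",".join(rec["perms"])])


def denied_but_succeeded(events):
    """Serials whose AVC says 'denied' while the paired SYSCALL record says
    success=yes. The record in comment 2 has this shape; it is what a
    permissive domain (or permissive mode) produces, since the denial is logged
    but the call is let through. Check `semanage permissive -l` before reading
    such a denial as an actual failure of the daemon."""
    hits = []
    for serial, ev in events.items():
        sc = ev["syscall"]
        if sc and sc.get("success") == "yes" and any(r["result"] == "denied" for r in ev["avc"]):
            hits.append(serial)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(summarize_denials(evs)):
        print(rule)
    print("denied-but-succeeded serials:", denied_but_succeeded(evs))
```

The grouping is the reason the catchall plugin's advice to report rather than locally allow matters here: because the daemon stats every entry under /usr/bin, a local module built with audit2allow would contain one rule per executable type the walk happened to touch (abrt_watch_log_exec_t on this host, others elsewhere), and would change with every package installed. A policy fix scoped to the plug-in directory, which is the route the commit in comment 3 takes, does not have that problem.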

Comment 3 Miroslav Grepl 2014-10-02 11:29:37 UTC
commit f763fb595f9ac5fedb6461b20804d2d6738abcae
Author: Miroslav Grepl <mgrepl>
Date:   Thu Oct 2 13:29:15 2014 +0200

    Allow lsmd to search own plugins.

