Description of problem:
When KRB5_TRACE=/dev/stderr kinit admin is run, an AVC denial is logged.

Version-Release number of selected component (if applicable):
krb5-workstation-1.14.3-8.fc24.x86_64
selinux-policy-3.13.1-191.14.fc24.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. dnf install krb5-workstation
2. KRB5_TRACE=/dev/stderr kinit admin
   This will fail with
   kinit: Configuration file does not specify default realm when parsing name admin
   but that does not matter.
3. grep AVC /var/log/audit/audit.log

Actual results:
type=AVC msg=audit(1473925602.153:178): avc: denied { create } for pid=21550 comm="kinit" name="2" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0

Expected results:
No AVC denial.

Additional info:
I've never encountered this issue before today.
Neither have I, nor do I know what could cause it. Perhaps selinux people can tell us more?
This is the same issue that we have been seeing with chrome, basic change to the kernel which is not checking on /proc for create access when an app does a create/write in an open call. Even though you are not allowed to create files in /proc. The next selinux-policy package has added a dontaudit rule for this.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
Was this fix released?
$ sesearch -D -s unconfined_t -t unconfined_t -c file -p create
Found 1 semantic av rules:
   dontaudit unconfined_t unconfined_t : file { create setattr relabelto } ;

$ rpm -q selinux-policy
selinux-policy-3.13.1-191.24.fc24.noarch

Yes, it is.
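Added example, not part of the original bug report or of selinux-policy: a small triage check that parses AVC denial records and tests whether a dontaudit rule, as printed by sesearch, would silence them. It uses the denial and the rule quoted in this report; the second denial is a constructed sample, and the function names are made up for this example.

```python
import re

# The denial and the dontaudit rule exactly as quoted in this bug report.
PAGE_AVC = ('type=AVC msg=audit(1473925602.153:178): avc: denied { create } for '
            'pid=21550 comm="kinit" name="2" '
            'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=file permissive=0')
PAGE_RULE = 'dontaudit unconfined_t unconfined_t : file { create setattr relabelto } ;'
# Constructed sample (not from the report): a denial the rule must not hide.
OTHER_AVC = ('type=AVC msg=audit(1473925700.000:200): avc: denied { write } for '
             'pid=21600 comm="kinit" name="krb5.conf" '
             'scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
             'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
RULE_RE = re.compile(r'dontaudit\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}')

def parse_avc(line):
    """Return the fields of an AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'}.issubset(kv):
        return None
    # An SELinux context is user:role:type[:level]; the type is the third field.
    return {'perms': set(m.group(1).split()), 'comm': kv.get('comm'),
            'stype': kv['scontext'].split(':')[2],
            'ttype': kv['tcontext'].split(':')[2], 'tclass': kv['tclass']}

def parse_dontaudit(rule):
    """Parse one 'dontaudit source target : class { perms }' line from sesearch."""
    m = RULE_RE.search(rule)
    if not m:
        return None
    stype, ttype, tclass, perms = m.groups()
    return {'stype': stype, 'ttype': ttype, 'tclass': tclass, 'perms': set(perms.split())}

def silenced_by(avc, rule):
    """True if every denied permission in the record is covered by the rule.
    Assumption: types are compared literally; attributes are not expanded."""
    return (avc['stype'] == rule['stype'] and avc['ttype'] == rule['ttype']
            and avc['tclass'] == rule['tclass'] and avc['perms'] <= rule['perms'])

if __name__ == '__main__':
    rule = parse_dontaudit(PAGE_RULE)
    for line in (PAGE_AVC, OTHER_AVC):
        avc = parse_avc(line)
        print(avc['comm'], sorted(avc['perms']), avc['ttype'], silenced_by(avc, rule))
```

A dontaudit rule only stops the denial from being logged; the access itself is still denied.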