Bug 1409774 - Selinux denies for sa1
Summary: Selinux denies for sa1
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: 6.9
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-01-03 10:29 UTC by Supreet
Modified: 2020-02-14 18:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-04 15:16:20 UTC
Target Upstream Version:



Description Supreet 2017-01-03 10:29:45 UTC
Description of problem:

Getting only AVC denials for sa1 file when running sa1 manually or when it runs via anacron.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-292.el6.noarch   

Steps to Reproduce:
1. Run this command: /usr/lib64/sa/sa1 1 1
2. Check AVC logs


Actual results:
type=USER_ACCT msg=audit(1482316321.113:139682): user pid=114180 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1482316321.113:139683): user pid=114180 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1482316321.115:139684): pid=114180 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old auid=4294967295 new auid=0 old ses=4294967295 new ses=12572
type=USER_START msg=audit(1482316321.120:139685): user pid=114180 uid=0 auid=0 ses=12572 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1482316321.128:139686): avc:  denied  { getattr } for  pid=114183 comm="sa1" path="/root" dev=dm-0 ino=1044482 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1482316321.128:139686): arch=c000003e syscall=4 success=no exit=-13 a0=2103f30 a1=7ffefd80c710 a2=7ffefd80c710 a3=3f6ef28f30 items=0 ppid=114182 pid=114183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12572 comm="sa1" exe="/bin/bash" subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)

Expected results:
No messages

Comment 4 Lukas Vrabec 2017-01-04 15:16:20 UTC
Red Hat Enterprise Linux version 6 is in the Production 2 phase of its lifetime
and this bug doesn't meet the criteria for it, i.e. only high severity issues
will be fixed. Please see
https://access.redhat.com/support/policy/updates/errata/ for further
information.

This issue is fixed in Red Hat Enterprise Linux version 7.

You can fix this issue using a local SELinux module.

$ cat sysstat_custom.te
policy_module(sysstat_custom, 1.0)

gen_require(`
    type sysstat_t;
')

userdom_search_admin_dir(sysstat_t)

$ make -f /usr/share/selinux/devel/Makefile sysstat_custom.pp
# semodule -i sysstat_custom.pp
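
The following Python is an added example, not part of the bug report or of the selinux-policy sources. It pairs the AVC and SYSCALL records from the report by audit event ID and prints the raw allow rule that matches the denied access, for comparison with what a local module grants; the names parse_denials, allow_rule and fields are made up for this example.

```python
import re
from collections import defaultdict

# AVC and SYSCALL records copied from the report above (same audit event ID).
SAMPLE = r'''type=AVC msg=audit(1482316321.128:139686): avc:  denied  { getattr } for  pid=114183 comm="sa1" path="/root" dev=dm-0 ino=1044482 scontext=system_u:system_r:sysstat_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1482316321.128:139686): arch=c000003e syscall=4 success=no exit=-13 a0=2103f30 a1=7ffefd80c710 a2=7ffefd80c710 a3=3f6ef28f30 items=0 ppid=114182 pid=114183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=12572 comm="sa1" exe="/bin/bash" subj=system_u:system_r:sysstat_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    """Split key=value pairs, dropping the quotes auditd puts around strings."""
    return {k: v.strip('"') for k, v in KV.findall(text)}

def parse_denials(log_text):
    """Return one dict per AVC denial, joined with its SYSCALL record if present."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "AVC" and (d := DENIED.search(body)):
            events[event_id]["avc"] = dict(fields(d.group(2)), perms=d.group(1).split())
        elif rtype == "SYSCALL":
            events[event_id]["syscall"] = fields(body)
    denials = []
    for ev in events.values():
        if "avc" not in ev:
            continue
        avc, sc = ev["avc"], ev.get("syscall", {})
        denials.append({
            "source": avc["scontext"].split(":")[2],  # type is the third context field
            "target": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "perms": avc["perms"],
            "path": avc.get("path"), "comm": avc.get("comm"),
            "exe": sc.get("exe"), "exit": sc.get("exit"),  # -13 is -EACCES
        })
    return denials

def allow_rule(d):
    """Format the raw type-enforcement rule matching exactly the denied access."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(f"{d['comm']} ({d['exe']}) on {d['path']}: {allow_rule(d)}")
```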

