Bug 145033 - Reading the SElinux config: ssh, dhcp, httpd
Reading the SElinux config: ssh, dhcp, httpd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-13 16:18 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-20 13:24:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ivan Gyurdiev 2005-01-13 16:18:40 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Various things try to read the SElinux config and fail.

DHCP:
====
audit(1105648184.064:0): avc:  denied  { read } for  pid=2592
exe=/bin/cp name=config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648184.064:0): avc:  denied  { getattr } for  pid=2592
exe=/bin/cp path=/etc/selinux/config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648196.549:0): avc:  denied  { read } for  pid=2991
exe=/bin/cp name=config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648196.549:0): avc:  denied  { getattr } for  pid=2991
exe=/bin/cp path=/etc/selinux/config dev=dm-0 ino=669241
scontext=system_u:system_r:dhcpc_t
tcontext=system_u:object_r:selinux_config_t tclass=file


HTTPD:
======
audit(1105648202.127:0): avc:  denied  { search } for  pid=3021
exe=/usr/sbin/httpd name=selinux dev=dm-0 ino=667342
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=dir

audit(1105648202.127:0): avc:  denied  { read } for  pid=3021
exe=/usr/sbin/httpd name=config dev=dm-0 ino=669241
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648202.128:0): avc:  denied  { getattr } for  pid=3021
exe=/usr/sbin/httpd path=/etc/selinux/config dev=dm-0 ino=669241
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:selinux_config_t tclass=file

SSH:
====
audit(1105648224.294:0): avc:  denied  { read } for  pid=3654
exe=/usr/bin/ssh-agent name=config dev=dm-0 ino=669241
scontext=user_u:user_r:user_ssh_agent_t
tcontext=system_u:object_r:selinux_config_t tclass=file

audit(1105648224.294:0): avc:  denied  { getattr } for  pid=3654
exe=/usr/bin/ssh-agent path=/etc/selinux/config dev=dm-0 ino=669241
scontext=user_u:user_r:user_ssh_agent_t
tcontext=system_u:object_r:selinux_config_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Always

Steps to Reproduce:
1. Boot with strict policy

Additional info:
Comment 1 Daniel Walsh 2005-01-18 16:47:52 EST
Are you running in permissive mode.  I believe most of these would be
prevented in enforcing mode.  Putting the code in enforcing will might
cause a dontaudit to happen which causes the application to go a
different code patch.  So for instance if I do a ls
/etc/selinux/targeted/ I might get a Denial of search on the directory
and ls will stop.  But in permissive mode, I would get the search
denial plus all the reads of the files under neath it.  So we only
care about AVC messages in enforcing mode.
Comment 2 Ivan Gyurdiev 2005-01-18 17:10:26 EST
This is in permissive mode.
I'll try enforcing too, but last time I did this 
X wouldn't start - will investigate and close bug if necessary.

Comment 3 Ivan Gyurdiev 2005-01-20 13:24:59 EST
Closing bug, will reopen if I see it again.
With execmod changes that I added to X I can now run in enforcing,
and I see very few denials.


Note You need to log in before you can comment on or make changes to this bug.