Bug 1534182 - aide requires "map" privilege
Summary: aide requires "map" privilege
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-13 21:42 UTC by Alan Hamilton
Modified: 2019-04-29 09:19 UTC (History)
CC: 6 users

Fixed In Version: selinux-policy-3.13.1-283.24.fc27 selinux-policy-3.13.1-284.37.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-08 15:34:16 UTC



Description Alan Hamilton 2018-01-13 21:42:11 UTC
Description of problem:
When running from cron/anacron, all aide checks fail with avc violations:
type=AVC msg=audit(1515754088.650:51467): avc:  denied  { map } for  pid=10774 comm="aide" path="/usr/share/doc/kbd/ANSI-dvorak.gif" dev="xvda1" ino=402604 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

This occurs for every file checked.

Version-Release number of selected component (if applicable):
aide-0.16-4.fc27.x86_64
selinux-policy-3.13.1-283.21.fc27.noarch

How reproducible:
Whenever aide is run confined. Unconfined runs and runs with setenforce 0 succeed.

Steps to Reproduce:
1. Set up aide to scan the filesystem for changes.
2. Schedule aide to run in anacron

Actual results:
The run returns access denied for all files, and the above AVC message for each file checked.

Expected results:
A summary of changed files.

Additional info:
This appears related to the upstream selinux change https://github.com/SELinuxProject/selinux-kernel/commit/6941857e82ae3da11373c9d80d75cdc10a5caafc which broke out the "map" privilege from the "read" privilege. Since aide mmaps the files it checks, it needs "map all files" in addition to "read all files".
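The report above distinguishes two access patterns that SELinux now checks separately: a plain read() of a file (file:read) and an mmap() of it (file:map). The following probe is an added example, not code from the bug report or from aide itself; it hashes a file both ways and records which step fails and with what errno, so that a run from a confined domain can be classified as "read denied" or "map denied". Under SELinux in enforcing mode the failing mmap() surfaces as PermissionError with errno EACCES, matching the AVC records quoted in the report; on a host without SELinux, or in permissive mode, both paths succeed and produce the same digest. The demo input is a constructed temporary file.

```python
import errno
import hashlib
import mmap
import os
import tempfile


def hash_via_read(path, chunk=1 << 20):
    """Hash a file with read(2) only; needs file:read on the target label."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_via_mmap(path):
    """Hash a file through an mmap(2) mapping; needs file:map as well as file:read."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        if size == 0:
            # Linux refuses to map an empty file; nothing to hash either way.
            return h.hexdigest()
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            h.update(m)  # mmap objects support the buffer protocol
    return h.hexdigest()


def probe(path):
    """Try both access patterns on `path`.

    Returns {'read': (status, detail), 'map': (status, detail)} where status is
    'ok' (detail = hex digest) or 'denied' (detail = errno name such as 'EACCES').
    """
    result = {}
    for name, fn in (("read", hash_via_read), ("map", hash_via_mmap)):
        try:
            result[name] = ("ok", fn(path))
        except OSError as e:  # PermissionError is the SELinux-denial case
            result[name] = ("denied", errno.errorcode.get(e.errno, str(e.errno)))
    return result


def diagnose(result):
    """Map a probe result onto the permission that is missing, if any."""
    read_ok = result["read"][0] == "ok"
    map_ok = result["map"][0] == "ok"
    if read_ok and map_ok:
        return "allowed"
    if read_ok and not map_ok:
        return "map-denied"  # the situation in this bug: read granted, map not
    return "read-denied"


def demo_probe():
    """Run the probe on a constructed temp file (hypothetical content, not from the page)."""
    data = b"aide test payload\n" * 4096
    expected = hashlib.sha256(data).hexdigest()
    fd, path = tempfile.mkstemp(prefix="aide-map-probe-")
    try:
        os.write(fd, data)
        os.close(fd)
        result = probe(path)
        return result, diagnose(result), expected
    finally:
        os.unlink(path)


if __name__ == "__main__":
    res, verdict, _ = demo_probe()
    print(verdict, res)
```

Run it as the confined process would run (for example from the same cron job) to tell a missing "map" grant from a missing "read" grant without reading the audit log; the verdict "map-denied" is exactly what the AVC records in this report describe.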

Comment 1 Fedora Update System 2018-01-30 16:40:25 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 2 Fedora Update System 2018-01-31 22:44:30 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 3 John Horne 2018-02-02 12:20:04 UTC
I'm still seeing a lot of AVC denials for aide. This is just a short copy/paste taken from the audit log file:

==================
type=AVC msg=audit(1517573596.990:90842): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/grub2-set-default" dev="sda5" ino=3408710 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90843): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/rtcwake" dev="sda5" ino=3414137 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90844): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/selinuxenabled" dev="sda5" ino=3420379 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90845): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/btrfs-map-logical" dev="sda5" ino=3409700 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90846): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/smartctl" dev="sda5" ino=3460902 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90847): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/chcpu" dev="sda5" ino=3431555 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90848): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/at/.SEQ" dev="sda5" ino=5638750 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90849): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/root" dev="sda5" ino=5767495 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90850): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/exim" dev="sda5" ino=5767452 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90851): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/john" dev="sda5" ino=5768173 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
==================


rpm -q selinux-policy
selinux-policy-3.13.1-283.24.fc27.noarch
rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-283.24.fc27.noarch

Comment 4 Alan Hamilton 2018-02-02 16:34:32 UTC
I'm still seeing the aide "map" avcs too.

Comment 5 Fedora Update System 2018-02-06 15:30:59 UTC
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 John Horne 2018-02-06 16:08:29 UTC
A little bit confused why this has been marked as CLOSED when it still has problems. I included a comment on bodhi as well, but notice that the -1 karma I set has been omitted.
As per comments #2 and #5, problems still persist and I have made a note of them in this bug report. Can it be reopened?

Comment 7 Alan Hamilton 2018-02-06 16:15:00 UTC
Yes, it's still an issue. Reopening.

Comment 8 Alan Hamilton 2018-05-27 23:07:30 UTC
The bugfix added files_mmap_usr_files(aide_t) to aide's rights, but that only allows mmapping files labeled usr_t. Anything else will still fail.
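Comment 3 and comment 8 together make the point: the denials span several target types (usr_t, bin_t, bootloader_exec_t, fsadm_exec_t, user_cron_spool_t), so a grant scoped to usr_t leaves most of them in place. The script below is an added example, not part of the bug report or of the selinux-policy package; it aggregates AVC records into (source type, target type, class) -> permissions, prints the equivalent allow rules, and reports which denials a given set of grants would still leave uncovered. The sample records are copied from comment 0 and comment 3 and embedded inline so the script runs offline; the `uncovered` helper and its grant tuples are this example's own convention, not an audit2allow feature.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (comment 0 and comment 3).
SAMPLE_AVCS = """\
type=AVC msg=audit(1515754088.650:51467): avc:  denied  { map } for  pid=10774 comm="aide" path="/usr/share/doc/kbd/ANSI-dvorak.gif" dev="xvda1" ino=402604 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90842): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/grub2-set-default" dev="sda5" ino=3408710 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90843): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/rtcwake" dev="sda5" ino=3414137 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90846): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/smartctl" dev="sda5" ino=3460902 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90848): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/at/.SEQ" dev="sda5" ino=5638750 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90849): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/root" dev="sda5" ino=5767495 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
"""

# Matches the fields of an AVC denial that determine the needed allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type (the only part an allow rule keys on)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Aggregate denials into {(source_type, target_type, tclass): {perm, ...}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a truncated record)
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def allow_rules(rules):
    """Render the aggregated denials as policy-language allow statements."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in rules.items()
    )


def uncovered(rules, granted):
    """Denials not satisfied by `granted`, a set of (source, target, tclass, perm) tuples."""
    left = defaultdict(set)
    for (s, t, c), perms in rules.items():
        for p in perms:
            if (s, t, c, p) not in granted:
                left[(s, t, c)].add(p)
    return dict(left)


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    print("\n".join(allow_rules(rules)))
    # What the first fix (mmap of usr_t only) leaves behind:
    still = uncovered(rules, {("aide_t", "usr_t", "file", "map")})
    print("still denied after usr_t-only grant:", sorted(t for (_, t, _) in still))
```

Against the sample, the usr_t-only grant clears one of five (target type, class) pairs; the remaining denials on bin_t, bootloader_exec_t, fsadm_exec_t and user_cron_spool_t are the ones comment 8 describes. For a file-integrity checker that must read every label on the system, a grant per target type is the wrong shape; the denial set itself shows that the permission has to be granted across all file types.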

Comment 9 Fedora Update System 2018-07-27 09:23:15 UTC
selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 10 Fedora Update System 2018-07-27 15:39:21 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 11 Fedora Update System 2018-08-08 15:34:16 UTC
selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
