1554087 – minidlna service runs as unconfined_service_t because of wrong file context pattern

Bug 1554087 - minidlna service runs as unconfined_service_t because of wrong file context pattern

Summary: minidlna service runs as unconfined_service_t because of wrong file context p...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	27
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-03-11 11:29 UTC by Milos Malik
Modified:	2018-09-07 18:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.13.1-283.28.fc27
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-03-20 18:17:26 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Milos Malik 2018-03-11 11:29:34 UTC

Description of problem:
SELinux policy defines following file context pattern:

# semanage fcontext -l | grep minidlna_exec_t
/usr/sbin/minidlna                                 regular file       system_u:object_r:minidlna_exec_t:s0 
#

but the minidlna package does not bring such a file. The package brings a /usr/sbin/minidlnad file which is labeled bin_t, but it should be labeled minidlna_exec_t.

Version-Release number of selected component (if applicable):
minidlna-1.2.1-1.fc27.x86_64
selinux-policy-3.13.1-283.26.fc27.noarch
selinux-policy-targeted-3.13.1-283.26.fc27.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 27 machine (targeted policy is active)
2. install RPMfusion free repositories
3. install the minidlna package
4. start the minidlna service
5. search for SELinux denials

Actual results:
* the minidlna service runs as unconfined_service_t

Expected results:
* the minidlna service runs as minidlna_t and it does not trigger SELinux denials in default configuration

Additional info:
* if /usr/sbin/minidlnad is labeled minidlna_exec_t, then following SELinux denials appear in permissive mode:
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:329): avc:  denied  { read } for  pid=2051 comm="minidlnad" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:330): avc:  denied  { read } for  pid=2051 comm="minidlnad" name="meminfo" dev="sysfs" ino=660 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:331): avc:  denied  { open } for  pid=2051 comm="minidlnad" path="/sys/devices/system/node/node0/meminfo" dev="sysfs" ino=660 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:332): avc:  denied  { getattr } for  pid=2051 comm="minidlnad" path="/sys/devices/system/node/node0/meminfo" dev="sysfs" ino=660 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.288:333): avc:  denied  { read } for  pid=2051 comm="minidlnad" name="unix" dev="proc" ino=4026532057 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.289:334): avc:  denied  { create } for  pid=2051 comm="minidlnad" scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:system_r:minidlna_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.289:335): avc:  denied  { ioctl } for  pid=2051 comm="minidlnad" path="socket:[25584]" dev="sockfs" ino=25584 ioctlcmd=0x8933 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:system_r:minidlna_t:s0 tclass=unix_dgram_socket permissive=1
----

Comment 1 Fedora Update System 2018-03-12 18:12:49 UTC

selinux-policy-3.13.1-283.28.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424

Comment 2 Fedora Update System 2018-03-12 18:19:18 UTC

selinux-policy-3.13.1-283.28.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424

Comment 3 Fedora Update System 2018-03-14 01:35:52 UTC

selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424

Comment 4 Fedora Update System 2018-03-20 18:17:26 UTC

selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.