Bug 156334 - rhgb denied by rhgb_t with mounton to /etc/rhgb/temp
rhgb denied by rhgb_t with mounton to /etc/rhgb/temp
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-28 20:11 EDT by Che Gonzalez
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-29 13:50:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Che Gonzalez 2005-04-28 20:11:04 EDT
Description of problem:

At first, I thought of logging this bug in as an selinux bug since testing my
strict policy fails on the line "allow rhgb_t etc_t:dir mounton;".  However
after looking at the log entry below, I wondered if any process, other than some
remote workstation process, should have mounton anywhere near /etc.  

Apr 28 19:32:54 xix kernel: audit(1114716755.277:0): avc:  denied  { mounton }
for  path=/etc/rhgb/temp dev=dm-0 ino=17467378 scontext=system_u:system_r:rhgb_t
tcontext=system_u:object_r:etc_t tclass=dir

Version-Release number of selected component (if applicable):
rhgb-0.16.2-3

How reproducible:
On Boot

Steps to Reproduce:
1. Set selinux policy to strict and permissive
2. Reboot
3. See /var/log/messages for avc message of rhgb_t accessing /etc/rhgb/temp
  
Actual results:
rhgb_t attempts to access /etc/rhgb/temp

Expected results:
rhgb_t should access /tmp/rhgb

Additional info:
maybe a strict policy update is required for rhgb
Comment 1 David Zeuthen 2005-04-28 20:39:17 EDT
Reassigned to selinux-policy-strict.
Comment 2 Daniel Walsh 2005-04-29 13:50:27 EDT
/etc/rhgb/temp is mislabeled.  Should be mnt_t

restorecon -R -v /etc/rhgb

Note You need to log in before you can comment on or make changes to this bug.