1599382 – Aide unusable because of SELinux

Bug 1599382 - Aide unusable because of SELinux

Summary: Aide unusable because of SELinux

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	28
Hardware:	All
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1758140
TreeView+	depends on / blocked

Reported:	2018-07-09 16:18 UTC by Chirado OHG
Modified:	2019-10-03 18:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1758140 (view as bug list)
Environment:
Last Closed:	2018-09-11 16:54:58 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Chirado OHG 2018-07-09 16:18:23 UTC

Description of problem:
SELinux is preventing aide from checking hundreds of files.

Version-Release number of selected component (if applicable):
1. selinux-policy-targeted-3.14.1-32.fc28.noarch
2. aide-0.16-5

How reproducible:

Steps to Reproduce:
1. Initialise aide's database (i. e. /usr/sbin/aide -c /etc/aide.conf --init && /bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz)

2. Let aide check the files against it's database (aide -c /etc/aide.conf -C)

Actual results:
A huge amount of errors like
type=AVC msg=audit(1529979348.821:429316): avc:  denied  { map } for  pid=27182 comm="aide" path="/usr/share/hwdata/oui.txt" dev="vda6" ino=107679 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1529979652.040:430252): avc:  denied  { map } for  pid=27182 comm="aide" path="/usr/share/man/man0p/stdarg.h.0p.gz" dev="vda6" ino=90246 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:man_t:s0 tclass=file permissive=0
...
type=AVC msg=audit(1529979193.086:428622): avc:  denied  { map } for  pid=27182 comm="aide" path="/usr/sbin/rtkitctl" dev="vda6" ino=262735 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
... ({ map } for files everywhere like /etc/, /usr/ and so on)

type=AVC msg=audit(1529978790.337:422685): avc:  denied  { getattr } for  pid=27182 comm="aide" path="/dev/vda" dev="devtmpfs" ino=12834 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1529978790.337:422686): avc:  denied  { getattr } for  pid=27182 comm="aide" path="/dev/uhid" dev="devtmpfs" ino=12017 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
... ( { getattr } for files in /dev/ only)

Expected results:
SELinux should not prevent aide from checking the files

Additional info:

Comment 1 Fedora Update System 2018-07-30 10:08:54 UTC

selinux-policy-3.14.1-37.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2fc5a1fab

Comment 2 Fedora Update System 2018-07-30 19:38:56 UTC

selinux-policy-3.14.1-37.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2fc5a1fab

Comment 3 Chirado OHG 2018-08-01 15:11:55 UTC

With "selinux-policy-3.14.1-37.fc28" the problem is partly solved. All errors regarding "{ map }" are gone, but checking files in /dev/ still causes errors like 

type=AVC msg=audit(1533090165.658:1531523): avc:  denied  { getattr } for  pid=2521 comm="aide" path="/dev/tty4" dev="devtmpfs" ino=10404 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

AFAIK there's a interface call with could be used to allow aide_t to use { getattr } for files beiing located in /dev/. Is there any reason why this had not been done with "selinux-policy-3.14.1-37.fc28"? Am I missing something?

Comment 4 Fedora Update System 2018-08-01 17:41:57 UTC

selinux-policy-3.14.1-37.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Chirado OHG 2018-08-02 11:37:21 UTC

 The problem still exists as mentioned ion comment 3.

Comment 6 Fedora Update System 2018-09-06 21:56:18 UTC

selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 7 Fedora Update System 2018-09-07 17:11:46 UTC

selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 8 Fedora Update System 2018-09-11 16:54:58 UTC

selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.