This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 172496 - (selinux) AVCs with targeted policy on clean system (some pam_abl related)
(selinux) AVCs with targeted policy on clean system (some pam_abl related)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks: FC5Blocker
  Show dependency treegraph
 
Reported: 2005-11-05 04:15 EST by Nicolas Mailhot
Modified: 2007-11-30 17:11 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-12-13 10:06:53 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
selinux logs (4.40 KB, application/x-bzip2)
2005-11-05 04:22 EST, Nicolas Mailhot
no flags Details
More audit logs that show the problem (5.26 KB, text/plain)
2005-11-13 05:48 EST, Nicolas Mailhot
no flags Details
audit.log for selinux-policy-targeted-2.0.3-1 (3.25 KB, application/x-bzip2)
2005-11-22 15:10 EST, Nicolas Mailhot
no flags Details
Relevant parts from audit.log (5.70 KB, text/plain)
2005-11-22 15:26 EST, Robert Scheck
no flags Details
audit.log for selinux-policy-targeted-2.0.6-2 (3.47 KB, application/x-bzip2)
2005-11-29 16:25 EST, Nicolas Mailhot
no flags Details
Clean audit.log for selinux-policy-targeted-2.0.8-1 (30.39 KB, application/x-bzip)
2005-12-04 09:10 EST, Nicolas Mailhot
no flags Details

  None (edit)
Description Nicolas Mailhot 2005-11-05 04:15:25 EST
Description of problem:

I installed pam_abl following the readme instructions on a Fedora Devel system
(the /etc/pam.d/system-auth integration probably need some work to avoid silent
disabling BTW)

After 12h I check it and nothing been's blacklisted (not normal - my box is
attacked way more often than that)

/var/log/secure writes (several times) :

Nov  4 20:53:59 rousalka pam_abl[12575]: Permission denied (13) while opening or
creating database

Looking in /var/log/audit/audit.log I see many many /var/lib/abl/ related
messages (too many to exctract sanely, I'll just attach the whole log to this
message)

So it seems pam_abl is not selinux compatible right now. As they are both
security tools, this is somehow disquieting
Comment 1 Nicolas Mailhot 2005-11-05 04:22:01 EST
Created attachment 120753 [details]
selinux logs

selinux logs with pam_abl related messages
Comment 2 Nicolas Mailhot 2005-11-05 05:07:10 EST
Can /var/lib/abl/ access be added to the pam auth security context ? (if such a
thing exists)
Comment 3 Robert Scheck 2005-11-05 07:19:22 EST
I had to add the following rules (I know, my way is a very dirty hack) to make 
it working for login/su, saslauthd and ftpd.

allow sysadm_su_t var_lib_t:file { getattr read write };
dontaudit sysadm_su_t etc_runtime_t:file { getattr read };
allow saslauthd_t var_lib_t:file { getattr read write };
dontaudit saslauthd_t etc_runtime_t:file { getattr read };
allow saslauthd_t usr_t:lnk_file read;
dontaudit saslauthd_t tmp_t:dir getattr;
allow ftpd_t var_lib_t:file { getattr read write };
dontaudit ftpd_t etc_runtime_t:file { getattr read };
allow ftpd_t var_lib_t:dir search;

I guess, a more clean solution would be a pam auth security context (if 
existing) or a own label/file context for /var/lib/abl(/.*)?. Maybe somebody 
from the SELinux team knows even a better solution?!
Comment 4 Nicolas Mailhot 2005-11-05 08:10:16 EST
Whatever the solution is, it needs to be packaged somewhat (either in the
general policy or in pam_abl)

Right now installing on Fedora with default settings results in pam_abl being
silently disabled. So the package is very much crippleware at this stage (not
really your fault, I know)

Let's try to fix this before FC5
Comment 5 Daniel Walsh 2005-11-07 11:43:32 EST
Fixed in selinux-policy-targeted-1.27.2-16

Add new type for this dirctory var_auth_t, and allow authentication programs rw
access to files in the directory.
Comment 6 Nicolas Mailhot 2005-11-12 13:37:34 EST
Seems ok now but I'll test it a little bit more before closing
Comment 7 Robert Scheck 2005-11-12 18:44:22 EST
Switching from non-root user to root using "su -", I get "Permission denied (13) 
while opening or creating database" anyway. 
Comment 8 Nicolas Mailhot 2005-11-12 19:38:34 EST
This looks like the problem I had before.
I ran a few minutes in non-enforcing mode, perhaps it created the db at this time

Should probably nuke pam_abl files and check it can recreate them
Comment 9 Nicolas Mailhot 2005-11-13 05:46:19 EST
After more thorough testing it looks like you're right, the problem is not fixed
at all

After a fresh reboot /var/log/secure starts with

Nov 13 11:20:54 rousalka pam_abl[8271]: Permission denied (13) while opening or
creating database
Nov 13 11:20:54 rousalka pam_abl[8271]: Permission denied (13) while opening or
creating database

And dovecot for example can not access the db
Comment 10 Nicolas Mailhot 2005-11-13 05:48:32 EST
Created attachment 120999 [details]
More audit logs that show the problem
Comment 11 Robert Scheck 2005-11-13 06:47:39 EST
Seems to be a bigger problem which needs more time to get solved. Personally,
my server system is only running proftpd, saslauthd, "su" and imapd (uw-imap), 
where pam_abl problems are affected.

The problems, I have, are occurred with a vanilla version of selinux-targeted-
policy-1.27.2-19. For each program or daemon I where I get "Permission denied 
(13) while opening or creating database", the audit log is written below and my 
hack how it works for me.

ProFTPD:
> type=AVC msg=audit(1131736005.028:1735): avc:  denied  { search } for  
pid=7858 comm="proftpd" name="lib" dev=cciss/c0d0p2 ino=212993 scontext=root:
system_r:ftpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=SYSCALL msg=audit(1131736005.028:1735): arch=40000003 syscall=195 
success=no exit=-13 a0=8313700 a1=bfe12cdc a2=335ff4 a3=64 items=1 pid=7858 
auid=4294967295 uid=0 gid=99 euid=0 suid=0 fsuid=0 egid=0 sgid=99 fsgid=0 
comm="proftpd" exe="/usr/sbin/proftpd"
> type=CWD msg=audit(1131736005.028:1735):  cwd="/"
> type=PATH msg=audit(1131736005.028:1735): item=0 name="/var/lib/abl/hosts.db" 
flags=1  inode=212993 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00

-> allow ftpd_t var_lib_t:dir search; dontaudit ftpd_t etc_runtime_t:file { 
getattr read };

Saslauthd:
> type=AVC msg=audit(1131735915.090:1731): avc:  denied  { read } for  pid=23189 
comm="saslauthd" name="mtab" dev=cciss/c0d0p2 ino=262767 scontext=root:system_r:
saslauthd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
> type=SYSCALL msg=audit(1131735915.090:1731): arch=40000003 syscall=5 
success=no exit=-13 a0=fde117 a1=0 a2=1b6 a3=851be68 items=1 pid=23189 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=CWD msg=audit(1131735915.090:1731):  cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.090:1731): item=0 name="/etc/mtab" flags=101  
inode=262767 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131735915.098:1732): avc:  denied  { getattr } for  
pid=23189 comm="saslauthd" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=root:
system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=SYSCALL msg=audit(1131735915.098:1732): arch=40000003 syscall=195 
success=no exit=-13 a0=8c007b a1=bfb3b61c a2=fe9ff4 a3=64 items=1 pid=23189 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=AVC_PATH msg=audit(1131735915.098:1732):  path="/var/tmp"
> type=CWD msg=audit(1131735915.098:1732):  cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.098:1732): item=0 name="/var/tmp" flags=1  
inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1131735915.102:1733): avc:  denied  { read } for  pid=23189 
comm="saslauthd" name="tmp" dev=cciss/c0d0p2 ino=361329 scontext=root:system_r:
saslauthd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
> type=SYSCALL msg=audit(1131735915.102:1733): arch=40000003 syscall=195 
success=no exit=-13 a0=8c0084 a1=bfb3b61c a2=fe9ff4 a3=64 items=1 pid=23189 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=CWD msg=audit(1131735915.102:1733):  cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.102:1733): item=0 name="/usr/tmp" flags=1  
inode=360449 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131735915.102:1734): avc:  denied  { getattr } for  
pid=23189 comm="saslauthd" name="tmp" dev=cciss/c0d0p2 ino=245761 scontext=root:
system_r:saslauthd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1131735915.102:1734): arch=40000003 syscall=195 
success=no exit=-13 a0=8c0097 a1=bfb3b61c a2=fe9ff4 a3=64 items=1 pid=23189 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="saslauthd" exe="/usr/sbin/saslauthd"
> type=AVC_PATH msg=audit(1131735915.102:1734):  path="/tmp"
> type=CWD msg=audit(1131735915.102:1734):  cwd="/var/run/saslauthd"
> type=PATH msg=audit(1131735915.102:1734): item=0 name="/tmp" flags=1  
inode=245761 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00

-> allow saslauthd_t usr_t:lnk_file read; dontaudit saslauthd_t etc_runtime_t:
file { getattr read }; dontaudit saslauthd_t tmp_t:dir getattr;

"su":
> type=AVC msg=audit(1131736370.062:1736): avc:  denied  { read } for  pid=8459 
comm="su" name="mtab" dev=cciss/c0d0p2 ino=262767 scontext=user_u:system_r:
sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 
tclass=file
> type=SYSCALL msg=audit(1131736370.062:1736): arch=40000003 syscall=5 
success=no exit=-13 a0=b03117 a1=0 a2=1b6 a3=9e945f0 items=1 pid=8459 auid=500 
uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" 
exe="/bin/su"
> type=CWD msg=audit(1131736370.062:1736):  cwd="/home/robert"
> type=PATH msg=audit(1131736370.062:1736): item=0 name="/etc/mtab" flags=101  
inode=262767 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1131736370.062:1737): avc:  denied  { search } for  
pid=8459 comm="su" name="abl" dev=cciss/c0d0p2 ino=262697 scontext=user_u:
system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_auth_t:s0 
tclass=dir
> type=SYSCALL msg=audit(1131736370.062:1737): arch=40000003 syscall=195 
success=no exit=-13 a0=9e946a8 a1=bf97176c a2=b0eff4 a3=64 items=1 pid=8459 
auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 
comm="su" exe="/bin/su"
> type=CWD msg=audit(1131736370.062:1737):  cwd="/home/robert"
> type=PATH msg=audit(1131736370.062:1737): item=0 name="/var/lib/abl/users.db" 
flags=1  inode=262697 dev=68:02 mode=040755 ouid=0 ogid=0 rdev=00:00

-> allow sysadm_su_t var_auth_t:file { getattr read write }; allow sysadm_su_t 
var_auth_t:dir search; dontaudit sysadm_su_t etc_runtime_t:file { getattr read 
};

Oh and my imapd (uw-imap) just works here with pam_abl without any problem, 
maybe it was a good reason for me to dislike dovecot ;-)
Comment 12 Alexander Dalloz 2005-11-13 12:21:44 EST
I'll as soon as possible update the package to the latest upstream version,
which should cover some dovecot issues, as the news file in the tarball states:

"2005/10/12 0.2.3 Integrated patches from Gilles Detillieux (fixed NULL pointer
dereference) and Steve Hsieh (dovecot support)."
Comment 13 Nicolas Mailhot 2005-11-19 09:24:23 EST
Problem still there on a clean system that uses selinux-policy-targeted-2.0.1-2
(ie the very latest one)

pam_abl[3173]: Permission denied (13) while opening or creating database

# audit2allow < /var/log/audit/audit.log
allow dovecot_auth_t var_lib_t:dir search;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow spamd_t sbin_t:dir getattr;
allow system_chkpwd_t shell_exec_t:file entrypoint;
allow initrc_su_t bin_t:file execute;
allow updfstab_t hald_t:unix_stream_socket connectto;
allow dovecot_auth_t etc_runtime_t:file read;
allow spamd_t port_t:udp_socket name_bind;

with /var/log/audit/audit.log removed before reboot
Comment 14 Daniel Walsh 2005-11-21 12:57:32 EST
Ok I am adding some fixes for this to 2.0.3-1 But I could use the audit.log to
see what is causing some of these avc messages.  Also which app is using su? 
Could it use runuser instead?

Comment 15 Nicolas Mailhot 2005-11-21 13:53:06 EST
The su bit comes from this line in rc.local : /bin/su nim -c /usr/bin/fetchmail

The rest is system stuff.
Also selinux-policy-targeted-2.0.1-2 has some problems with rpm scriplets
(kernel upgrade for example.

Just point me to the policy version I should test, and I'm more than ready to
dump a full audit log in your inbox :)
Comment 16 Daniel Walsh 2005-11-21 14:44:36 EST
Change 
/bin/su nim -c /usr/bin/fetchmail

to 
/bin/runuser nim -c /usr/bin/fetchmail

runuser == su except it does not use the pam libraries.

I hope to update policy later today.
Comment 17 Nicolas Mailhot 2005-11-22 15:08:33 EST
(In reply to comment #14)
> Ok I am adding some fixes for this to 2.0.3-1 But I could use the audit.log to
> see what is causing some of these avc messages.

Attaching full audit.log for ~ 5 min of system activity after a reboot on
selinux-policy-targeted-2.0.3-1 (just fully relabeled). Some highlights
(audit2allox) :

1. the infamous 'spamassassin can not resolve' bug is back (you know what I'm
talking about, don't want to reopen it)
allow spamd_t port_t:udp_socket name_bind;

2. so is "spamc can not talk to spamd in procmail context" (bu#172088)
allow procmail_t spamd_port_t:tcp_socket name_connect;

3. some new hald stuff :
allow updfstab_t hald_t:unix_stream_socket connectto;

4. and the rest is dovecot + pam_abl problems (this boog)

allow dovecot_auth_t etc_runtime_t:file read;
allow dovecot_auth_t var_lib_t:dir search;


Comment 18 Nicolas Mailhot 2005-11-22 15:10:01 EST
Created attachment 121369 [details]
audit.log for selinux-policy-targeted-2.0.3-1
Comment 19 Robert Scheck 2005-11-22 15:26:54 EST
Created attachment 121370 [details]
Relevant parts from audit.log

Okay here are another two cent for -targeted-2.0.3-1 (I didn't change any
booleans/tunables).
Comment 20 Daniel Walsh 2005-11-29 09:21:52 EST
Fixes are in selinux-policy-targeted-2.0.6-2
Comment 21 Nicolas Mailhot 2005-11-29 13:43:05 EST
Ok, here is my report for selinux-policy-targeted-2.0.6-1. Will report again
when  selinux-policy-targeted-2.0.6-2 hits rawhide :

# audit2allow < /var/log/audit/audit.log | sort
allow dovecot_auth_t etc_runtime_t:file read;
allow dovecot_auth_t var_lib_t:dir search;
allow procmail_t spamd_port_t:tcp_socket name_connect;
allow saslauthd_t etc_runtime_t:file read;
allow saslauthd_t self:capability setuid;
allow saslauthd_t var_auth_t:dir search;
allow spamd_t port_t:udp_socket name_bind;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow updfstab_t tmpfs_t:dir getattr;
Comment 22 Nicolas Mailhot 2005-11-29 16:23:43 EST
With selinux-policy-targeted-2.0.6-2

# audit2allow < /var/log/audit/audit.log | sort
allow dovecot_auth_t var_auth_t:dir write;
(on-the-fly pam_abl database creation failure, strangely works fine from
ssh)

allow saslauthd_t self:capability setuid;
(should saslauthd be allowed setuid ?)

allow saslauthd_t var_auth_t:dir search;
(more pam_abl stuff)

allow spamd_t port_t:udp_socket name_bind;

Probably related to one of those :

Nov 29 22:08:11 rousalka spamd[2382]: Error creating a DNS resolver
socket: Permission non accordée
at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm
line 202, <GEN5> line 120.
Nov 29 22:08:11 rousalka spamd[2382]: spamd: Error creating a DNS
resolver socket: Permission non accordée
at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm
line 202, <GEN5> line 120.


Nov 29 22:09:38 rousalka spamd[2382]: spamd: connection from
localhost.localdomain [127.0.0.1] at port 50657
Nov 29 22:09:38 rousalka spamd[2382]: spamd: setuid to nim succeeded
Nov 29 22:09:38 rousalka spamd[2382]: spamd: creating
default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
1467
Nov 29 22:09:38 rousalka spamd[2382]: config: cannot write
to /home/nim/.spamassassin/user_prefs: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: spamd: failed to create readable
default_prefs: /home/nim/.spamassassin/user_prefs
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
1467
Nov 29 22:09:38 rousalka spamd[2382]: spamd: checking message
<1133298570.3426.4.camel@rousalka.dyndns.org> for nim:500
Nov 29 22:09:38 rousalka spamd[2382]: internal error
Nov 29 22:09:38 rousalka spamd[2382]: pyzor: check failed: internal
error
Nov 29 22:09:38 rousalka spamd[2382]: mkdir /home/nim: Le fichier
existe. at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin.pm line
1467
Nov 29 22:09:38 rousalka spamd[2382]: locker: safe_lock: cannot create
tmp
lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382
for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile /home/nim/.spamassassin/auto-whitelist.lock.rousalka.dyndns.org.2382
for /home/nim/.spamassassin/auto-whitelist.lock: Permission non accordée
Nov 29 22:09:38 rousalka spamd[2382]: Can't call method "finish" on an
undefined value
at /usr/lib/perl5/vendor_perl/5.8.7/Mail/SpamAssassin/Plugin/AWL.pm line
397.
Nov 29 22:09:38 rousalka spamd[2382]: bayes: locker: safe_lock: cannot
create tmp
lockfile /home/nim/.spamassassin/bayes.lock.rousalka.dyndns.org.2382
for /home/nim/.spamassassin/bayes.lock: Permission non accordée

allow system_chkpwd_t devpts_t:chr_file { read write };
(this one is pam-related - may be serious)

allow updfstab_t tmpfs_t:dir getattr;
(fstab-sync is blocked)

(you'll see in the audit logs httpd was also blocked once - it seems one of the
policy upgrades killed my /srv/dav custom chcon. You can ignore it)
Comment 23 Nicolas Mailhot 2005-11-29 16:25:23 EST
Created attachment 121612 [details]
audit.log for selinux-policy-targeted-2.0.6-2
Comment 24 Robert Scheck 2005-11-29 18:33:07 EST
Using selinux-policy-targeted-2.0.6-1, I added the following lines - they make 
it working for me correctly, independent whether my solution is sane or not! At 
least my changes are very similar to those one from comment #3 and a way to 
solve my comments #11 and #19.

# su
files_dontaudit_getattr_tmp_dir(sysadm_su_t)
files_dontaudit_read_etc_runtime_files(sysadm_su_t)

# saslauthd
files_dontaudit_read_etc_runtime_files(saslauthd_t)
files_dontaudit_getattr_tmp_dir(saslauthd_t)
auth_use_nsswitch(saslauthd_t)

# proftpd
files_search_var_lib_dir(ftpd_t)
auth_use_nsswitch(ftpd_t)

auth_use_nsswitch() contains mostly the var_auth stuff, so I simply used it like 
in other policy files. If my use was incorrect, the pam_abl part maybe should be 
splitted of.
Comment 25 Nicolas Mailhot 2005-12-01 13:16:20 EST
pam_abl + selinux almost works now, but pam_able should be updated to get the
dovecot fix
Comment 26 Nicolas Mailhot 2005-12-04 09:02:15 EST
Ok, I'm still seing pam_abl avcs but pam_abl seems to sort of work (using
pam_abl 0.2.3)

Since this boog sort of evolved in a generic selinux issue, changing its title
and component. Most of the problems left are on the selinux side, not the
pam_abl one
Comment 27 Nicolas Mailhot 2005-12-04 09:10:39 EST
Created attachment 121815 [details]
Clean audit.log for selinux-policy-targeted-2.0.8-1

# audit2allow < /var/log/audit/audit.log | sort
allow cupsd_config_t cupsd_log_t:file { read write };
allow dovecot_auth_t dovecot_var_run_t:dir search;
allow dovecot_auth_t tmp_t:dir getattr;
allow dovecot_auth_t usr_t:lnk_file read;
allow dovecot_t etc_runtime_t:file read;
allow saslauthd_t self:capability setuid;
allow saslauthd_t tmp_t:dir getattr;
allow saslauthd_t usr_t:lnk_file read;
allow spamd_t port_t:udp_socket name_bind;
allow sysadm_su_t etc_runtime_t:file read;
allow sysadm_su_t tmp_t:dir getattr;
allow sysadm_su_t usr_t:lnk_file read;
allow system_chkpwd_t devpts_t:chr_file { read write };
allow system_dbusd_t self:process setcap;
allow updfstab_t tmpfs_t:dir getattr;


The dovecot & saslauthd AVCs are probably pam_abls leftovers to fix
The spamd avc is the infamous can't create resolver socket problem
The rest are generic policy boogs
Comment 28 Robert Scheck 2005-12-11 14:00:53 EST
Using selinux-policy-targeted-2.1.2-1 the pam_abl related things seem to work 
for me - woho, thanks :)
Comment 29 Nicolas Mailhot 2005-12-11 15:52:07 EST
Yep - pam_abl is mostly done
Comment 30 Daniel Walsh 2005-12-13 10:06:53 EST
Ok closing,  More fixes should have shown up in 2.1.4-1
Comment 31 Robert Scheck 2005-12-14 05:58:09 EST
Using 2.1.4-1 I get these pam_abl related AVCs while doing "su -"...like in 
comment #24:

type=AVC msg=audit(1134557541.928:21447): avc:  denied  { read } for  pid=12231 
comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:
sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 
tclass=file
type=SYSCALL msg=audit(1134557541.928:21447): arch=40000003 syscall=5 
success=yes exit=3 a0=2d2741 a1=0 a2=1b6 a3=9a415b0 items=1 pid=12231 auid=500 
uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" 
exe="/bin/su"
type=CWD msg=audit(1134557541.928:21447):  cwd="/home/robert"
type=PATH msg=audit(1134557541.928:21447): item=0 name="/etc/mtab" flags=101  
inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1134557541.928:21448): avc:  denied  { getattr } for  
pid=12231 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:
system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 
tclass=file
type=SYSCALL msg=audit(1134557541.928:21448): arch=40000003 syscall=197 
success=yes exit=0 a0=3 a1=bfdc443c a2=2deff4 a3=3 items=0 pid=12231 auid=500 
uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" 
exe="/bin/su"
type=AVC_PATH msg=audit(1134557541.928:21448):  path="/etc/mtab"
type=AVC msg=audit(1134557541.928:21449): avc:  denied  { getattr } for  
pid=12231 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:
system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 
tclass=dir
type=SYSCALL msg=audit(1134557541.928:21449): arch=40000003 syscall=195 
success=yes exit=0 a0=45917d a1=bfdc685c a2=2deff4 a3=64 items=1 pid=12231 
auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 
comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1134557541.928:21449):  path="/var/tmp"
type=CWD msg=audit(1134557541.928:21449):  cwd="/home/robert"
type=PATH msg=audit(1134557541.928:21449): item=0 name="/var/tmp" flags=1  
inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00

Note You need to log in before you can comment on or make changes to this bug.