Bug 176983 - Some pam_abl leftovers at su
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-01-04 17:50 EST by Robert Scheck
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 2.1.7-2
Doc Type: Bug Fix
Last Closed: 2006-01-07 20:10:58 EST
Description Robert Scheck 2006-01-04 17:50:53 EST
Description of problem:
While doing "su -" after an upgrade of selinux-policy-targeted, I got  the 
following messages in syslog:

type=AVC msg=audit(1136412775.423:520212): avc:  denied  { read } for  pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520212): arch=40000003 syscall=5 success=yes exit=3 a0=29528c a1=0 a2=1b6 a3=8b2b230 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=CWD msg=audit(1136412775.423:520212):  cwd="/home/robert"
type=PATH msg=audit(1136412775.423:520212): item=0 name="/etc/mtab" flags=101 inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1136412775.423:520213): avc:  denied  { getattr } for  pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520213): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfcda354 a2=2a1ff4 a3=3 items=0 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.423:520213):  path="/etc/mtab"
type=AVC msg=audit(1136412775.427:520214): avc:  denied  { getattr } for  pid=9839 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1136412775.427:520214): arch=40000003 syscall=195 success=yes exit=0 a0=82417d a1=bfcdc74c a2=2a1ff4 a3=64 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.427:520214):  path="/var/tmp"
type=CWD msg=audit(1136412775.427:520214):  cwd="/home/robert"
type=PATH msg=audit(1136412775.427:520214): item=0 name="/var/tmp" flags=1 inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.1.6-24
pam_abl-0.2.3

Actual results:
As far as I can see, it is a leftover of bug #172496 (comment #24 and #31).

Expected results:
Something like my

  files_dontaudit_getattr_tmp_dir(sysadm_su_t)
  files_dontaudit_read_etc_runtime_files(sysadm_su_t)

or even better, of course :)
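The denials above and the two proposed dontaudit interface calls, as an added example that is not part of the bug report or of the selinux-policy package: a small Python script that parses the AVC records, first checks whether the logged target type matches the label expected for each file (the mislabeling question a maintainer asks before touching policy), and then merges the remaining denials into raw TE dontaudit rules equivalent to the two interface calls proposed. The AVC_LINES sample and the expected-label map are constructed from this report.

```python
import re

# Constructed sample input: the three AVC records from the report, each
# re-joined onto a single line (the bug tracker wrapped them).
AVC_LINES = [
    'type=AVC msg=audit(1136412775.423:520212): avc:  denied  { read } for  pid=9839 '
    'comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 '
    'scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=AVC msg=audit(1136412775.423:520213): avc:  denied  { getattr } for  pid=9839 '
    'comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 '
    'scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'type=AVC msg=audit(1136412775.427:520214): avc:  denied  { getattr } for  pid=9839 '
    'comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 '
    'scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?name="(?P<name>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "name": m.group("name"),
        "stype": m.group("scontext").split(":")[2],  # type field of the source context
        "ttype": m.group("tcontext").split(":")[2],  # type field of the target context
        "tclass": m.group("tclass"),
    }

def mislabel_suspects(lines, expected):
    """Names whose logged target type differs from the label expected for them."""
    return sorted({d["name"] for d in map(parse_avc, lines)
                   if d and d["name"] in expected and expected[d["name"]] != d["ttype"]})

def dontaudit_rules(lines):
    """Merge denials by (source type, target type, class); emit one raw TE rule each."""
    merged = {}
    for d in filter(None, map(parse_avc, lines)):
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    return [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

With the labels the report shows (/etc/mtab as etc_runtime_t, /var/tmp as tmp_t) no file is flagged as mislabeled, so the two merged rules are the raw-policy form of the interface calls suggested above.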
Comment 1 Daniel Walsh 2006-01-05 09:39:03 EST
This looks like a mislabeled mtab file.

restorecon /etc/mtab

/etc/mtab should not be labeled tmp_t.

Comment 2 Robert Scheck 2006-01-05 09:44:01 EST
Hey, those were three different AVC denied messages above, and the labeling of my
/etc/mtab was already and still is correct, so restorecon didn't change anything:

-rw-r--r--  root     root     system_u:object_r:etc_runtime_t  /etc/mtab

Reopening...
Comment 3 Daniel Walsh 2006-01-05 16:52:28 EST
Fixed in  2.1.7-2
Comment 4 Robert Scheck 2006-01-07 20:10:58 EST
Works...thank you!
