Bug 176983 - Some pam_abl leftovers at su
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2006-01-04 22:50 UTC by Robert Scheck
Modified: 2007-11-30 22:11 UTC
Fixed In Version: 2.1.7-2
Doc Type: Bug Fix
Last Closed: 2006-01-08 01:10:58 UTC

Description Robert Scheck 2006-01-04 22:50:53 UTC
Description of problem:
While doing "su -" after an upgrade of selinux-policy-targeted, I got the
following messages in syslog:

type=AVC msg=audit(1136412775.423:520212): avc:  denied  { read } for  pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520212): arch=40000003 syscall=5 success=yes exit=3 a0=29528c a1=0 a2=1b6 a3=8b2b230 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=CWD msg=audit(1136412775.423:520212):  cwd="/home/robert"
type=PATH msg=audit(1136412775.423:520212): item=0 name="/etc/mtab" flags=101 inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1136412775.423:520213): avc:  denied  { getattr } for  pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520213): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfcda354 a2=2a1ff4 a3=3 items=0 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.423:520213):  path="/etc/mtab"
type=AVC msg=audit(1136412775.427:520214): avc:  denied  { getattr } for  pid=9839 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1136412775.427:520214): arch=40000003 syscall=195 success=yes exit=0 a0=82417d a1=bfcdc74c a2=2a1ff4 a3=64 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.427:520214):  path="/var/tmp"
type=CWD msg=audit(1136412775.427:520214):  cwd="/home/robert"
type=PATH msg=audit(1136412775.427:520214): item=0 name="/var/tmp" flags=1 inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.1.6-24
pam_abl-0.2.3

Actual results:
As far as I can see, it is a leftover of bug #172496 (comments #24 and #31).

Expected results:
Something like my

  files_dontaudit_getattr_tmp_dir(sysadm_su_t)
  files_dontaudit_read_etc_runtime_files(sysadm_su_t)

or even better, of course :)
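The triage the report walks through (is this a mislabeled file, or a policy gap that wants a dontaudit rule?) can be done mechanically from the audit records. The script below is an added example, not the reporter's code and not part of selinux-policy: it joins the records that share one audit event id so the path from the PATH or AVC_PATH record sits next to the AVC denial, compares the target type with the label file_contexts say the path should carry, and emits raw TE rules in the form audit2allow prints (the reporter's suggestion used the equivalent refpolicy interface macros). The sample input is the report's own audit log, reflowed one record per line. EXPECTED_LABELS is an assumption standing in for what matchpathcon would print on that policy: etc_runtime_t for /etc/mtab is confirmed later in the report, tmp_t for /var/tmp is the reference-policy default. Note that every denial here carries success=yes on its SYSCALL record, so the calls completed anyway, which is what permissive mode looks like.

```python
"""Added example (not from the report or selinux-policy): triage SELinux
AVC denials, tell labeling bugs from policy gaps, emit TE rules."""
import re
from collections import defaultdict

# The reporter's own audit records, reflowed one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1136412775.423:520212): avc:  denied  { read } for  pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520212): arch=40000003 syscall=5 success=yes exit=3 a0=29528c a1=0 a2=1b6 a3=8b2b230 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=CWD msg=audit(1136412775.423:520212):  cwd="/home/robert"
type=PATH msg=audit(1136412775.423:520212): item=0 name="/etc/mtab" flags=101 inode=262191 dev=68:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1136412775.423:520213): avc:  denied  { getattr } for  pid=9839 comm="su" name="mtab" dev=cciss/c0d0p2 ino=262191 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1136412775.423:520213): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfcda354 a2=2a1ff4 a3=3 items=0 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.423:520213):  path="/etc/mtab"
type=AVC msg=audit(1136412775.427:520214): avc:  denied  { getattr } for  pid=9839 comm="su" name="tmp" dev=cciss/c0d0p2 ino=344065 scontext=user_u:system_r:sysadm_su_t:s0-s0:c0.c255 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1136412775.427:520214): arch=40000003 syscall=195 success=yes exit=0 a0=82417d a1=bfcdc74c a2=2a1ff4 a3=64 items=1 pid=9839 auid=500 uid=500 gid=100 euid=0 suid=0 fsuid=0 egid=100 sgid=100 fsgid=100 comm="su" exe="/bin/su"
type=AVC_PATH msg=audit(1136412775.427:520214):  path="/var/tmp"
type=CWD msg=audit(1136412775.427:520214):  cwd="/home/robert"
type=PATH msg=audit(1136412775.427:520214): item=0 name="/var/tmp" flags=1 inode=344065 dev=68:02 mode=041777 ouid=0 ogid=0 rdev=00:00
"""

# Assumed file_contexts answers (what `matchpathcon PATH` would print).
# /etc/mtab -> etc_runtime_t is confirmed in the report; /var/tmp -> tmp_t
# is the reference-policy default and is assumed here.
EXPECTED_LABELS = {"/etc/mtab": "etc_runtime_t", "/var/tmp": "tmp_t"}

REC_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<id>[\d.]+:\d+)\):\s*(?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
                    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Return one dict per denied AVC, joined with its SYSCALL/PATH records."""
    events = defaultdict(lambda: {"avc": None, "fields": {}})
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        ev = events[m["id"]]
        if m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            if a:
                ev["avc"] = a.groupdict()
        else:
            # First value wins: PATH name, AVC_PATH path, SYSCALL success.
            for k, v in KV_RE.findall(m["body"]):
                ev["fields"].setdefault(k, v.strip('"'))
    denials = []
    for eid, ev in events.items():
        if not ev["avc"]:
            continue
        avc, f = ev["avc"], ev["fields"]
        denials.append({
            "id": eid,
            "perms": set(avc["perms"].split()),
            "source_type": avc["scon"].split(":")[2],   # user:role:type:...
            "target_type": avc["tcon"].split(":")[2],
            "tclass": avc["tclass"],
            "path": f.get("path") or f.get("name"),
            # A denial whose syscall still reports success=yes went through
            # anyway: the box was in permissive mode.
            "permissive": f.get("success") == "yes",
        })
    return denials


def classify(denials, expected_labels):
    """Split denials into labeling bugs (fix: restorecon) and policy gaps."""
    mislabeled, policy_gaps = [], []
    for d in denials:
        want = expected_labels.get(d["path"])
        if want is not None and want != d["target_type"]:
            mislabeled.append(d)
        else:
            policy_gaps.append(d)
    return mislabeled, policy_gaps


def generate_rules(denials, kind="dontaudit"):
    """Merge denials by (source, target, class) into TE rules, audit2allow style."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source_type"], d["target_type"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        perm_str = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"{kind} {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    denials = parse_audit(SAMPLE_AUDIT)
    mislabeled, gaps = classify(denials, EXPECTED_LABELS)
    for d in mislabeled:
        print(f"mislabeled {d['path']}: is {d['target_type']}, run restorecon")
    for rule in generate_rules(gaps):
        print(rule)
```

Run it as-is and it reports no mislabeled paths (all three target types match the expected labels) and prints two dontaudit rules for sysadm_su_t, one for etc_runtime_t:file covering read and getattr, one for tmp_t:dir getattr. Feeding it a real /var/log/audit/audit.log and a matchpathcon-derived table works the same way; only denials whose path label disagrees with file_contexts become restorecon candidates, everything else is a policy question.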

Comment 1 Daniel Walsh 2006-01-05 14:39:03 UTC
This looks like a mislabeled mtab file.

restorecon /etc/mtab

/etc/mtab should not be labeled tmp_t.



Comment 2 Robert Scheck 2006-01-05 14:44:01 UTC
Ey, those were three different avc denied messages above, and the labeling of my
/etc/mtab was already and is correct - so restorecon didn't change anything:

-rw-r--r--  root     root     system_u:object_r:etc_runtime_t  /etc/mtab

Reopening...

Comment 3 Daniel Walsh 2006-01-05 21:52:28 UTC
Fixed in 2.1.7-2

Comment 4 Robert Scheck 2006-01-08 01:10:58 UTC
Works...thank you!
