This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 197529 - spurious selinux AVC errors from semodule when running NFS/autofs
spurious selinux AVC errors from semodule when running NFS/autofs
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-03 14:00 EDT by Carl Roth
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-28 16:01:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Carl Roth 2006-07-03 14:00:29 EDT
Description of problem:

I'm noticing spurious selinux AVC deny messages in my logs whenever I run
'semodule' or 'setsebool' commands.  I traced this to attempts by
'genhomedircon' to try to traverse my NFS- or autofs-mounted directories.  I see
errors of the form

type=AVC msg=audit(1151948728.555:8393): avc:  denied  { read } for  pid=18761
comm="genhomedircon" name="resolv.conf" dev=dm-4 ino=918606
tcontext=user_u:system_r:semanage_t:s0 tcontext=system_u:object_r:net_conf_t:s0
tclass=file
type=SYSCALL msg=audit(1151948728.555:8393): arch=14 syscall=5 success=yes
exit=-13 a0=ff90fa4 a1=0 a2=1b6 a3=1b6 items=1 pid=18761 auid=5000 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="genhomedircon"
exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0

and others of the form

type=AVC msg=audit(1151948852.607:8407): avc:  denied  { create } for  pid=18761
comm="genhomedircon" scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:system_r:semanage_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1151948852.607:8407): arch=14 syscall=102 success=yes
exit=-13 a0=1 a1=7f9a0234 a2=0 a3=0 items=0 pid=18761 auid=5000 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="genhomedircon"
exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0

type=AVC msg=audit(1151948852.607:8406): avc:  denied  { create } for  pid=18761
comm="genhomedircon" scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:system_r:semanage_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1151948852.607:8406): arch=14 syscall=102 success=yes
exit=-13 a0=1 a1=7f9a00f4 a2=0 a3=7f9a0164 items=0 pid=18761 auid=5000 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="genhomedircon"
exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0

I don't think it's the case that 'genhomedircon' should be accessing or labeling
any directories mounted via NFS or autofs.

I think it would be reasonable to include the following in the selinux policy to
suppress these messages:

  dontaudit semanage_t self:tcp_socket create_socket_perms;
  dontaudit semanage_t self:netlink_route_socket create_socket_perms;
  dontaudit semanage_t net_conf_t:file r_file_perms;

Version-Release number of selected component (if applicable):

  This is for selinux-policy-targeted-2.2.43-4.fc5 on a PPC.

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2006-07-11 12:52:27 EDT
Fixed in Rawhide selinux-policy-2.3.2-2.  You can build a loadable module for
this using 
audit2allow -M genhomedircon -i /var/log/messages 

Or wait until the next policy backport for FC5.
Comment 2 Chris Jones 2006-07-22 11:00:49 EDT
We're also seeing this sort of message. Though we think this is because we're
useing ldap/nscd.
Comment 3 Daniel Walsh 2007-03-28 16:01:46 EDT
Closing bugs

Note You need to log in before you can comment on or make changes to this bug.