Bug 219999 - denied getattr hald automount_etc_t
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2006-12-18 00:27 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:13:40 EDT
Description Orion Poplawski 2006-12-18 00:27:46 EST
Description of problem:

Just started with selinux-policy-2.4.6-7.fc6:

Dec 16 11:39:37 hawk kernel: audit(1166294377.079:1798): avc:  denied  { getattr } for  pid=2576 comm="hald" name="auto.misc" dev=dm-0 ino=43578 tcontext=system_u:object_r:automount_etc_t:s0 tclass=file
Comment 1 Orion Poplawski 2006-12-18 00:30:17 EST
Also seeing:

Dec 17 16:43:51 hawk kernel: audit(1166399031.969:3445): avc:  denied  { setgid } for  pid=28543 comm="automount" capability=6 scontext=root:system_r:automount_t:s0 tcontext=root:system_r:automount_t:s0

but this has been happening for longer.
Comment 2 Daniel Walsh 2006-12-18 14:49:17 EST
That will be fixed in selinux-policy-2.4.6-15
Comment 3 Pradeep Picardo 2007-01-10 09:24:49 EST
Thanks for the resolution, Daniel!
Just for completeness, here's what I see in the logs: 
Jan 10 05:48:17 odin setroubleshoot: SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to /etc/auto.misc (automount_etc_t). For complete SELinux messages. run sealert -l 239373a4-f370-48ca-84a4-9a82beb600c1
Comment 4 Orion Poplawski 2007-01-12 11:16:41 EST
setgid is gone now, but now I see:

Jan 12 00:50:35 hawk kernel: audit(1168588235.987:213): avc:  denied  { setuid } for  pid=32288 comm="automount" capability=7 tcontext=system_u:system_r:automount_t:s0 tclass=capability

Comment 5 Daniel Walsh 2007-01-12 12:10:31 EST
Orion are you in the wrong bugzilla?
Comment 6 Orion Poplawski 2007-01-12 12:22:47 EST
Well, I thought it was related to my comment in #1, but I can file a new report
if that helps.
Comment 7 Daniel Walsh 2007-01-12 13:08:29 EST
Ah, ok, I guess I should have commented on the first one, but I have already
added the fix and it should be in the -26 version, so don't worry about moving
the report. If you add local policy, do you get any other avc's?
Comment 8 Orion Poplawski 2007-01-12 13:25:35 EST
Here's what I've got on this machine:

From when 2.4.6-17.fc6 was installed ontop of 2.4.6-13.fc6 from cron:

Jan  8 04:22:10 hawk kernel: audit(1168255330.928:109): avc:  denied  { write } for  pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan  8 04:22:10 hawk kernel: audit(1168255330.929:110): avc:  denied  { write } for  pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

This is from a cfagent run started by the cfenvd daemon I think:

Jan  9 11:52:48 hawk kernel: audit(1168368768.870:156): avc:  denied  { read write } for  pid=14893 comm="ifconfig" name="[1508602]" dev=sockfs ino=1508602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0

Not sure about this one:

Jan 11 11:23:23 hawk kernel: audit(1168539803.007:203): avc:  denied  { read } for  pid=21958 comm="umount" name="mounts" dev=proc ino=136314897 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0
Comment 9 Orion Poplawski 2007-04-09 12:27:18 EDT
Sorry about still continuing random selinux-bugzilla entries, but I'm still
seeing this when yum is run from cron and selinux is updated (mentioned in
comment #8):

Apr  6 03:23:24 hammer kernel: audit(1175851404.139:21): avc:  denied  { write } for  pid=9310 comm="load_policy" name="[3496209]" dev=pipefs ino=3496209 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

Also still seeing the very occasional:

Apr  4 14:28:08 hawk kernel: audit(1175718488.214:1774): avc:  denied  { read write } for  pid=11473 comm="mount" name="[11889506]" dev=sockfs ino=11889506 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0
Apr  7 00:31:26 hawk kernel: audit(1175927486.004:1778): avc:  denied  { read } for  pid=13921 comm="umount" name="mounts" dev=proc ino=12709232 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0
Comment 10 Daniel Walsh 2007-04-09 13:48:58 EDT
None of these are harmful, although I am sure they aggravate.

Looks like automount is leaking an open file descriptor to a udp_socket.  Not
sure why umount would be looking at the /proc system for automount.  This should
be reported as a bug against automount.

I have updated the dontaudit rule for load_policy to now log when trying to
write to the cron fifo_file.  This is caused by the kernel looking at the
terminal which is associated with load_policy and checking its access.  When it
is run from cron, the terminal is set to a fifo_file owned by unconfined_t.
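
Comment 10 makes a distinction a policy maintainer applies to every batch of denials: the hald/automount_etc_t and capability denials are real policy gaps that want an allow rule, while the sockfs and pipefs denials are descriptors created in one domain (automount's udp_socket, cron's fifo) and inherited by another, which an allow rule should never paper over. The script below is an added example, not code from selinux-policy, setroubleshoot or audit2allow. It parses the denials quoted in this bug, rebuilt here as complete single-line records (the fields the wrapped quotes dropped are filled in as assumptions: scontext hald_t from comment 3, tclass udp_socket from comment 10, scontext load_policy_t, and tclass file for the /proc/<pid>/mounts read), flags the inherited-descriptor cases with that heuristic, and renders the remainder in the allow-rule shape audit2allow prints.

```python
"""Triage of SELinux AVC denials (added example for bug 219999; not selinux-policy,
setroubleshoot or audit2allow code).

Parses kernel 'avc: denied' records as syslog writes them, separates denials on a
socket or pipe that carries another *process* domain's label (a descriptor leaked
across fork/exec, see comment 10) from genuine policy gaps, and prints the gaps as
audit2allow-style allow rules.
"""
import re
from collections import defaultdict

# Constructed sample: the denials quoted in this bug, re-joined onto the single
# line the kernel logs. Fields the wrapped quotes dropped are ASSUMED here:
# scontext hald_t (comment 3), tclass udp_socket (comment 10), scontext
# load_policy_t, and tclass file for the /proc/<pid>/mounts read.
SAMPLE_LOG = """\
Dec 16 11:39:37 hawk kernel: audit(1166294377.079:1798): avc:  denied  { getattr } for  pid=2576 comm="hald" name="auto.misc" dev=dm-0 ino=43578 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:automount_etc_t:s0 tclass=file
Dec 17 16:43:51 hawk kernel: audit(1166399031.969:3445): avc:  denied  { setgid } for  pid=28543 comm="automount" capability=6 scontext=root:system_r:automount_t:s0 tcontext=root:system_r:automount_t:s0 tclass=capability
Jan 12 00:50:35 hawk kernel: audit(1168588235.987:213): avc:  denied  { setuid } for  pid=32288 comm="automount" capability=7 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
Jan  8 04:22:10 hawk kernel: audit(1168255330.928:109): avc:  denied  { write } for  pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=system_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Apr  4 14:28:08 hawk kernel: audit(1175718488.214:1774): avc:  denied  { read write } for  pid=11473 comm="mount" name="[11889506]" dev=sockfs ino=11889506 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=udp_socket
Apr  7 00:31:26 hawk kernel: audit(1175927486.004:1778): avc:  denied  { read } for  pid=13921 comm="umount" name="mounts" dev=proc ino=12709232 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes created by a process; such objects inherit the creator's label.
FD_CLASSES = {"fifo_file", "udp_socket", "tcp_socket", "unix_stream_socket",
              "unix_dgram_socket", "rawip_socket", "netlink_socket", "socket"}


def parse_avc(line):
    """Return the record's key=value fields plus perms, srole/stype and
    trole/ttype, or None if the line is not a complete AVC record (a wrapped
    quote that lost its scontext cannot be attributed to a domain)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in d for k in ("scontext", "tcontext", "tclass")):
        return None
    d["perms"] = sorted(m.group("perms").split())
    for side in ("scontext", "tcontext"):
        _user, role, typ = d[side].split(":")[:3]   # user:role:type[:range]
        d[side[0] + "role"], d[side[0] + "type"] = role, typ
    return d


def inherited_descriptor(d):
    """Heuristic from comment 10: a socket/pipe labelled with a process domain
    (role is not object_r) other than our own was opened by that process and
    leaked to us; fix the leaking program or dontaudit it, do not allow it."""
    return (d["tclass"] in FD_CLASSES
            and d["trole"] != "object_r"
            and d["stype"] != d["ttype"])


def te_rules(denials):
    """Collapse denials into audit2allow-shaped allow rules, one per
    (source type, target type, class), merging the permissions."""
    perms_by_key = defaultdict(set)
    for d in denials:
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        perms_by_key[(d["stype"], target, d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms_by_key.items())]


def triage(log_text):
    """Split a log into leaked-descriptor denials and allow rules for the rest."""
    denials = [d for d in map(parse_avc, log_text.splitlines()) if d]
    leaks = [d for d in denials if inherited_descriptor(d)]
    gaps = [d for d in denials if not inherited_descriptor(d)]
    return {"denials": denials, "rules": te_rules(gaps), "leaks": leaks}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("# policy gaps (candidate allow rules):")
    print("\n".join(result["rules"]))
    print("# inherited descriptors (report to the leaking program / dontaudit):")
    for d in result["leaks"]:
        print(f'  comm={d["comm"]} {d["stype"]} -> {d["ttype"]}:{d["tclass"]}')
```

The heuristic is deliberately conservative: the umount read of /proc/<pid>/mounts is left in the allow-rule bucket even though its target is also automount_t, because a proc entry is not a descriptor and the thread itself leaves that case open.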

Comment 11 Daniel Walsh 2007-08-22 10:13:40 EDT
Fixed in current release
