Description of problem: Just started with selinux-policy-2.4.6-7.fc6: Dec 16 11:39:37 hawk kernel: audit(1166294377.079:1798): avc: denied { getattr } for pid=2576 comm="hald" name="auto.misc" dev=dm-0 ino=43578 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:automount_etc_t:s0 tclass=file
Also seeing: Dec 17 16:43:51 hawk kernel: audit(1166399031.969:3445): avc: denied { setgid } for pid=28543 comm="automount" capability=6 scontext=root:system_r:automount_t:s0 tcontext=root:system_r:automount_t:s0 tclass=capability but this has been happening for longer.
That will be fixed in selinux-policy-2.4.6-15
Thanks for the resolution Daniel ! Just for completeness, here's what I see in the logs: Jan 10 05:48:17 odin setroubleshoot: SELinux is preventing /usr/sbin/hald (hald_t) "getattr" access to /etc/auto.misc (automount_etc_t). For complete SELinux messages. run sealert -l 239373a4-f370-48ca-84a4-9a82beb600c1
setgid is gone now, but now I see:
Jan 12 00:50:35 hawk kernel: audit(1168588235.987:213): avc: denied { setuid } for pid=32288 comm="automount" capability=7 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=capability
selinux-policy-2.4.6-23.fc6
Orion, are you in the wrong bugzilla?
Well, I thought it was related to my comment in #1, but I can file a new report if that helps.
Ah ok, I guess I should have commented on the first one, but I have already added the fix and it should be in the -26 version, so don't worry about moving the report. If you add local policy, do you get any other avc's?
Here's what I've got on this machine. From when 2.4.6-17.fc6 was installed on top of 2.4.6-13.fc6 from cron:
Jan 8 04:22:10 hawk kernel: audit(1168255330.928:109): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan 8 04:22:10 hawk kernel: audit(1168255330.929:110): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
This is from a cfagent run started by the cfenvd daemon, I think:
Jan 9 11:52:48 hawk kernel: audit(1168368768.870:156): avc: denied { read write } for pid=14893 comm="ifconfig" name="[1508602]" dev=sockfs ino=1508602 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=tcp_socket
Not sure about this one:
Jan 11 11:23:23 hawk kernel: audit(1168539803.007:203): avc: denied { read } for pid=21958 comm="umount" name="mounts" dev=proc ino=136314897 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=file
Sorry about still continuing random selinux-bugzilla entries, but I'm still seeing this when yum is run from cron and selinux is updated (mentioned in comment #8):
Apr 6 03:23:24 hammer kernel: audit(1175851404.139:21): avc: denied { write } for pid=9310 comm="load_policy" name="[3496209]" dev=pipefs ino=3496209 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Also still seeing the very occasional:
Apr 4 14:28:08 hawk kernel: audit(1175718488.214:1774): avc: denied { read write } for pid=11473 comm="mount" name="[11889506]" dev=sockfs ino=11889506 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=udp_socket
Apr 7 00:31:26 hawk kernel: audit(1175927486.004:1778): avc: denied { read } for pid=13921 comm="umount" name="mounts" dev=proc ino=12709232 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=file
None of these are harmful, although I am sure they aggravate. Looks like automount is leaking an open file descriptor to a udp_socket. Not sure why umount would be looking at the /proc system for automount. This should be reported as a bug against automount. I have updated the dontaudit rule for load_policy to now log when trying to write to the cron fifo_file. This is caused by the kernel looking at the terminal which is associated with load_policy and checking its access. When it is run from cron, the terminal is set to a fifo_file owned by unconfined_t.
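The question in comment #8 about adding local policy, and the point in the comment above that a benign denial like load_policy writing to cron's fifo belongs under dontaudit rather than allow, both come down to turning AVC lines into a policy module. The following is an added example, not code from the thread or from the selinux-policy package: it parses kernel AVC lines of the format shown in this report, collapses repeated denials into one rule per (source type, target type, class), and emits a .te module in the same shape audit2allow produces, with a caller-supplied set of denials written as dontaudit instead of allow. The sample log below is copied from the denials posted in this thread; the module name `localauto` and the helper names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC lines copied from this bug report (FC6-era
# kernel audit format, "audit(ts:serial): avc: denied { perms } for ...").
SAMPLE_LOG = """\
Dec 16 11:39:37 hawk kernel: audit(1166294377.079:1798): avc: denied { getattr } for pid=2576 comm="hald" name="auto.misc" dev=dm-0 ino=43578 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:automount_etc_t:s0 tclass=file
Dec 17 16:43:51 hawk kernel: audit(1166399031.969:3445): avc: denied { setgid } for pid=28543 comm="automount" capability=6 scontext=root:system_r:automount_t:s0 tcontext=root:system_r:automount_t:s0 tclass=capability
Jan 8 04:22:10 hawk kernel: audit(1168255330.928:109): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Jan 8 04:22:10 hawk kernel: audit(1168255330.929:110): avc: denied { write } for pid=21598 comm="load_policy" name="[1141143]" dev=pipefs ino=1141143 scontext=user_u:system_r:load_policy_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
Apr 4 14:28:08 hawk kernel: audit(1175718488.214:1774): avc: denied { read write } for pid=11473 comm="mount" name="[11889506]" dev=sockfs ino=11889506 scontext=user_u:system_r:mount_t:s0 tcontext=user_u:system_r:automount_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], sorted(m.group('perms').split())


def collect_rules(log):
    """Merge all denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def gen_te(module_name, log, dontaudit=frozenset()):
    """Emit a .te module. Keys listed in `dontaudit` are silenced, not granted."""
    rules = collect_rules(log)
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['\ttype %s;' % t for t in sorted(types)]
    out += ['\tclass %s %s;' % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    out += ['}', '']
    for key in sorted(rules):
        stype, ttype, tclass = key
        verb = 'dontaudit' if key in dontaudit else 'allow'
        target = 'self' if stype == ttype else ttype   # self-access, e.g. capability
        out.append('%s %s %s:%s %s;' % (verb, stype, target, tclass, fmt_perms(rules[key])))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    # The cron fifo write is harmless noise (see the comment above), so it is
    # suppressed rather than allowed; everything else becomes an allow rule.
    print(gen_te('localauto', SAMPLE_LOG,
                 dontaudit={('load_policy_t', 'unconfined_t', 'fifo_file')}))
```

The printed module is what you would save as localauto.te and build with checkmodule -M -m -o localauto.mod localauto.te, semodule_package -o localauto.pp -m localauto.mod, and semodule -i localauto.pp (or hand the raw AVC lines to audit2allow -M localauto, which does the same grouping). Review each generated line before loading it: an allow rule for mount_t on an automount_t udp_socket would paper over the leaked descriptor noted above rather than fix it, and an allow for load_policy_t writing unconfined_t fifos would grant access the policy maintainer chose to silence instead.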
Fixed in current release