Bug 222363 - [LSPP] ia64 /boot/efi is inaccessible to sysadm_r
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
QA Contact: OtherQA
Reported: 2007-01-11 15:59 EST by Matt Anderson
Modified: 2009-06-19 07:27 EDT
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Last Closed: 2007-11-07 11:38:05 EST

Description Matt Anderson 2007-01-11 15:59:58 EST
Description of problem:
After installing RHEL5rcs6 on ia64 the /boot/efi partition is labeled dosfs_t
and is not accessible to the administrator

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-22.el5

How reproducible:
Every time

Steps to Reproduce:
1. Install RHEL5 beta
2. Login as user / su / newrole -r sysadm_r
3. ls /boot/efi
  
Actual results:
Permission Denied

Expected results:
The administrator needs access to this directory.

Additional info:
Here are the AVCs from running in permissive mode and editing elilo.conf
type=AVC msg=audit(1168546168.321:127): avc:  denied  { read } for  pid=2768
comm="ls" name="/" dev=sdb1 ino=1
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1168546168.321:127): arch=c0000032 syscall=1028
success=yes exit=3 a0=6000000000012740 a1=10800 a2=c000000000000205 a3=280
items=0 ppid=2481 pid=2768 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty2 comm="ls" exe="/bin/ls"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.900:128): avc:  denied  { write } for  pid=2771
comm="vi" name="elilo.conf" dev=sdb1 ino=3927
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.900:128): arch=c0000032 syscall=1049
success=yes exit=0 a0=6000000000027880 a1=2 a2=6000000000027880
a3=c000000000002651 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.901:129): avc:  denied  { write } for  pid=2771
comm="vi" name="redhat" dev=sdb1 ino=3919
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc:  denied  { add_name } for  pid=2771
comm="vi" name=".elilo.conf.swp"
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc:  denied  { create } for  pid=2771
comm="vi" name=".elilo.conf.swp"
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=staff_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.901:129): arch=c0000032 syscall=1028
success=yes exit=4 a0=60000000000283e0 a1=c2 a2=180 a3=200000000033d4f8 items=0
ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.901:130): avc:  denied  { remove_name } for 
pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:130): avc:  denied  { unlink } for  pid=2771
comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.901:130): arch=c0000032 syscall=1032
success=yes exit=0 a0=6000000000026870 a1=5 a2=60000fffff60f0a0
a3=c000000000000b1a items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.903:131): avc:  denied  { setattr } for  pid=2771
comm="vi" name=".elilo.conf.swp" dev=sdb1 ino=3930
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.903:131): arch=c0000032 syscall=1038
success=yes exit=0 a0=60000000000283e0 a1=180 a2=0 a3=1 items=0 ppid=2481
pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1168546180.511:132): avc:  denied  { rename } for  pid=2771
comm="vi" name="elilo.conf" dev=sdb1 ino=3927
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546180.511:132): arch=c0000032 syscall=1054
success=yes exit=0 a0=6000000000027880 a1=6000000000036a10 a2=60000fffff60f1b0
a3=b8 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)

Which translates to this:
module bootefi 1.0;

require {
        class dir { add_name read remove_name write }; 
        class file { create rename setattr unlink write }; 
        type dosfs_t; 
        type sysadm_t; 
        role sysadm_r; 
};

allow sysadm_t dosfs_t:dir { add_name read remove_name write };
allow sysadm_t dosfs_t:file { create rename setattr unlink write };
Comment 1 Daniel Walsh 2007-01-11 16:30:26 EST
Fixed in selinux-policy-2.4.6-25
Comment 3 RHEL Product and Program Management 2007-05-01 13:36:31 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Eduard Benes 2007-08-23 12:59:37 EDT
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 
ASSIGNED.
Comment 7 Linda Knippers 2007-08-23 16:21:42 EDT
I tried this on the u1 beta and it seems to work fine.

Comment 9 errata-xmlrpc 2007-11-07 11:38:05 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html