Bug 222363 - [LSPP] ia64 /boot/efi is unaccessible to sysadm_r
Summary: [LSPP] ia64 /boot/efi is unaccessible to sysadm_r
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-01-11 20:59 UTC by Matt Anderson
Modified: 2009-06-19 11:27 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 16:38:05 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2007:0544 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2007-11-08 14:16:49 UTC

Description Matt Anderson 2007-01-11 20:59:58 UTC
Description of problem:
After installing RHEL5rcs6 on ia64, the /boot/efi partition is labeled dosfs_t
and is not accessible to the administrator.

Version-Release number of selected component (if applicable):
selinux-policy-mls-2.4.6-22.el5

How reproducible:
Every time

Steps to Reproduce:
1. Install RHEL5 beta
2. Login as user / su / newrole -r sysadm_r
3. ls /boot/efi
  
Actual results:
Permission Denied

Expected results:
The administrator needs access to this directory.

Additional info:
Here are the AVCs from running in permissive mode and editing elilo.conf:
type=AVC msg=audit(1168546168.321:127): avc:  denied  { read } for  pid=2768
comm="ls" name="/" dev=sdb1 ino=1
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1168546168.321:127): arch=c0000032 syscall=1028
success=yes exit=3 a0=6000000000012740 a1=10800 a2=c000000000000205 a3=280
items=0 ppid=2481 pid=2768 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=tty2 comm="ls" exe="/bin/ls"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.900:128): avc:  denied  { write } for  pid=2771
comm="vi" name="elilo.conf" dev=sdb1 ino=3927
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.900:128): arch=c0000032 syscall=1049
success=yes exit=0 a0=6000000000027880 a1=2 a2=6000000000027880
a3=c000000000002651 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.901:129): avc:  denied  { write } for  pid=2771
comm="vi" name="redhat" dev=sdb1 ino=3919
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc:  denied  { add_name } for  pid=2771
comm="vi" name=".elilo.conf.swp"
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc:  denied  { create } for  pid=2771
comm="vi" name=".elilo.conf.swp"
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=staff_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.901:129): arch=c0000032 syscall=1028
success=yes exit=4 a0=60000000000283e0 a1=c2 a2=180 a3=200000000033d4f8 items=0
ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.901:130): avc:  denied  { remove_name } for 
pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:130): avc:  denied  { unlink } for  pid=2771
comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.901:130): arch=c0000032 syscall=1032
success=yes exit=0 a0=6000000000026870 a1=5 a2=60000fffff60f0a0
a3=c000000000000b1a items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168546177.903:131): avc:  denied  { setattr } for  pid=2771
comm="vi" name=".elilo.conf.swp" dev=sdb1 ino=3930
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546177.903:131): arch=c0000032 syscall=1038
success=yes exit=0 a0=60000000000283e0 a1=180 a2=0 a3=1 items=0 ppid=2481
pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=tty2 comm="vi" exe="/bin/vi" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
key=(null)
type=AVC msg=audit(1168546180.511:132): avc:  denied  { rename } for  pid=2771
comm="vi" name="elilo.conf" dev=sdb1 ino=3927
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=SYSCALL msg=audit(1168546180.511:132): arch=c0000032 syscall=1054
success=yes exit=0 a0=6000000000027880 a1=6000000000036a10 a2=60000fffff60f1b0
a3=b8 items=0 ppid=2481 pid=2771 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=tty2 comm="vi" exe="/bin/vi"
subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)

Which translates to this:
module bootefi 1.0;

require {
        class dir { add_name read remove_name write }; 
        class file { create rename setattr unlink write }; 
        type dosfs_t; 
        type sysadm_t; 
        role sysadm_r; 
};

allow sysadm_t dosfs_t:dir { add_name read remove_name write };
allow sysadm_t dosfs_t:file { create rename setattr unlink write };
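The step from the AVC records above to the `bootefi` module is the one audit2allow performs: group every denial by (source type, target type, object class) and union the denied permissions. The script below is an added example written for this page, not Red Hat's audit2allow and not code from the report; it re-joins the records as they were wrapped when pasted here, keys on the type field only (so the `create` denial whose tcontext is `staff_u:object_r:dosfs_t:s0` folds into the same `dosfs_t` rule as the `system_u` ones), and reproduces the two `allow` lines of the report. Its sample input is the report's own AVC records plus one abridged SYSCALL record, embedded inline to show that non-AVC records are skipped. Note what the generated rule says: it grants `sysadm_t` write access to every object of type `dosfs_t`, i.e. every vfat mount, not just /boot/efi, which is why such a module is a candidate for review rather than something to load blindly; in this bug the fix went into the selinux-policy package itself.

```python
"""Group SELinux AVC denials into candidate allow rules, audit2allow-style.

Added example for this report; not Red Hat's audit2allow.  SAMPLE_AUDIT holds
the AVC records quoted in the report, kept in the wrapped form they were pasted
in, plus one abridged SYSCALL record to exercise the skip path.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT = """\
type=AVC msg=audit(1168546168.321:127): avc:  denied  { read } for  pid=2768
comm="ls" name="/" dev=sdb1 ino=1
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1168546168.321:127): arch=c0000032 syscall=1028 success=yes exit=3
type=AVC msg=audit(1168546177.900:128): avc:  denied  { write } for  pid=2771
comm="vi" name="elilo.conf" dev=sdb1 ino=3927
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546177.901:129): avc:  denied  { write } for  pid=2771
comm="vi" name="redhat" dev=sdb1 ino=3919
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc:  denied  { add_name } for  pid=2771
comm="vi" name=".elilo.conf.swp"
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:129): avc:  denied  { create } for  pid=2771
comm="vi" name=".elilo.conf.swp"
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=staff_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546177.901:130): avc:  denied  { remove_name } for
pid=2771 comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
type=AVC msg=audit(1168546177.901:130): avc:  denied  { unlink } for  pid=2771
comm="vi" name=".elilo.conf.swx" dev=sdb1 ino=3929
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546177.903:131): avc:  denied  { setattr } for  pid=2771
comm="vi" name=".elilo.conf.swp" dev=sdb1 ino=3930
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
type=AVC msg=audit(1168546180.511:132): avc:  denied  { rename } for  pid=2771
comm="vi" name="elilo.conf" dev=sdb1 ino=3927
scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dosfs_t:s0 tclass=file
"""

# The fields an allow rule needs: denied permissions, both contexts, the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def join_records(text):
    """Re-join records wrapped over several lines: a record starts at a line
    beginning with 'type='; later lines without that prefix continue it."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def parse_avc_denials(text):
    """Map (source role, source type, target type, class) -> denied perms.
    Only the type field of a context is used, so user and MLS range differences
    between records do not split a rule."""
    denials = defaultdict(set)
    for rec in join_records(text):
        m = AVC_RE.search(rec) if rec.startswith("type=AVC") else None
        if m is None:
            continue  # SYSCALL and other record types carry no denial
        srole, stype = m.group("scontext").split(":")[1:3]
        ttype = m.group("tcontext").split(":")[2]
        denials[(srole, stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials


def to_allow_rules(denials):
    """One allow rule per (source type, target type, class), perms sorted."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (_role, stype, ttype, tclass), perms in sorted(denials.items())
    ]


def to_module(name, version, denials):
    """Render a loadable-module source (.te) whose require block declares every
    class/permission, type and role the allow rules reference."""
    classes, types, roles = defaultdict(set), set(), set()
    for (role, stype, ttype, tclass), perms in denials.items():
        classes[tclass] |= perms
        types |= {stype, ttype}
        roles.add(role)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"        class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += [f"        type {t};" for t in sorted(types)]
    lines += [f"        role {r};" for r in sorted(roles)]
    lines += ["};", ""] + to_allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_module("bootefi", "1.0", parse_avc_denials(SAMPLE_AUDIT)), end="")
```

Running the script prints a module equivalent to the one in the report. The same parser works on output of `ausearch -m avc` or on `/var/log/audit/audit.log`, where each record is on one line; the re-joining step only matters for pasted, wrapped logs like the one above.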

Comment 1 Daniel Walsh 2007-01-11 21:30:26 UTC
Fixed in selinux-policy-2.4.6-25

Comment 3 RHEL Program Management 2007-05-01 17:36:31 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Eduard Benes 2007-08-23 16:59:37 UTC
A fix for this issue has been included in the packages contained in the beta
(RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1.  Please
verify that your issue is fixed.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to 
ASSIGNED.

Comment 7 Linda Knippers 2007-08-23 20:21:42 UTC
I tried this on the u1 beta and it seems to work fine.



Comment 9 errata-xmlrpc 2007-11-07 16:38:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html


