Bug 222806 - getattr on dm-0 denied, which crashes setroubleshootd
Summary: getattr on dm-0 denied, which crashes setroubleshootd
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-01-16 09:43 UTC by k3dzngrp8w2xtc9
Modified: 2007-11-30 22:11 UTC (History)
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-26 08:32:42 UTC
Type: ---
Embargoed:



Description k3dzngrp8w2xtc9 2007-01-16 09:43:30 UTC
Description of problem:
webalizer with default configuration tries to getattr("/"), which SELinux denies. 

Version-Release number of selected component (if applicable):
webalizer-2.01_10-30.1

Additional info:
avc: denied { getattr } for comm="webalizer" dev=dm-0 name="/" pid=259137
scontext=user_u:system_r:webalizer_t:s0 tclass=filesystem
tcontext=system_u:object_r:fs_t:s0

Comment 1 k3dzngrp8w2xtc9 2007-01-17 10:38:33 UTC
Actually / has the label "system_u:object_r:root_t" and yet the AVC says
"system_u:object_r:fs_t:s0". So this is not a webalizer bug...

Component: webalizer -> filesystem (?)

Comment 2 k3dzngrp8w2xtc9 2007-01-17 10:43:58 UTC
*** Bug 222815 has been marked as a duplicate of this bug. ***

Comment 3 Mark Knoop 2007-01-24 10:37:27 UTC
I'm seeing this with webalizer and also with dovecot:

SELinux is preventing dovecot-auth (dovecot_auth_t) "getattr" to / (fs_t).

type=AVC msg=audit(1169634718.042:8543): avc:  denied  { getattr } for 
pid=23722 comm="dovecot-auth" name="/" dev=dm-2 ino=2
scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=filesystem

Comment 4 k3dzngrp8w2xtc9 2007-01-25 18:21:51 UTC
I tested this more and this only happens to me when the policy package has been
updated since reboot. Doesn't seem to affect anything else, only the rootdir. The
kernel generates the AVC messages and they contain target context info
inconsistent with the file's label, therefore this looks like a kernel bug?

Component: filesystem -> kernel

Things to test:
* Does restarting cron fix it?
* Does reloading the same policy also trigger it?

Comment 5 k3dzngrp8w2xtc9 2007-01-26 22:17:06 UTC
Hmm... I actually got it now after reboot as well, without reloading the policy at
all. And note the tclass=filesystem and not dir.

It is affecting setroubleshootd itself (which quits) so people might not notice
these AVCs.

type=AVC msg=audit(1169636523.985:80): avc:  denied  { getattr } for  pid=6305
comm="uname" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.989:81): avc:  denied  { getattr } for  pid=6304
comm="sh" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

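The point the reporter makes in comment 5 is the object class: these are denials on tclass=filesystem, not dir. In SELinux the filesystem class covers statfs-style queries of a mounted filesystem and is checked against the superblock's label, which is why the tcontext shows fs_t rather than the root_t label of the "/" directory inode. Because setroubleshootd itself was the domain being denied, the records never reached its usual alerting path, so a defender wants a way to pull exactly this pattern out of raw audit output. The following is an added example written for this page, not code from the bug report or from setroubleshootd: a small parser for avc: records and a filter that returns every getattr denial on the filesystem class, grouped by source domain. The sample text is constructed from the two records quoted in comment 5 (each re-joined onto one line) plus one made-up file denial so the filter has something to reject; the httpd_t record, its pid, inode and serial are invented for the sample.

```python
import re
from collections import Counter

# Constructed sample: the two setroubleshootd AVC records quoted in comment 5 of
# the report (each re-joined onto one line), plus one invented httpd_t file
# denial so the filter has a non-matching record to skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1169636523.985:80): avc:  denied  { getattr } for  pid=6305 comm="uname" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.989:81): avc:  denied  { getattr } for  pid=6304 comm="sh" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636600.000:82): avc:  denied  { read } for  pid=7000 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# "avc:  denied  { getattr } for  " -> result and the permission set in braces
_AVC_HEAD = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
)
# msg=audit(<seconds>.<millis>:<serial>)
_AUDIT_ID = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs; values are either "quoted" or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC record into a dict; return None for lines that are not AVC records."""
    head = _AVC_HEAD.search(line)
    if head is None:
        return None
    rec = {"result": head.group("result"), "perms": head.group("perms").split()}
    aid = _AUDIT_ID.search(line)
    if aid:
        rec["timestamp"] = float(aid.group("ts"))
        rec["serial"] = int(aid.group("serial"))
    # Everything after "for " is key=value fields; quoted values lose their quotes.
    for key, value in _KV.findall(line[head.end():]):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field from user:role:type[:level]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def find_fs_getattr_denials(audit_text):
    """Return the denials this report is about: getattr on object class
    'filesystem' (a statfs-style query of the mount, not a stat of the '/'
    directory inode), with the fields an analyst needs to triage them."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec.get("tclass") == "filesystem" and "getattr" in rec["perms"]:
            hits.append({
                "comm": rec.get("comm"),
                "domain": context_type(rec["scontext"]),
                "target_type": context_type(rec["tcontext"]),
                "dev": rec.get("dev"),
                "serial": rec.get("serial"),
            })
    return hits


def domains_affected(audit_text):
    """Count matching denials per source domain; a hit on setroubleshootd_t
    means the alerting daemon itself is being denied and may have exited."""
    return Counter(h["domain"] for h in find_fs_getattr_denials(audit_text))


if __name__ == "__main__":
    for hit in find_fs_getattr_denials(SAMPLE_AUDIT):
        print(hit)
    print(dict(domains_affected(SAMPLE_AUDIT)))
```

Run against real output from `ausearch -m avc` or /var/log/audit/audit.log instead of SAMPLE_AUDIT; a non-empty count under setroubleshootd_t is the signal that the usual alert path is itself broken and the raw log has to be read directly.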

Comment 6 k3dzngrp8w2xtc9 2007-02-26 08:32:42 UTC
Can't reproduce this any more...

