Bug 222806 - getattr on dm-0 denied, which crashes setroubleshootd
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 6
Hardware/OS: All Linux
Priority: medium
Severity: high
Assigned To: Kernel Maintainer List
QA Contact: Brian Brock
Reported: 2007-01-16 04:43 EST by k3dzngrp8w2xtc9
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-26 03:32:42 EST
Attachments: None
Description k3dzngrp8w2xtc9 2007-01-16 04:43:30 EST
Description of problem:
webalizer with default configuration tries to getattr("/"), which SELinux denies. 

Version-Release number of selected component (if applicable):
webalizer-2.01_10-30.1

Additional info:
avc: denied { getattr } for comm="webalizer" dev=dm-0 name="/" pid=259137
scontext=user_u:system_r:webalizer_t:s0 tclass=filesystem
tcontext=system_u:object_r:fs_t:s0
Comment 1 k3dzngrp8w2xtc9 2007-01-17 05:38:33 EST
Actually / has the label "system_u:object_r:root_t" and yet the AVC says
"system_u:object_r:fs_t:s0". So this is not a webalizer bug...

Component: webalizer -> filesystem (?)
Comment 2 k3dzngrp8w2xtc9 2007-01-17 05:43:58 EST
*** Bug 222815 has been marked as a duplicate of this bug. ***
Comment 3 Mark Knoop 2007-01-24 05:37:27 EST
I'm seeing this with webalizer and also with dovecot:

SELinux is preventing dovecot-auth (dovecot_auth_t) "getattr" to / (fs_t).

type=AVC msg=audit(1169634718.042:8543): avc:  denied  { getattr } for 
pid=23722 comm="dovecot-auth" name="/" dev=dm-2 ino=2
scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:fs_t:s0
tclass=filesystem
Comment 4 k3dzngrp8w2xtc9 2007-01-25 13:21:51 EST
I tested this more, and it only happens to me when the policy package has been
updated since reboot. It doesn't seem to affect anything else, only the root dir. The
kernel generates the AVC messages and they contain target context info
inconsistent with the file's label, therefore this looks like a kernel bug?

Component: filesystem -> kernel

Things to test:
* Does restarting cron fix it?
* Does reloading the same policy also trigger it?
Comment 5 k3dzngrp8w2xtc9 2007-01-26 17:17:06 EST
Hmm... I actually got it now after reboot as well, without reloading the policy at
all. And note the tclass=filesystem and not dir.

It is affecting setroubleshootd itself (which quits) so people might not notice
these AVCs.

type=AVC msg=audit(1169636523.985:80): avc:  denied  { getattr } for  pid=6305
comm="uname" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.989:81): avc:  denied  { getattr } for  pid=6304
comm="sh" name="/" dev=dm-0 ino=2
scontext=system_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
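The point the reporter keeps circling is that these denials carry tclass=filesystem, so the target context is the label of the filesystem (superblock) object, fs_t, not the label of the root directory inode, root_t; an `ls -Z /` comparison is therefore the wrong check. The following triage script is an added example written for this page (it is not part of the bug report or of any Fedora tooling): it parses AVC records from the audit log, splits out the source and target types, and flags filesystem-class denials as superblock-level checks. The three records are the ones quoted in this bug, joined back onto single lines; the fourth, dir-class record is constructed here for contrast.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample audit text: the three records quoted in this bug,
# plus one dir-class denial (constructed, not from the bug) for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1169636523.985:80): avc:  denied  { getattr } for  pid=6305 comm="uname" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636523.989:81): avc:  denied  { getattr } for  pid=6304 comm="sh" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169634718.042:8543): avc:  denied  { getattr } for  pid=23722 comm="dovecot-auth" name="/" dev=dm-2 ino=2 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(1169636600.000:82): avc:  denied  { read } for  pid=7000 comm="webalizer" name="/" dev=dm-0 ino=2 scontext=user_u:system_r:webalizer_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Split user:role:type:range so the type is directly comparable.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = str(rec[ctx]).split(":")[2]
    return rec


def target_kind(rec: Dict[str, object]) -> str:
    """Which kernel object the check was made against.

    tclass=filesystem means the permission (e.g. getattr for statfs) was
    checked against the superblock's label, which reference policy assigns
    via fs_use_xattr (fs_t for ext3), not against the inode named in name=.
    """
    return "superblock" if rec.get("tclass") == "filesystem" else "inode"


def explain(rec: Dict[str, object]) -> str:
    """Human-readable triage line for one denial."""
    kind = target_kind(rec)
    note = ""
    if kind == "superblock":
        note = " (filesystem-class check: compare against the mount's label, not ls -Z)"
    return (f'{rec.get("comm")}[{rec.get("pid")}] {rec["scontext_type"]} '
            f'{" ".join(rec["perms"])} on {kind} {rec["tcontext_type"]} '
            f'dev={rec.get("dev")} name={rec.get("name")}{note}')


def triage(audit_text: str) -> List[Dict[str, object]]:
    """Parse every AVC record in the text and annotate it with target_kind."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec["target_kind"] = target_kind(rec)
        out.append(rec)
    return out


def summarize(records: List[Dict[str, object]]) -> Counter:
    """Count denials by (source type, tclass, permission)."""
    counts: Counter = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["scontext_type"], r["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    recs = triage(SAMPLE_AUDIT)
    for r in recs:
        print(explain(r))
    for key, n in summarize(recs).most_common():
        print(n, key)
```

Grouping by (source type, tclass, permission) is what makes the pattern in this bug visible: several unrelated domains (setroubleshootd_t, dovecot_auth_t, webalizer_t) all hit the same filesystem-class getattr against fs_t, which points at a policy or kernel issue rather than at any one daemon.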
Comment 6 k3dzngrp8w2xtc9 2007-02-26 03:32:42 EST
Can't reproduce this any more...
