Bug 222815 - webalizer attempts getattr /
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: webalizer
Version: 6
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Joe Orton
Reported: 2007-01-16 06:58 EST by k3dzngrp8w2xtc9
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-26 04:34:13 EST

Attachments
Output of 'strace -fF ./00webalizer' in /etc/cron.daily as root (279.46 KB, text/plain)
2007-01-29 22:54 EST, k3dzngrp8w2xtc9

Description k3dzngrp8w2xtc9 2007-01-16 06:58:04 EST
Description of problem:
avc: denied { getattr } for comm="pam_console_app" dev=dm-0 name="/" pid=318276
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=filesystem
tcontext=system_u:object_r:fs_t:s0 

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.9.fc6
Comment 1 Tomas Mraz 2007-01-16 07:13:51 EST
What happens if you do 'restorecon /'?

What is printed by ls -Zd / before and after the restorecon?
Comment 2 k3dzngrp8w2xtc9 2007-01-16 07:23:44 EST
# ls -Zd /
drwxr-xr-x  root root system_u:object_r:root_t         /
# restorecon /
# ls -Zd /
drwxr-xr-x  root root system_u:object_r:root_t         /
Comment 3 Tomas Mraz 2007-01-16 07:43:40 EST
Strange that / has correct system_u:object_r:root_t but in the AVC it shows
system_u:object_r:fs_t.

I don't see this problem here.

pam_console_apply must be able to getattr on '/' so that's rather a policy or
labelling issue of some kind.
Comment 4 k3dzngrp8w2xtc9 2007-01-17 05:43:46 EST

*** This bug has been marked as a duplicate of 222806 ***
Comment 5 Tomas Mraz 2007-01-26 15:44:20 EST
The '/' in the AVC is not the real root but a root of the filesystem on dev dm-0.

What is the content of the /etc/fstab and what 'ls -l /dev/mapper' prints?
Comment 6 k3dzngrp8w2xtc9 2007-01-26 17:36:55 EST
$ cat /etc/fstab 
/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
sysfs                   /sys                    sysfs   defaults        0 0
##/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
# MY:
/swap                   swap                    swap    defaults        0 0

$ ls -l /dev/mapper
total 0
crw------- 1 root root  10, 63 Jan 25 15:49 control
brw-rw---- 1 root disk 253,  0 Jan 25 15:50 VolGroup00-LogVol00
brw-rw---- 1 root disk 253,  1 Jan 25 15:49 VolGroup00-LogVol01
Comment 7 k3dzngrp8w2xtc9 2007-01-26 17:47:40 EST
You are right, of course, but the filesystem on dm-0 *is* the one mounted on /
Comment 8 Tomas Mraz 2007-01-29 14:42:00 EST
Ah yes, that's because it is not a label of the root dir on the filesystem but
of the filesystem object itself. So the bug 222806 can actually be closed as
NOTABUG.

I am reopening this one. Can you try to run pam_console_apply manually from a 
root account with and without '-r' option? Do the AVCs appear? If yes, can you
please strace pam_console_apply and attach the log here?
Comment 9 k3dzngrp8w2xtc9 2007-01-29 22:49:00 EST
I have run 'pam_console_apply' and 'pam_console_apply -r' from a root prompt
opened with 'su -'. No AVCs.

I only got the AVC in regard to pam_console_apply 2 times. But from webalizer:
142 times. Webalizer is a daily cronjob, but sometimes there is no AVC for days
(the cronjob does get run)... So I will try running pam_console_apply more...

In the meantime I tried running './00webalizer' in /etc/cron.daily and got the
AVC that is in bug 222806 .

Comment 10 k3dzngrp8w2xtc9 2007-01-29 22:54:09 EST
Created attachment 146883 [details]
Output of 'strace -fF ./00webalizer' in /etc/cron.daily as root
Comment 11 Joe Orton 2007-02-06 10:19:27 EST
What exactly is that strace output supposed to show?  What is webalizer doing wrong?
Comment 12 Tomas Mraz 2007-02-06 10:37:11 EST
Well, this strace doesn't seem to do anything suspicious to me. We would need a
strace from when the AVC happens.
Comment 13 k3dzngrp8w2xtc9 2007-02-06 11:23:03 EST
That straced webalizer produced an avc.

avc: denied { getattr } for comm="webalizer" dev=dm-0 name="/" pid=18041
scontext=user_u:system_r:webalizer_t:s0 tclass=filesystem
tcontext=system_u:object_r:fs_t:s0 

The PID matches.
Comment 14 k3dzngrp8w2xtc9 2007-02-07 22:19:50 EST
Sorry but what syscall does "getattr" correspond to? stat and variants?

I cannot reproduce this with pam_console_apply even after the policy package upgrade
(which seemed to trigger this "issue" with setroubleshootd and webalizer); it
runs without AVCs... I tried by downgrading to an old policy and upgrading again.
Comment 15 k3dzngrp8w2xtc9 2007-02-26 03:40:06 EST
I cannot reproduce this issue any more.
Comment 16 Tomas Mraz 2007-02-26 04:34:13 EST
Perhaps this was resolved with some later policy upgrade.
Comment 17 k3dzngrp8w2xtc9 2007-02-27 03:38:18 EST
And just the following day, I got this again... Now it's tzdata

avc: denied { getattr } for comm="tzdata-update" dev=dm-0 name="/" pid=9902
scontext=system_u:system_r:tzdata_t:s0 tclass=filesystem
tcontext=system_u:object_r:fs_t:s0 
Comment 18 Tomas Mraz 2007-02-27 03:48:53 EST
This really looks like some leaked descriptor. But which process leaks it...
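Comment 14 asks which syscall a "getattr" denial corresponds to, and comment 8 explains why the "/" in these records is the filesystem object on dm-0 (labelled fs_t) rather than the root directory (labelled root_t). The script below is an added example, not part of this bug report or of any Fedora tool: it parses AVC records of the form quoted in this bug, maps the (tclass, permission) pair to the syscall family that normally triggers it (for tclass=filesystem, getattr is the statfs/fstatfs check, not stat), flags superblock getattr denials so they are not mistaken for a mislabelled "/", and counts repeats per process and domain so a recurring denial like the 142 webalizer hits shows up as one row. The three sample records are the ones quoted in the bug, re-joined onto one line each as the kernel prints them; the function names and the SYSCALL_HINTS table are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: the three AVC records quoted in this bug report,
# each joined back onto a single line as the kernel logs them.
SAMPLE_AVCS = [
    'avc: denied { getattr } for comm="pam_console_app" dev=dm-0 name="/" pid=318276 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=filesystem '
    'tcontext=system_u:object_r:fs_t:s0',
    'avc: denied { getattr } for comm="webalizer" dev=dm-0 name="/" pid=18041 '
    'scontext=user_u:system_r:webalizer_t:s0 tclass=filesystem '
    'tcontext=system_u:object_r:fs_t:s0',
    'avc: denied { getattr } for comm="tzdata-update" dev=dm-0 name="/" pid=9902 '
    'scontext=system_u:system_r:tzdata_t:s0 tclass=filesystem '
    'tcontext=system_u:object_r:fs_t:s0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Syscall family that normally produces a given (object class, permission) check.
# "getattr" on the filesystem class is the statfs/fstatfs check on the superblock,
# which is why name="/" in such a record means the mounted filesystem, not the
# root directory inode. (Table is this example's own, not from the report.)
SYSCALL_HINTS = {
    ('filesystem', 'getattr'): 'statfs/fstatfs',
    ('file', 'getattr'): 'stat/fstat/lstat',
    ('dir', 'getattr'): 'stat/fstat/lstat',
    ('lnk_file', 'getattr'): 'lstat',
    ('chr_file', 'getattr'): 'stat/fstat',
    ('blk_file', 'getattr'): 'stat/fstat',
}


def parse_avc(line):
    """Parse one AVC record into a dict; return None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, whole, quoted, bare in KV_RE.findall(m.group('rest')):
        rec[key] = quoted if whole.startswith('"') else bare
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def syscall_hints(rec):
    """Likely syscall family for each denied permission in the record."""
    return [SYSCALL_HINTS.get((rec.get('tclass'), p), 'unknown') for p in rec['perms']]


def is_superblock_getattr(rec):
    """True when the denial is a statfs-style check on the filesystem object,
    i.e. the tcontext is the filesystem label and not the label of name= itself."""
    return rec.get('tclass') == 'filesystem' and 'getattr' in rec['perms']


def summarize(lines):
    """Count denials by (comm, source type, tclass, perms, target type)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec.get('comm'), context_type(rec['scontext']), rec.get('tclass'),
               ' '.join(rec['perms']), context_type(rec['tcontext']))
        counts[key] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_AVCS).items():
        comm, stype, tclass, perms, ttype = key
        rec = next(r for r in map(parse_avc, SAMPLE_AVCS) if r['comm'] == comm)
        note = ' (superblock, not the root dir)' if is_superblock_getattr(rec) else ''
        print(f'{n:4d}  {comm:16s} {stype:16s} {tclass}:{perms} -> {ttype}'
              f'  [{", ".join(syscall_hints(rec))}]{note}')
```

Feeding the script a real audit log instead of SAMPLE_AVCS turns it into a quick triage pass: a row whose tclass is filesystem and whose target type is the filesystem label (fs_t here) points at a statfs-family call, often on an inherited descriptor, and is not fixed by relabelling the directory, which is exactly why restorecon / changed nothing in comment 2.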
