Bug 229543 - LSPP: odd avc message
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
5.0
All Linux
Priority: medium / Severity: medium
Assigned To: Eric Paris
Brian Brock
Depends On:
Blocks: RHEL5LSPPCertTracker
Reported: 2007-02-21 14:34 EST by Kylene J Hall
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-05 17:39:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Kylene J Hall 2007-02-21 14:34:50 EST
Description of problem:
Kernel problem specifically with SELinux.

When attempting to write garbage (i.e. "invalid context") to
/proc/self/attr/current or /proc/self/attr/exec I get an AVC message that says
granted {setcurrent} or granted {setexec} even though the write fails as expected.

If I had to guess I'd say the SELinux check is probably passing, thus the AVC
granted; however, an admin looking for who changed their process context would
probably want to know the operation ultimately failed, no?

Version-Release number of selected component (if applicable):
kernel-2.6.18-8.el5.lspp.65
selinux-policy-mls-2.4.6-37.el5

How reproducible:
Always

Steps to Reproduce:
1. echo "invalid context" > /proc/self/attr/current
2. tail /var/log/audit/audit.log
  
Actual results:
type=AVC msg=audit(1172085945.393:64052): avc:  granted  { setcurrent } for  pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process

Expected results:
Thought it would be an avc:  denied  { setcurrent } message.

Additional info:
Comment 1 Stephen Smalley 2007-02-22 07:52:45 EST
Not a bug.  SELinux avc messages are only about the permission check itself, not
the full operation (syscall audit records are for the latter), and only show you
whether the permission was granted by policy or denied by policy.  setcurrent is
just a check to see whether the task is allowed to change its current context at
all, not a check against the new context (the latter is covered by the later
dyntransition check, but we never reach that since the context wasn't valid at all).
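The distinction drawn in the comment above (an AVC "granted" record reports only the policy decision, the SYSCALL record for the same event reports the outcome) is what an admin reviewing this log needs to act on. The following script is an added illustration, not part of the bug report or of any Red Hat tooling: it groups audit records by the serial inside `msg=audit(<time>:<serial>)` and flags events where policy granted a permission but the syscall still failed. The AVC line is the one quoted in the report; the SYSCALL line is constructed for the example (syscall 1 is write on x86_64, exit=-22 is -EINVAL, and the uid/auid/exe/ppid values are placeholders), since the report shows only the AVC record.

```python
import re
from collections import defaultdict

# Constructed sample log. The AVC line is the one quoted in the bug report (joined
# onto a single line); the SYSCALL line is invented for this example: syscall 1 is
# write(2) on x86_64, exit=-22 is -EINVAL, and ppid/auid/uid/exe are placeholders.
SAMPLE_LOG = """\
type=AVC msg=audit(1172085945.393:64052): avc:  granted  { setcurrent } for  pid=21353 comm="bash" scontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tcontext=abat_u:abat_r:abat_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1172085945.393:64052): arch=c000003e syscall=1 success=no exit=-22 a0=1 a1=2aaaaaaab000 a2=10 a3=0 items=0 ppid=21300 pid=21353 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="bash" exe="/bin/bash" subj=abat_u:abat_r:abat_t:s0-s15:c0.c1023 key=(null)
"""

# msg=audit(<seconds>.<millis>:<serial>) ties every record of one kernel event together.
MSG_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
AVC_RE = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit records by serial: {serial: {"avc": [...], "syscall": {...}}}."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue  # not an audit record header (e.g. a wrapped continuation); skip
        rec = by_serial[int(m["serial"])]
        rec["timestamp"] = float(m["ts"])
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            if a is None:
                continue
            rec.setdefault("avc", []).append({
                "decision": a["decision"],           # policy decision only
                "perms": a["perms"].split(),         # e.g. ["setcurrent"]
                "tclass": fields.get("tclass"),
                "scontext": fields.get("scontext"),
                "tcontext": fields.get("tcontext"),
            })
        elif m["type"] == "SYSCALL":
            rec["syscall"] = {                       # outcome of the whole operation
                "syscall": fields.get("syscall"),
                "success": fields.get("success"),
                "exit": int(fields["exit"]) if "exit" in fields else None,
                "comm": fields.get("comm"),
            }
    return dict(by_serial)


def granted_but_failed(by_serial):
    """Events where policy granted the permission but the syscall still failed.

    Returns [(serial, perms, exit_code)] sorted by serial. A "granted" AVC on its
    own says nothing about the outcome; only the SYSCALL record does.
    """
    hits = []
    for serial, rec in sorted(by_serial.items()):
        sc = rec.get("syscall")
        if sc is None or sc["success"] != "no":
            continue
        for avc in rec.get("avc", []):
            if avc["decision"] == "granted":
                hits.append((serial, avc["perms"], sc["exit"]))
    return hits


if __name__ == "__main__":
    for serial, perms, code in granted_but_failed(parse_records(SAMPLE_LOG)):
        print(f"audit serial {serial}: granted {{ {' '.join(perms)} }} but syscall failed, exit={code}")
```

On a live system the same correlation is what `ausearch -a <serial>` gives you interactively: all records sharing one event id, including the SYSCALL record with `success=` and `exit=`. A record set that contains a `granted` AVC but no SYSCALL record means syscall auditing was not enabled for that event, so the outcome genuinely is unknown from the log.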
Comment 2 Issue Tracker 2007-02-22 16:35:51 EST
----- Additional Comments From krisw@us.ibm.com  2007-02-22 15:25 EDT -------
The interface shouldn't report success for invalid operations.  I don't think
this should be closed but perhaps deferred for a future fix.

Internal Status set to 'Waiting on Support'
Status set to: Waiting on Tech

This event sent from IssueTracker by jwest, issue 114371
Comment 5 Steve Grubb 2007-03-05 17:39:18 EST
We should address this against the new development work and not RHEL5. Will
close the bug.
