Description of problem:
The current MLS policy for aide does not work. The utility fails with AVC denial records in the audit trail.

Version-Release number of selected component (if applicable):
RHEL5 + LSPP packages - the following are the relevant ones:
aide-0.12-8.el5
kernel-2.6.18-8.1.1.lspp.72.el5
selinux-policy-2.4.6-49.el5

How reproducible:
Reproducible by logging in as root/sysadm_r/SystemHigh and running aide.

Steps to Reproduce:
aide must be executed by a SystemHigh subject so that it can read all the system files and write to its database and log. The aide file contexts consist of these entries:

[root/sysadm_r/SystemHigh@hvracer4 ~]# semanage fcontext --list | grep aide
/var/log/aide.log    regular file   system_u:object_r:aide_log_t:s15:c0.c1023
/var/lib/aide(/.*)   all files      system_u:object_r:aide_db_t:s15:c0.c1023
/usr/sbin/aide       regular file   system_u:object_r:aide_exec_t:s15:c0.c1023

/var/log/aide.log and /usr/sbin/aide receive correct labels:

[root/sysadm_r/SystemHigh@hvracer4 ~]# touch /var/log/aide.log
[root/sysadm_r/SystemHigh@hvracer4 ~]# ls -Z /var/log/aide.log
-rw-r--r--  root root root:object_r:var_log_t:SystemHigh /var/log/aide.log
[root/sysadm_r/SystemHigh@hvracer4 ~]# ls -Z /usr/sbin/aide
-rwx------  root root system_u:object_r:aide_exec_t:SystemHigh /usr/sbin/aide

But /var/lib/aide is incorrectly labeled:

[root/sysadm_r/SystemHigh@hvracer4 ~]# ls -dZ /var/lib/aide
drwx------  root root system_u:object_r:var_lib_t:SystemLow /var/lib/aide

restorecon does not help:

[root/sysadm_r/SystemHigh@hvracer4 ~]# restorecon /var/lib/aide
[root/sysadm_r/SystemHigh@hvracer4 ~]# ls -dZ /var/lib/aide
drwx------  root root system_u:object_r:var_lib_t:SystemLow /var/lib/aide

chcon does:

[root/sysadm_r/SystemHigh@hvracer4 ~]# chcon system_u:object_r:aide_db_t:s15:c0.c1023 /var/lib/aide
[root/sysadm_r/SystemHigh@hvracer4 ~]# ls -dZ /var/lib/aide
drwx------  root root system_u:object_r:aide_db_t:SystemHigh /var/lib/aide

When aide runs, it produces lstat() failures:

. . .
lstat() failed for /sbin/rdump:Permission denied
lstat() failed for /sbin/scsi_id:Permission denied
lstat() failed for /sbin/rrestore.static:Permission denied

These are caused by TE denials:

. . .
type=AVC msg=audit(1175519552.714:2134): avc: denied { getattr } for pid=7100 comm="aide" name="rdump" dev=dm-0 ino=196671 scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1175519552.714:2134): arch=14 syscall=196 success=no exit=-13 a0=107976f8 a1=fb99f910 a2=fb99f910 a3=40205bbc items=0 ppid=7051 pid=7100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="aide" exe="/usr/sbin/aide" subj=root:sysadm_r:aide_t:s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1175519552.714:2134): path="/sbin/rdump"
type=AVC msg=audit(1175519552.715:2135): avc: denied { getattr } for pid=7100 comm="aide" name="scsi_id" dev=dm-0 ino=196803 scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1175519552.715:2135): arch=14 syscall=196 success=no exit=-13 a0=10797710 a1=fb99f910 a2=fb99f910 a3=40205bbc items=0 ppid=7051 pid=7100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="aide" exe="/usr/sbin/aide" subj=root:sysadm_r:aide_t:s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1175519552.715:2135): path="/sbin/scsi_id"
type=AVC msg=audit(1175519552.723:2136): avc: denied { getattr } for pid=7100 comm="aide" name="rrestore.static" dev=dm-0 ino=196676 scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1175519552.723:2136): arch=14 syscall=196 success=no exit=-13 a0=107973a0 a1=fb99f910 a2=fb99f910 a3=40205bbc items=0 ppid=7051 pid=7100 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0 comm="aide" exe="/usr/sbin/aide" subj=root:sysadm_r:aide_t:s15:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1175519552.723:2136): path="/sbin/rrestore.static"

Actual results:
aide fails with denials.

Expected results:
aide succeeds.

Additional info:
I generated the attached policy module, which allows aide to succeed. It appears that the existing aide module should cover some of the cases but doesn't. I also thought the domain_getattr_all_domains(aide_t) should allow aide to getattr but had to add explicit allow rules.

Note that /var/lib/aide must be chcon'd by hand. I think that is a precedence issue.
Created attachment 151456
Additional aide policy
Fixed file context for /var/lib/aide.

I am adding:

files_read_all_symlinks(aide_t)
domain_getattr_all_domains(aide_t)
allow aide_t aide_log_t:file write;

Fixed in selinux-policy-2.4.6-50
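As an added illustration (not part of the report, the attachment or the selinux-policy package), the AVC records from the report can be reduced to the type-enforcement rule they imply and checked for a subject/object MLS level gap; the three records are embedded as constructed sample input with the SYSCALL lines dropped.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the report, plus one AVC_PATH line.
AUDIT_LOG = """\
type=AVC msg=audit(1175519552.714:2134): avc: denied { getattr } for pid=7100 comm="aide" name="rdump" dev=dm-0 ino=196671 scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
type=AVC_PATH msg=audit(1175519552.714:2134): path="/sbin/rdump"
type=AVC msg=audit(1175519552.715:2135): avc: denied { getattr } for pid=7100 comm="aide" name="scsi_id" dev=dm-0 ino=196803 scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
type=AVC msg=audit(1175519552.723:2136): avc: denied { getattr } for pid=7100 comm="aide" name="rrestore.static" dev=dm-0 ino=196676 scontext=root:sysadm_r:aide_t:s15:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=lnk_file
"""

# Matches only type=AVC records (not type=AVC_PATH) and pulls out the fields a policy writer needs.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def split_context(ctx):
    """user:role:type[:mls] -> (type, mls range); a missing range means s0."""
    parts = ctx.split(":", 3)
    return parts[2], (parts[3] if len(parts) > 3 else "s0")

def parse_avc(log):
    """Return one dict per AVC denial: permissions, source/target types and MLS levels, class."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype, slevel = split_context(m["scontext"])
        ttype, tlevel = split_context(m["tcontext"])
        denials.append({"perms": set(m["perms"].split()), "stype": stype, "slevel": slevel,
                        "ttype": ttype, "tlevel": tlevel, "tclass": m["tclass"]})
    return denials

def allow_rules(denials):
    """Collapse denials into the minimal TE allow rules they imply (what audit2allow prints)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in grouped.items())

def level_pairs(denials):
    """Distinct (subject level, object level) pairs, to see whether MLS constraints are also involved."""
    return sorted({(d["slevel"], d["tlevel"]) for d in denials})

found = parse_avc(AUDIT_LOG)
print(allow_rules(found), level_pairs(found))  # ['allow aide_t sbin_t:lnk_file { getattr };'] [('s15:c0.c1023', 's0')]
```

The single rule is the per-type form of what the fix grants through files_read_all_symlinks(aide_t); the subject at s15 reads down to s0 objects, which MLS permits, so these denials are type enforcement only, as the report states.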
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html