Bug 237617 - logwatch_t should be allowed to search httpd_sys_content_t
logwatch_t should be allowed to search httpd_sys_content_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-24 03:12 EDT by Tomas Mraz
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 11:39:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Mraz 2007-04-24 03:12:47 EDT
Logwatch reports free spaces of all mounted directories calling df. I have
mounted a filesystem with httpd_sys_content_t context into /var/www/html subdir. 

Here is the raw avc:
avc: denied { search } for comm="df" dev=dm-2 egid=0 euid=0 exe="/bin/df"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="www" pid=4127
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=(none) uid=0 

Note that basically logwatch_t should be allowed to search any contexts which
can be potentially assigned to directories.
Comment 1 Steve Grubb 2007-04-24 13:47:51 EDT
This seems legal. Its just trying to find the mount point so it can do a statfs.
Comment 2 Daniel Walsh 2007-04-25 11:05:00 EDT
The question is it necessary or not.  IE Can we don't audit it or do we need to
allow it.  If we allow it, it would mean that logwatch_t can read all search all
directories on the system, even ones with no log files.  If we can dontaudit it
and everything continues to work it would be much easier to get up stream.
Comment 3 Tomas Mraz 2007-04-25 11:31:48 EDT
But it makes df (which is called in every logwatch) to add permission denied to
the mail generated by logwatch.
Alternative solution (perhaps preferable?) could be to have special exec_t
assigned to df and transition when it is called from logwatch.
Comment 4 RHEL Product and Program Management 2007-05-15 09:43:45 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Daniel Walsh 2007-05-15 10:40:27 EDT
Fixed in selinux-policy-2.4.6-69.el5.src.rpm
Comment 8 Eduard Benes 2007-09-05 10:38:09 EDT
Tomas, could you try the latest policy available at the link below and reply 
whether the new packages solve your problem? Thank you.

http://porkchop.devel.redhat.com/brewroot/packages/selinux-policy/2.4.6/88.el5/
noarch/
Comment 10 errata-xmlrpc 2007-11-07 11:39:17 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html

Note You need to log in before you can comment on or make changes to this bug.