Bug 237617 - logwatch_t should be allowed to search httpd_sys_content_t
Summary: logwatch_t should be allowed to search httpd_sys_content_t
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 5.0
Hardware: All Linux
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-24 07:12 UTC by Tomas Mraz
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 16:39:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC

Description Tomas Mraz 2007-04-24 07:12:47 UTC
Logwatch reports free spaces of all mounted directories calling df. I have
mounted a filesystem with httpd_sys_content_t context into /var/www/html subdir. 

Here is the raw avc:
avc: denied { search } for comm="df" dev=dm-2 egid=0 euid=0 exe="/bin/df"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="www" pid=4127
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:httpd_sys_content_t:s0 tty=(none) uid=0 

Note that basically logwatch_t should be allowed to search any contexts which
can be potentially assigned to directories.

Comment 1 Steve Grubb 2007-04-24 17:47:51 UTC
This seems legal. Its just trying to find the mount point so it can do a statfs.

Comment 2 Daniel Walsh 2007-04-25 15:05:00 UTC
The question is it necessary or not.  IE Can we don't audit it or do we need to
allow it.  If we allow it, it would mean that logwatch_t can read all search all
directories on the system, even ones with no log files.  If we can dontaudit it
and everything continues to work it would be much easier to get up stream.

Comment 3 Tomas Mraz 2007-04-25 15:31:48 UTC
But it makes df (which is called in every logwatch) to add permission denied to
the mail generated by logwatch.
Alternative solution (perhaps preferable?) could be to have special exec_t
assigned to df and transition when it is called from logwatch.

Comment 4 RHEL Product and Program Management 2007-05-15 13:43:45 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 5 Daniel Walsh 2007-05-15 14:40:27 UTC
Fixed in selinux-policy-2.4.6-69.el5.src.rpm

Comment 8 Eduard Benes 2007-09-05 14:38:09 UTC
Tomas, could you try the latest policy available at the link below and reply 
whether the new packages solve your problem? Thank you.


Comment 10 errata-xmlrpc 2007-11-07 16:39:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.