Bug 238347 - SELinux policy blocks DF from running inside Logwatch
SELinux policy blocks DF from running inside Logwatch
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: OtherQA, Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-29 13:57 EDT by Robert Auch
Modified: 2008-05-21 12:05 EDT (History)
3 users (show)

See Also:
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 12:05:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Robert Auch 2007-04-29 13:57:58 EDT
Every time logwatch runs, the following error appears in SELinux-Troubleshoot 
Using targetted (not strict) policy, new build in VMWare Workstation 6 hardware,
fully updated as of 4/27/2007

Summary
    SELinux is preventing /bin/df (logwatch_t) "getattr" to / (unlabeled_t).

Detailed Description
    SELinux denied access requested by /bin/df. It is not expected that this
    access is required by /bin/df and this access may signal an intrusion
    attempt. It is also possible that the specific version or configuration of
    the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:logwatch_t:SystemLow-SystemHigh
Target Context                system_u:object_r:unlabeled_t
Target Objects                / [ filesystem ]
Affected RPM Packages         coreutils-5.97-12.1.el5
                              [application]filesystem-2.4.0-1 [target]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-8.1.1.el5 #1
                              SMP Mon Feb 26 20:38:02 EST 2007 i686 i686
Alert Count                   5
Line Numbers                  

Raw Audit Messages            

avc: denied { getattr } for comm="df" dev=vmblock egid=0 euid=0 exe="/bin/df"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=13649
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=filesystem
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-04-30 08:43:24 EDT
What file ssytem is it referring to as unlabeled?  This should not happen.  Do
you have any unusual file systems mounted on this system?
Comment 2 Robert Auch 2007-05-09 11:43:58 EDT
/ filesystem is ext3.  I haven't seen the error since reporting bug 238360 - 
the change of that that's of interest is that I switched from enforcing to 
permissive to relabel a file, then back to enforcing.  Also, because the target 
system is a VM on a laptop, it sometimes is only running for 20-30 minutes a 
day.

There is an unusual mountpoint /mnt/hgfs for VMWare workstation 6 to allow my 
VM to ready my host's $HOME, but that's failing to mount, as noted in bug 
238360.
Comment 3 Daniel Walsh 2007-05-17 12:12:07 EDT
Could you update to the u1 preview policy and see if this is fixed.

http://people.redhat.com/dwalsh/SELinux/RHEl5/u1

Comment 5 RHEL Product and Program Management 2007-05-18 12:24:21 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 Eduard Benes 2007-08-21 09:49:04 EDT
Robert, could you try the new policy available at the link below and reply 
whether the new packages solve your problem. 

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 9 Eduard Benes 2007-09-24 09:09:09 EDT
Robert, could you please try the new policy available at the link below and 
reply whether the new packages solve your problem? Thank you.

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 11 errata-xmlrpc 2007-11-07 11:39:28 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
Comment 12 Karl Latiss 2007-11-30 19:26:06 EST
I am still seeing this error with selinux-policy-targeted-2.4.6-106.el5_1.3.noarch

SummarySELinux is preventing /bin/df (logwatch_t) "getattr" to /
(unlabeled_t).Detailed DescriptionSELinux denied access requested by /bin/df. It
is not expected that this access is required by /bin/df and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.Allowing AccessYou can generate a local policy module to allow this
access - see FAQ Or you can disable SELinux protection altogether. Disabling
SELinux protection is not recommended. Please file a bug report against this
package.Additional InformationSource
Context:  system_u:system_r:logwatch_t:SystemLow-SystemHighTarget
Context:  system_u:object_r:unlabeled_tTarget Objects:  / [ filesystem ]Affected
RPM Packages:  coreutils-5.97-12.1.el5 [application]filesystem-2.4.0-1
[target]Policy RPM:  selinux-policy-2.4.6-106.el5_1.3Selinux
Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing
Mode:  EnforcingPlugin Name:  plugins.catchallHost
Name:  hp-nx9420.wdgPlatform:  Linux hp-nx9420.wdg 2.6.18-53.1.4.el5 #1 SMP Wed
Nov 14 10:37:27 EST 2007 x86_64 x86_64Alert Count:  1Line Numbers:   Raw Audit
Messages :avc: denied { getattr } for comm="df" dev=vmblock egid=0 euid=0
exe="/bin/df" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=4988
scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 suid=0 tclass=filesystem
tcontext=system_u:object_r:unlabeled_t:s0 tty=(none) uid=0 
Comment 13 Daniel Walsh 2007-12-01 08:43:40 EST
Ok I defined this filesystem in selinux

selinux-policy-2.4.6-107.el5.src.rpm
Comment 15 Eduard Benes 2008-01-09 13:38:34 EST
Karl, could you please try the new policy available at the link below and 
reply whether the new packages solve the problem? Thank you.

The fix should be present in selinux-policy-2.4.6-107 available here:

  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 16 Karl Latiss 2008-01-09 16:43:39 EST
I've installed the new policy and will monitor for any alerts.

Note that I haven't seen an alert sine 01/01/2008 (with the old policy)
Comment 18 errata-xmlrpc 2008-05-21 12:05:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html

Note You need to log in before you can comment on or make changes to this bug.