Bug 242770 – logrotate AVC Denial

Bug 242770 - logrotate AVC Denial

Summary:	logrotate AVC Denial

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-06-05 14:37 EDT by Eric Moret
Modified:	2007-11-30 17:12 EST (History)
CC List:	1 user (show)

See Also:
Fixed In Version:	selinux-policy-2.6.4-14
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2007-07-19 18:35:35 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Eric Moret 2007-06-05 14:37:17 EDT

Description of problem:
AVC Denial

Version-Release number of selected component (if applicable):
$ rpm -qf /usr/bin/updatedb 
mlocate-0.16-1


How reproducible:
Always

Steps to Reproduce:
1. Configure Fedora7 with nis and automount
2. wait until the daily crontab runs mlocate.cron

Actual results:
setroubleshoot browser pops up with an AVC denial, see below:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "write" to socket
(nscd_var_run_t).

Detailed Description
SELinux denied access requested by /usr/bin/updatedb. It is not expected that
this access is required by /usr/bin/updatedb and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for socket, restorecon -v socket If this does
not work, there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:locate_t
Target Context:  system_u:object_r:nscd_var_run_t
Target Objects:  socket [ sock_file ]
Affected RPM Packages:  mlocate-0.16-1 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  renault-5.secteam.juniper.net
Platform:  Linux renault-5.secteam.juniper.net 2.6.21-1.3194.fc7 #1 SMP Wed May
23 22:35:01 EDT 2007 i686 i686
Alert Count:  2
First Seen:  Fri 01 Jun 2007 06:56:37 PM PDT
Last Seen:  Fri 01 Jun 2007 06:56:37 PM PDT
Local ID:  1dc7b2d5-f5ac-4d1f-9eb5-d576e820435a
Line Numbers:  

Raw Audit Messages :
avc: denied { write } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="socket"
pid=30631 scontext=system_u:system_r:locate_t:s0 sgid=0
subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file
tcontext=system_u:object_r:nscd_var_run_t:s0 tty=(none) uid=0 

Expected results:
No denial

Comment 1 Miloslav Trmač 2007-06-06 10:04:35 EDT

Thanks for your report.

This happens because updatedb looks up the GID of the [ms]locate group.

Comment 2 Daniel Walsh 2007-06-06 11:28:17 EDT

Fixed in selinux-policy-2.6.4-14

Note You need to log in before you can comment on or make changes to this bug.