Bug 242770 - logrotate AVC Denial
Summary: logrotate AVC Denial
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 7
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-06-05 18:37 UTC by Eric Moret
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version: selinux-policy-2.6.4-14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-07-19 22:35:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Eric Moret 2007-06-05 18:37:17 UTC 
Description of problem:
AVC Denial

Version-Release number of selected component (if applicable):
$ rpm -qf /usr/bin/updatedb 
mlocate-0.16-1


How reproducible:
Always

Steps to Reproduce:
1. Configure Fedora7 with nis and automount
2. wait until the daily crontab runs mlocate.cron

Actual results:
setroubleshoot browser pops up with an AVC denial, see below:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "write" to socket
(nscd_var_run_t).

Detailed Description
SELinux denied access requested by /usr/bin/updatedb. It is not expected that
this access is required by /usr/bin/updatedb and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for socket, restorecon -v socket If this does
not work, there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:locate_t
Target Context:  system_u:object_r:nscd_var_run_t
Target Objects:  socket [ sock_file ]
Affected RPM Packages:  mlocate-0.16-1 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  renault-5.secteam.juniper.net
Platform:  Linux renault-5.secteam.juniper.net 2.6.21-1.3194.fc7 #1 SMP Wed May
23 22:35:01 EDT 2007 i686 i686
Alert Count:  2
First Seen:  Fri 01 Jun 2007 06:56:37 PM PDT
Last Seen:  Fri 01 Jun 2007 06:56:37 PM PDT
Local ID:  1dc7b2d5-f5ac-4d1f-9eb5-d576e820435a
Line Numbers:  

Raw Audit Messages :
avc: denied { write } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="socket"
pid=30631 scontext=system_u:system_r:locate_t:s0 sgid=0
subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file
tcontext=system_u:object_r:nscd_var_run_t:s0 tty=(none) uid=0 

Expected results:
No denial
Comment 1 Miloslav Trmač 2007-06-06 14:04:35 UTC 
Thanks for your report.

This happens because updatedb looks up the GID of the [ms]locate group.
Comment 2 Daniel Walsh 2007-06-06 15:28:17 UTC 
Fixed in selinux-policy-2.6.4-14
Note You need to log in before you can comment on or make changes to this bug.