242770 – logrotate AVC Denial

Bug 242770 - logrotate AVC Denial

Summary: logrotate AVC Denial

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	7
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-06-05 18:37 UTC by Eric Moret
Modified:	2007-11-30 22:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:	selinux-policy-2.6.4-14
Clone Of:
Environment:
Last Closed:	2007-07-19 22:35:35 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Eric Moret 2007-06-05 18:37:17 UTC

Description of problem:
AVC Denial

Version-Release number of selected component (if applicable):
$ rpm -qf /usr/bin/updatedb 
mlocate-0.16-1


How reproducible:
Always

Steps to Reproduce:
1. Configure Fedora7 with nis and automount
2. wait until the daily crontab runs mlocate.cron

Actual results:
setroubleshoot browser pops up with an AVC denial, see below:

Summary
SELinux is preventing /usr/bin/updatedb (locate_t) "write" to socket
(nscd_var_run_t).

Detailed Description
SELinux denied access requested by /usr/bin/updatedb. It is not expected that
this access is required by /usr/bin/updatedb and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for socket, restorecon -v socket If this does
not work, there is currently no automatic way to allow this access. Instead, you
can generate a local policy module to allow this access - see FAQ Or you can
disable SELinux protection altogether. Disabling SELinux protection is not
recommended. Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:locate_t
Target Context:  system_u:object_r:nscd_var_run_t
Target Objects:  socket [ sock_file ]
Affected RPM Packages:  mlocate-0.16-1 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  renault-5.secteam.juniper.net
Platform:  Linux renault-5.secteam.juniper.net 2.6.21-1.3194.fc7 #1 SMP Wed May
23 22:35:01 EDT 2007 i686 i686
Alert Count:  2
First Seen:  Fri 01 Jun 2007 06:56:37 PM PDT
Last Seen:  Fri 01 Jun 2007 06:56:37 PM PDT
Local ID:  1dc7b2d5-f5ac-4d1f-9eb5-d576e820435a
Line Numbers:  

Raw Audit Messages :
avc: denied { write } for comm="updatedb" dev=dm-0 egid=0 euid=0
exe="/usr/bin/updatedb" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="socket"
pid=30631 scontext=system_u:system_r:locate_t:s0 sgid=0
subj=system_u:system_r:locate_t:s0 suid=0 tclass=sock_file
tcontext=system_u:object_r:nscd_var_run_t:s0 tty=(none) uid=0 

Expected results:
No denial

Comment 1 Miloslav Trmač 2007-06-06 14:04:35 UTC

Thanks for your report.

This happens because updatedb looks up the GID of the [ms]locate group.

Comment 2 Daniel Walsh 2007-06-06 15:28:17 UTC

Fixed in selinux-policy-2.6.4-14

Note You need to log in before you can comment on or make changes to this bug.