Bug 244974 - In "cvs login" - AVC denied access
In "cvs login" - AVC denied access
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: cvs (Show other bugs)
7
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Jiri Moskovcak
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-20 07:18 EDT by BONZANINI Paolo
Modified: 2015-02-01 17:47 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-16 21:39:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVC Log (18.73 KB, application/pdf)
2007-06-30 06:59 EDT, BONZANINI Paolo
no flags Details

  None (edit)
Description BONZANINI Paolo 2007-06-20 07:18:09 EDT
Description of problem:
After make command (in root): "cvs -d /var/cvs init" and make command "cvs
:pserver:BETA:/var/cvs login" - after enter password, AVC signals:

Summary
    SELinux is preventing /usr/bin/cvs (cvs_t) "create" to <Unknown> (cvs_t).

Detailed Description
    SELinux denied access requested by /usr/bin/cvs. It is not expected that
    this access is required by /usr/bin/cvs and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:cvs_t
Target Context                system_u:system_r:cvs_t
Target Objects                None [ netlink_audit_socket ]
Affected RPM Packages         cvs-1.11.22-9.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-14.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     BETA
Platform                      Linux BETA 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
                              15:37:31 EDT 2007 i686 athlon
Alert Count                   15
First Seen                    mer 20 giu 2007 09:17:59 CEST
Last Seen                     mer 20 giu 2007 13:02:26 CEST
Local ID                      b349d124-2ad0-412f-a0d6-2b6a9a5c11a7
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="cvs" egid=0 euid=0 exe="/usr/bin/cvs" exit=-13
fsgid=0 fsuid=0 gid=0 items=0 pid=2701 scontext=system_u:system_r:cvs_t:s0
sgid=0 subj=system_u:system_r:cvs_t:s0 suid=0 tclass=netlink_audit_socket
tcontext=system_u:system_r:cvs_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. cvs -d /var/cvs init
2. cvs :pserver:BETA:/var/cvs login
3. enter the password
  
Actual results:
not login in cvs

Expected results:
login in cvs

Additional info:
Comment 1 Jindrich Novy 2007-06-20 07:23:47 EDT
Dan, is there a need to fix anything on the cvs side?
Comment 2 Daniel Walsh 2007-06-20 07:34:46 EDT
Fixed in selinux-policy-2.6.4-20.fc7
Comment 3 BONZANINI Paolo 2007-06-23 06:56:15 EDT
"selinux-policy-2.6.4-20.fc7" isn't in distribution, I see only
selinux-policy-2.6.4-14.fc7.rpm. Must I wait this distribution on mirror servers?
Thanks.
Comment 4 Daniel Walsh 2007-06-25 06:50:23 EDT
"21" is in fedora-testing and should be pushed to stable today 
Comment 5 BONZANINI Paolo 2007-06-30 06:59:43 EDT
Created attachment 158290 [details]
AVC Log
Comment 6 BONZANINI Paolo 2007-06-30 07:02:29 EDT
Comment on attachment 158290 [details]
AVC Log

Same with selinux-policy-2.6.4-21.fc7...
Comment 7 Daniel Walsh 2007-07-01 21:36:49 EDT
Fixed in selinux-policy-2.6.4-24.fc7
Comment 8 BONZANINI Paolo 2007-07-07 21:14:12 EDT
Same problem with selinux-policy-2.6.4-25.fc7

Summary
    SELinux is preventing /usr/bin/cvs (cvs_t) "create" to <Unknown> (cvs_t).

Detailed Description
    SELinux denied access requested by /usr/bin/cvs. It is not expected that
    this access is required by /usr/bin/cvs and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:cvs_t
Target Context                system_u:system_r:cvs_t
Target Objects                None [ netlink_audit_socket ]
Affected RPM Packages         cvs-1.11.22-9.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-25.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     BETA
Platform                      Linux BETA 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12
                              15:37:31 EDT 2007 i686 athlon
Alert Count                   6
First Seen                    dom 08 lug 2007 00:19:12 CEST
Last Seen                     dom 08 lug 2007 03:04:08 CEST
Local ID                      abaa56cc-9514-46ab-96d5-e2467332346c
Line Numbers                  

Raw Audit Messages            

avc: denied { create } for comm="cvs" egid=0 euid=0 exe="/usr/bin/cvs" exit=-13
fsgid=0 fsuid=0 gid=0 items=0 pid=6434 scontext=system_u:system_r:cvs_t:s0
sgid=0 subj=system_u:system_r:cvs_t:s0 suid=0 tclass=netlink_audit_socket
tcontext=system_u:system_r:cvs_t:s0 tty=(none) uid=0

This problem will fixed with selinux-policy-2.6.4.26.fc7 (like "unfixed???" in
selinux-policy-2.6.4-20.fc7 or selinux-policy-2.6.4-24.fc7) ?

Comment 9 Daniel Walsh 2007-07-11 13:43:44 EDT
Should be fixed in 26
Comment 10 Bug Zapper 2008-05-14 09:12:31 EDT
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Bug Zapper 2008-06-16 21:39:34 EDT
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.