Bug 249754 - File watches using audit fail on files located in user home dirs
Summary: File watches using audit fail on files located in user home dirs
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2007-07-26 20:10 UTC by Justin Nemmers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-11-07 16:40:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC

Description Justin Nemmers 2007-07-26 20:10:35 UTC
root is able to create a watch on the parent dir without issue:
[root@ThinClientTest ~]# ls -Zd /home/joesmith
drwx------  joesmith joesmith user_u:object_r:user_home_dir_t  /home/joesmith
[root@ThinClientTest ~]# auditctl -w /home/joesmith
(returns with no errors)

Expected results:
Watch rule is successfully added. Disabling SELinux and re-running the auditctl -w /home/joesmith/file
command produces the desired result.

Comment 2 Steve Grubb 2007-07-26 20:18:44 UTC
More info about the bug:

As jnemmers, I create a file in /home/jnemmers:
[jnemmers@ThinClientTest ~]$ date > file; ls -Z file
-rw-rw-r--  jnemmers jnemmers user_u:object_r:user_home_t      file

Then, I verify that I can read said file as root:
[root@ThinClientTest ~]# cat /home/jnemmers/file
Thu Jul 26 14:35:01 EDT 2007

But it seems that when I attempt to create an audit watch on that file, I get AVC denials:
[root@ThinClientTest ~]# auditctl -w /home/jnemmers/file
Error sending add rule data request (Permission denied)

and from the Audit log:
type=AVC msg=audit(1185475033.137:1228): avc:  denied   
{ dac_override } for  pid=27209 comm="auditctl" capability=1  
tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1185475033.137:1228): avc:  denied   
{ dac_read_search } for  pid=27209 comm="auditctl" capability=2  
tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability
type=CONFIG_CHANGE msg=audit(1185475033.137:1229): auid=0  
subj=root:system_r:auditctl_t:s0-s0:c0.c1023 op=add rule key=(null)  
list=4 res=0
type=SYSCALL msg=audit(1185475033.137:1228): arch=40000003  
syscall=102 success=yes exit=1076 a0=b a1=bfc7bc90 a2=805d4c4  
a3=97a6008 items=0 ppid=26853 pid=27209 auid=0 uid=0 gid=0 euid=0  
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="auditctl" exe="/ 
sbin/auditctl" subj=root:system_r:auditctl_t:s0-s0:c0.c1023 key=(null)

Comment 3 Daniel Walsh 2007-07-27 09:47:59 UTC
Fixed in selinux-policy-2.4.6-81

Comment 9 Eduard Benes 2007-08-28 14:40:55 UTC
With the current policy (84), I'm still getting AVC denials when setting
watches on a file in a user home dir. This seems to be present only with audit-
1.5.5-7 (no AVC with 1.3.1-1):

.qa.[root@pipa03 ~]# auditctl -W /home/foo/file
.qa.[root@pipa03 ~]# date
Tue Aug 28 13:12:14 CEST 2007
.qa.[root@pipa03 ~]# auditctl -w /home/foo/file
.qa.[root@pipa03 ~]#  ausearch --start 13:12:15 -sv no -c auditctl
time->Tue Aug 28 13:12:33 2007
type=SYSCALL msg=audit(1188299553.731:268): arch=40000003 syscall=195 
success=no exit=-13 a0=bf907b71 a1=bf906140 a2=368ff4 a3=3 items=0 ppid=3399 
90 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 
comm="auditctl" exe="/sbin/auditctl" subj=root:system_r:auditctl_t:s0-s0:c0.c1
023 key=(null)
type=AVC msg=audit(1188299553.731:268): avc:  denied  { getattr } for  pid=3890 
comm="auditctl" path="/home/foo/file" dev=sda2 ino=29392920 scontext=root
:system_r:auditctl_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 
.qa.[root@pipa03 ~]# cat /home/foo/file
Tue Aug 28 12:46:12 CEST 2007
.qa.[root@pipa03 ~]# ausearch --start  13:12:14 -m PATH -f "/home/foo/file"
time->Tue Aug 28 13:14:49 2007
type=PATH msg=audit(1188299689.104:270): item=0 name="/home/foo/file" 
inode=29392920 dev=08:02 mode=0100664 ouid=501 ogid=501 rdev=00:00 
type=CWD msg=audit(1188299689.104:270):  cwd="/root"
type=SYSCALL msg=audit(1188299689.104:270): arch=40000003 syscall=5 success=yes 
exit=3 a0=bfe81b7d a1=8000 a2=0 a3=8000 items=1 ppid=3399 pid=3898 auid=0
 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="cat" 
exe="/bin/cat" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
.qa.[root@pipa03 ~]#  sestatus && rpm -qa | grep selinux-policy
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

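The denials quoted in Comments 2 and 9 are the raw material a policy maintainer works from: the subject domain (auditctl_t), the object type (user_home_t or the process's own capability set), the object class and the denied permission decide whether the fix is a policy change or something else. The parser below is an added example written for this page, not code from the audit or selinux-policy projects. It takes the AVC records from this report, rejoined onto single lines, and reduces them to that (comm, source type, class, target type, permission) summary. Two report-specific gaps are handled rather than guessed at: the capability records here carry no scontext field, and the getattr record carries no tclass. For capability checks SELinux reports the subject's own context as the target, so the code falls back to tcontext in that one case and otherwise marks missing fields with "?".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# AVC records taken from Comments 2 and 9 of this bug, each rejoined onto one line.
# The capability records have no scontext field (only tcontext survived in the
# report) and the getattr record has no tclass; both are left exactly as reported.
# The CONFIG_CHANGE line is included to show that non-AVC records are skipped.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1185475033.137:1228): avc:  denied  { dac_override } for  '
    'pid=27209 comm="auditctl" capability=1 '
    'tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1185475033.137:1228): avc:  denied  { dac_read_search } for  '
    'pid=27209 comm="auditctl" capability=2 '
    'tcontext=root:system_r:auditctl_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1188299553.731:268): avc:  denied  { getattr } for  '
    'pid=3890 comm="auditctl" path="/home/foo/file" dev=sda2 ino=29392920 '
    'scontext=root:system_r:auditctl_t:s0-s0:c0.c1023 '
    'tcontext=user_u:object_r:user_home_t:s0',
    'type=CONFIG_CHANGE msg=audit(1185475033.137:1229): auid=0 op=add rule '
    'key=(null) list=4 res=0',
]

# Fixed prefix of an AVC record: timestamp, serial, decision and the permission set.
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be double-quoted (comm, path, exe).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    decision: str
    permissions: Tuple[str, ...]
    fields: Dict[str, str] = field(default_factory=dict)

    def _type_of(self, key: str) -> Optional[str]:
        # A context is user:role:type[:range]; the type is the third component.
        ctx = self.fields.get(key)
        if ctx is None:
            return None
        parts = ctx.split(":")
        return parts[2] if len(parts) >= 3 else None

    @property
    def source_type(self) -> Optional[str]:
        return self._type_of("scontext")

    @property
    def target_type(self) -> Optional[str]:
        return self._type_of("tcontext")


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=tuple(m.group("perms").split()),
        fields=fields,
    )


def summarize_denials(lines: Iterable[str]) -> Dict[Tuple[str, ...], int]:
    """Count denials by (comm, source type, tclass, target type, permission).

    This is the grouping a reviewer does by hand (or reads off audit2allow) before
    deciding whether a denial is a policy gap.  Fields absent from the record are
    reported as "?" instead of being invented.
    """
    counts: Dict[Tuple[str, ...], int] = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != "denied":
            continue
        src = rec.source_type
        # Capability checks are made against the subject's own context, so when the
        # scontext field is missing, tcontext identifies the same domain.
        if src is None and rec.fields.get("tclass") == "capability":
            src = rec.target_type
        for perm in rec.permissions:
            key = (rec.fields.get("comm", "?"), src or "?",
                   rec.fields.get("tclass", "?"), rec.target_type or "?", perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AVC_LINES).items()):
        print(n, *key)
```

Run against the sample, the summary shows three distinct denials, all from auditctl_t: two capability checks (dac_override, dac_read_search) and one getattr on user_home_t, which is exactly the split between Comment 2 (policy 81 fix) and Comment 9 (policy 85 fix).
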
Comment 10 Daniel Walsh 2007-08-28 17:46:10 UTC
Fixed in selinux-policy-2.4.6-85

Comment 14 errata-xmlrpc 2007-11-07 16:40:56 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

