Bug 334401 - SELinux policyII
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-16 10:34 EDT by Zdenek Kabelac
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-10-23 12:01:13 EDT
Description Zdenek Kabelac 2007-10-16 10:34:30 EDT
Description of problem:


Another part of my setroubleshoot log

SELinux is preventing tmpwatch (tmpreaper_t) "read" to (var_log_t).

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:var_log_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  3
First Seen:  Pá 12. říjen 2007, 10:45:45 CEST
Last Seen:  Út 16. říjen 2007, 11:28:52 CEST
Local ID:  2eddd4bc-5c9b-463b-81f2-341990ecfd43
Line Numbers:
Raw Audit Messages :
avc: denied { read } for comm=tmpwatch dev=sda2 name=kismet pid=16519
scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:var_log_t:s0

----------------------------------------------------
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:var_log_t:s0
Target Objects:  /var/log [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-1 [application] filesystem-2.4.11-1.fc8 [target]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  5
First Seen:  Čt 11. říjen 2007, 20:19:38 CEST
Last Seen:  Út 16. říjen 2007, 11:28:52 CEST
Local ID:  bdc377b3-3f56-427e-91c6-598954a23c68
Line Numbers:
Raw Audit Messages :
avc: denied { getattr } for comm=tmpwatch dev=sda2 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/var/log
pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

-----------------------------------
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "setattr" to (var_log_t).

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:var_log_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-1 [application]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  4
First Seen:  Čt 11. říjen 2007, 20:19:38 CEST
Last Seen:  Út 16. říjen 2007, 11:28:52 CEST
Local ID:  1a80e5cd-ac19-4430-b851-837ee5b21ab0
Line Numbers:
Raw Audit Messages :
avc: denied { setattr } for comm=tmpwatch dev=sda2 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=kismet
pid=16519 scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

----------------------------------------

Summary
SELinux is preventing /usr/sbin/tmpwatch (tmpreaper_t) "search" to (var_log_t).

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:var_log_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  tmpwatch-2.9.11-1 [application]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-5.fc8 #1 SMP Wed Oct 10 19:25:16 EDT 2007 x86_64 x86_64
Alert Count:  3
First Seen:  Pá 12. říjen 2007, 10:45:45 CEST
Last Seen:  Po 15. říjen 2007, 10:42:47 CEST
Local ID:  6e07d6fc-aecb-4d0c-99ed-136ace7e5c6d
Line Numbers:
Raw Audit Messages :
avc: denied { search } for comm=tmpwatch dev=sda2 egid=0 euid=0
exe=/usr/sbin/tmpwatch exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=log pid=20441
scontext=system_u:system_r:tmpreaper_t:s0 sgid=0
subj=system_u:system_r:tmpreaper_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_log_t:s0 tty=(none) uid=0

------------------------------------
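
Added example (not part of the original report and not selinux-policy project code): a small Python parser that aggregates the four AVC denials above, with the uid/gid fields trimmed, into one audit2allow-style rule and lists the objects involved. The function names are illustrative. The resulting rule would apply to every var_log_t directory, while the recorded objects are only /var/log itself and the kismet directory, which is what separates a blanket allow from a dedicated label on that one directory.

```python
import re
from collections import defaultdict

# AVC denials from the report above (wrapping removed, uid/gid fields trimmed).
CTX = ("scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir "
       "tcontext=system_u:object_r:var_log_t:s0")
AVC_LINES = [
    "avc: denied { read } for comm=tmpwatch dev=sda2 name=kismet pid=16519 " + CTX,
    "avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=16519 " + CTX,
    "avc: denied { setattr } for comm=tmpwatch dev=sda2 name=kismet pid=16519 " + CTX,
    "avc: denied { search } for comm=tmpwatch dev=sda2 name=log pid=20441 " + CTX,
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the key=value fields plus a 'perms' list, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Extract the type from a user:role:type:level context."""
    return context.split(":")[2]

def summarize(lines):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (selinux_type(avc["scontext"]), selinux_type(avc["tcontext"]), avc["tclass"])
        rules[key]["perms"].update(avc["perms"])
        obj = avc.get("path") or avc.get("name")  # path is absent on some records
        if obj:
            rules[key]["objects"].add(obj)
    return rules

def allow_rules(rules):
    """Render each group as one allow rule with sorted permissions."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
            for (s, t, c), r in sorted(rules.items())]

if __name__ == "__main__":
    summary = summarize(AVC_LINES)
    for rule, info in zip(allow_rules(summary), summary.values()):
        print(rule, " # objects:", ", ".join(sorted(info["objects"])))
```
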
Comment 1 Daniel Walsh 2007-10-16 23:06:25 EDT
Why is tmpreaper reading /var/log?

Is this normal behavior?
Comment 2 Zdenek Kabelac 2007-10-17 04:12:37 EDT
Hi

With Tomas Mraz we have probably concluded it might eventually be a result of the
package 'kismet' - though I'm not sure as I'm not yet skilled enough in
SELinux - just reporting policy errors I can see.
Comment 3 Daniel Walsh 2007-10-17 14:08:54 EDT
How come this is using tmpwatch and not logwatch to watch log files?
Comment 4 Enrico Scholz 2007-10-17 15:36:50 EDT
[I assume you mean 'logrotate' but not 'logwatch']

kismet creates a new logfile set per session; rotating does not make sense there
because this would rename files only but would not clean them up.
Comment 5 Daniel Walsh 2007-10-18 09:17:50 EDT
In that case why not /var/run/kismet?

We can add a label to the directory that kismet creates the log files in to
allow tmpreaper to remove them.  But I want to make sure that is the right thing
to do.  I would also like to get policy on kismet, period.

Especially since it claims to be a security package and it is potentially
vulnerable to random network packets that it is collecting.
Comment 6 Zdenek Kabelac 2007-10-18 09:49:54 EDT
Hmm, as I can see now in today's log - I got that one again - however now I'm
not sure what I was running at this time :(
But it is possible it is somehow connected with 'yum update'
btw my yum.log-20071015 has the time 10:36
here is the message:

SELinux is preventing tmpwatch (tmpreaper_t) "getattr" to /var/log (var_log_t).

Source Context:  system_u:system_r:tmpreaper_t:s0
Target Context:  system_u:object_r:var_log_t:s0
Target Objects:  /var/log [ dir ]
Affected RPM Packages:  filesystem-2.4.11-1.fc8 [target]
Policy RPM:  selinux-policy-3.0.8-22.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64
Alert Count:  1
First Seen:  Čt 18. říjen 2007, 10:22:18 CEST
Last Seen:  Čt 18. říjen 2007, 10:22:18 CEST
Local ID:  cfae21d2-8501-475a-b24c-a42f28ac70b0
Line Numbers:
Raw Audit Messages :
avc: denied { getattr } for comm=tmpwatch dev=sda2 path=/var/log pid=4260
scontext=system_u:system_r:tmpreaper_t:s0 tclass=dir
tcontext=system_u:object_r:var_log_t:s0

btw I've some more messages for my vmware running with my localhost nfs.
I'll make another report.
Comment 7 Enrico Scholz 2007-10-18 10:39:36 EDT
kismet creates logfiles which might be of interest after a reboot (which
empties /var/run). Hence, /var/log/kismet seems to be a perfect choice for the logs.

There should not be much difference for SELinux: just put the named label to
/var/log/kismet instead of /var/run/kismet.
Comment 8 Daniel Walsh 2007-10-18 16:36:14 EDT
Ok I added kismet policy.  It will need some work.

Please test it out and report back the avc's

selinux-policy-3.0.8-25
