Bug 334461 - SELinux policy III
Summary: SELinux policy III
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-10-16 14:40 UTC by Zdenek Kabelac
Modified: 2008-01-30 19:20 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:20:55 UTC
Type: ---
Embargoed:


Attachments
just compressed my actual log from SELinux if the messages are not as readable as the plain text (17.66 KB, application/x-gzip)
2007-10-16 14:43 UTC, Zdenek Kabelac
audit.log (66.93 KB, application/x-bzip)
2007-10-18 07:56 UTC, Zdenek Kabelac

Description Zdenek Kabelac 2007-10-16 14:40:21 UTC
Description of problem:

SELinux is preventing /usr/sbin/load_policy (load_policy_t) "write" to pipe (rpm_t).

Source Context:  system_u:system_r:load_policy_t:s0
Target Context:  system_u:system_r:rpm_t:s0
Target Objects:  pipe [ fifo_file ]
Affected RPM Packages:  policycoreutils-2.0.29-1.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-20.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.23-5.fc8 #1 SMP Wed Oct 10 19:25:16 EDT 2007 x86_64 x86_64
Alert Count:  7
First Seen:  Fri 12 October 2007, 14:59:02 CEST
Last Seen:  Mon 15 October 2007, 10:05:29 CEST
Local ID:  29ff9786-cc78-42f3-8380-3fc28747a808
Line Numbers:
Raw Audit Messages:
avc: denied { write } for comm=load_policy dev=pipefs egid=0 euid=0 exe=/usr/sbin/load_policy exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=pipe:[42398] pid=7186 scontext=system_u:system_r:load_policy_t:s0 sgid=0 subj=system_u:system_r:load_policy_t:s0 suid=0 tclass=fifo_file tcontext=system_u:system_r:rpm_t:s0 tty=pts1 uid=0

-------------------------------------------

SELinux is preventing /usr/bin/readlink (udev_t) "getattr" to /home (home_root_t).

Source Context:  system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:home_root_t:s0
Target Objects:  /home [ dir ]
Affected RPM Packages:  coreutils-6.9-6.fc8 [application] filesystem-2.4.11-1.fc8 [target]
Policy RPM:  selinux-policy-3.0.8-20.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.21-2949.fc8xen #1 SMP Wed Oct 10 11:45:45 EDT 2007 x86_64 x86_64
Alert Count:  1
First Seen:  Fri 12 October 2007, 15:34:44 CEST
Last Seen:  Fri 12 October 2007, 15:34:44 CEST
Local ID:  f3cdf5e0-a555-4d5f-9755-76685094fdec
Line Numbers:
Raw Audit Messages:
avc: denied { getattr } for comm=readlink dev=sda7 egid=0 euid=0 exe=/usr/bin/readlink exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=/ path=/home pid=3822 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 

---------------------------------------------------

SELinux is preventing /usr/bin/readlink (udev_t) "search" to (home_root_t).

Source Context:  system_u:system_r:udev_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:home_root_t:s0
Target Objects:  None [ dir ]
Affected RPM Packages:  coreutils-6.9-6.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-20.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.21-2949.fc8xen #1 SMP Wed Oct 10 11:45:45 EDT 2007 x86_64 x86_64
Alert Count:  1
First Seen:  Fri 12 October 2007, 15:34:44 CEST
Last Seen:  Fri 12 October 2007, 15:34:44 CEST
Local ID:  daa032c0-8486-4760-906c-21a3405cd910
Line Numbers:
Raw Audit Messages:
avc: denied { search } for comm=readlink dev=sda7 egid=0 euid=0 exe=/usr/bin/readlink exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=/ pid=3822 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0

-------------------------------------------------

SELinux is preventing /usr/sbin/brctl (brctl_t) "use" to /sys/kernel/hotplug (kernel_t).

Source Context:  system_u:system_r:brctl_t:s0-s0:c0.c1023
Target Context:  system_u:system_r:kernel_t:s0
Target Objects:  /sys/kernel/hotplug [ fd ]
Affected RPM Packages:  bridge-utils-1.2-2.fc8 [application]
Policy RPM:  selinux-policy-3.0.8-20.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  dhcp-lab-228.englab.brq.redhat.com
Platform:  Linux dhcp-lab-228.englab.brq.redhat.com 2.6.21-2949.fc8xen #1 SMP Wed Oct 10 11:45:45 EDT 2007 x86_64 x86_64
Alert Count:  1
First Seen:  Fri 12 October 2007, 15:18:07 CEST
Last Seen:  Fri 12 October 2007, 15:18:07 CEST
Local ID:  ba7cdbb9-6eed-4f95-9e89-68f10be03163
Line Numbers:
Raw Audit Messages:
avc: denied { use } for comm=brctl dev=proc egid=0 euid=0 exe=/usr/sbin/brctl exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=hotplug path=/sys/kernel/hotplug pid=3442 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:brctl_t:s0-s0:c0.c1023 suid=0 tclass=fd tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
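The four alerts above are setroubleshoot renderings of raw "avc: denied" records; what a policy maintainer actually works from is the audit.log attached later in this bug, folded into candidate rules the way audit2allow does it. The following is an added example, not code from the bug or from the selinux-policy project: it parses the four raw records quoted in the description (record 2 is copied as truncated as it appears on the page, stopping at "sgid=0"), groups complete denials by source type, target type and object class, and reports records it cannot fully attribute rather than guessing. A fifth record for a tcp_socket name_bind on port 904 is constructed here to mirror the port question raised later in the thread; its comm, source type (inetd_t) and target type (port_t) are assumptions, not taken from the attached log.

```python
"""Fold raw SELinux AVC denial records into audit2allow-style allow rules.

Added example for triaging an audit.log such as the one attached to this
bug; the parsing rules are the usual key=value AVC format, not anything
specific to selinux-policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Records 1-4 are the raw audit messages from the bug description above
# (record 2 is truncated exactly as it is on the page). Record 5 is
# CONSTRUCTED for this example: a name_bind denial on port 904 from an
# assumed inetd_t domain against the generic port_t label.
AVC_RECORDS = [
    "avc: denied { write } for comm=load_policy dev=pipefs egid=0 euid=0 "
    "exe=/usr/sbin/load_policy exit=0 fsgid=0 fsuid=0 gid=0 items=0 "
    "path=pipe:[42398] pid=7186 scontext=system_u:system_r:load_policy_t:s0 "
    "sgid=0 subj=system_u:system_r:load_policy_t:s0 suid=0 tclass=fifo_file "
    "tcontext=system_u:system_r:rpm_t:s0 tty=pts1 uid=0",
    "avc: denied { getattr } for comm=readlink dev=sda7 egid=0 euid=0 "
    "exe=/usr/bin/readlink exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=/ "
    "path=/home pid=3822 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0",
    "avc: denied { search } for comm=readlink dev=sda7 egid=0 euid=0 "
    "exe=/usr/bin/readlink exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=/ pid=3822 "
    "scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:udev_t:s0-s0:c0.c1023 suid=0 tclass=dir "
    "tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0",
    "avc: denied { use } for comm=brctl dev=proc egid=0 euid=0 exe=/usr/sbin/brctl "
    "exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=hotplug path=/sys/kernel/hotplug "
    "pid=3442 scontext=system_u:system_r:brctl_t:s0-s0:c0.c1023 sgid=0 "
    "subj=system_u:system_r:brctl_t:s0-s0:c0.c1023 suid=0 tclass=fd "
    "tcontext=system_u:system_r:kernel_t:s0 tty=(none) uid=0",
    # constructed, see above
    "avc: denied { name_bind } for comm=xinetd src=904 pid=4100 "
    "scontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket",
]

_HEADER = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Denial:
    perms: set
    fields: dict = field(default_factory=dict)

    def type_of(self, key):
        # "system_u:system_r:udev_t:s0-s0:c0.c1023" -> "udev_t"; None if absent
        ctx = self.fields.get(key)
        if ctx is None:
            return None
        parts = ctx.split(":")
        return parts[2] if len(parts) >= 3 else None

    def complete(self):
        # Without all three of these the denial cannot be turned into a rule.
        return all(k in self.fields for k in ("scontext", "tcontext", "tclass"))


def parse_avc(line):
    """Return a Denial for an 'avc: denied' record, or None for any other line."""
    m = _HEADER.search(line)
    if not m:
        return None
    perms = set(m.group(1).split())
    fields = dict(_KV.findall(m.group(2)))
    return Denial(perms, fields)


def summarize(lines):
    """Group complete denials into allow rules keyed by (source type, target type,
    object class); also return the denials that could not be fully attributed,
    e.g. a record truncated before its tclass/tcontext."""
    grouped = defaultdict(set)
    incomplete = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        if not d.complete():
            incomplete.append(d)
            continue
        key = (d.type_of("scontext"), d.type_of("tcontext"), d.fields["tclass"])
        grouped[key] |= d.perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules, incomplete


if __name__ == "__main__":
    rules, incomplete = summarize(AVC_RECORDS)
    print("\n".join(rules))
    for d in incomplete:
        print("# not attributed (truncated record):", d.fields.get("comm"), sorted(d.perms))
```

Two things the output makes visible that the alerts do not. First, the truncated readlink getattr record is reported separately instead of being merged with the readlink search denial, so a rule is never written from a record whose target is unknown. Second, the constructed port denial folds into "allow inetd_t port_t:tcp_socket name_bind;", which is exactly the rule a maintainer should not ship: port_t covers every unlabelled port, so the fix for a service on an arbitrary port is to label that port (the semanage port command on the system in question) rather than to widen the domain's policy.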

Comment 1 Zdenek Kabelac 2007-10-16 14:43:45 UTC
Created attachment 228851 [details]
just compressed my actual log from SELinux if the messages are not as readable as the plain text

Comment 2 Daniel Walsh 2007-10-17 18:01:51 UTC
Please attach your /var/log/audit/audit.log

Comment 3 Zdenek Kabelac 2007-10-18 07:56:29 UTC
Created attachment 230771 [details]
audit.log

Here it goes

Comment 4 Daniel Walsh 2007-10-18 20:12:06 UTC
What service in inetd is listening on port 904?



Comment 5 Zdenek Kabelac 2007-10-19 10:02:49 UTC
It's the default port selected by VMware. I guess this should then most probably be
handled by some rule in the VMware installation, because the port number could be
arbitrarily changed during the installation (or even just a reconfiguration), so it is
probably not something which could be easily hardcoded.

The rpm and installation code is written directly by the VMware company, so it
might be necessary to send them a patch for their installation script to get
things done in the right way? (I'm not sure, just an idea...)
 

Comment 6 Daniel Walsh 2007-11-19 15:53:58 UTC
  Fixed in selinux-policy-3.0.8-56.fc8

Comment 7 Daniel Walsh 2008-01-30 19:20:55 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.

