Bug 337971 - SELinux Policy IV
SELinux Policy IV
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-18 10:01 EDT by Zdenek Kabelac
Modified: 2008-01-30 14:21 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:21:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Zdenek Kabelac 2007-10-18 10:01:22 EDT
Description of problem:

Using SELinux & Vmware & nfs exported home
I'm not sure whether this problem should be localy solved on my machine
or it's a global policy setting thing:

So here it comes:

SELinux is preventing /usr/bin/vmnet-netifup (vmware_host_t) "ioctl" access to
device /dev/vmnet8.

Source Context:  system_u:system_r:vmware_host_t:s0Target
Context:  system_u:object_r:device_t:s0Target Objects:  /dev/vmnet8 [ chr_file
]Affected RPM Packages:  VMware-server-1.0.4-56528 [application]Policy
RPM:  selinux-policy-3.0.8-22.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  plugins.deviceHost
Name:  dhcp-lab-228.englab.brq.redhat.comPlatform:  Linux
dhcp-lab-228.englab.brq.redhat.com 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT
2007 x86_64 x86_64Alert Count:  1First
Seen:  St 17. říjen 2007, 15:20:47 CESTLast
Seen:  St 17. říjen 2007, 15:20:47 CESTLocal
ID:  6abd2ca9-3c32-4752-94cc-e677afc529ccLine Numbers:  Raw Audit Messages :avc:
denied { ioctl } for comm=vmnet-netifup dev=tmpfs egid=0 euid=0
exe=/usr/bin/vmnet-netifup exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/vmnet8
pid=2367 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 

-------------------------------

SELinux is preventing /usr/bin/vmnet-netifup (vmware_host_t) "ioctl" access to
device /dev/vmnet1.

Source Context:  system_u:system_r:vmware_host_t:s0Target
Context:  system_u:object_r:device_t:s0Target Objects:  /dev/vmnet1 [ chr_file
]Affected RPM Packages:  VMware-server-1.0.4-56528 [application]Policy
RPM:  selinux-policy-3.0.8-22.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  plugins.deviceHost
Name:  kabiPlatform:  Linux kabi 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT
2007 x86_64 x86_64Alert Count:  1First
Seen:  St 17. říjen 2007, 15:43:17 CESTLast
Seen:  St 17. říjen 2007, 15:43:17 CESTLocal
ID:  1ed813a5-8c41-4860-a2fb-5c3d566ab526Line Numbers:  Raw Audit Messages :avc:
denied { ioctl } for comm=vmnet-netifup dev=tmpfs egid=0 euid=0
exe=/usr/bin/vmnet-netifup exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=/dev/vmnet1
pid=2353 scontext=system_u:system_r:vmware_host_t:s0 sgid=0
subj=system_u:system_r:vmware_host_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 

--------------------------------------------------


SELinux is preventing rpc.mountd (nfsd_t) "ioctl" to /dev/mapper/control
(lvm_control_t).
Source Context:  system_u:system_r:nfsd_t:s0Target
Context:  system_u:object_r:lvm_control_t:s0Target Objects:  /dev/mapper/control
[ chr_file ]Affected RPM Packages:  Policy
RPM:  selinux-policy-3.0.8-22.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  plugins.catchall_fileHost
Name:  kabiPlatform:  Linux kabi 2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT
2007 x86_64 x86_64Alert Count:  2First
Seen:  St 17. říjen 2007, 17:08:33 CESTLast
Seen:  St 17. říjen 2007, 17:08:33 CESTLocal
ID:  74d30be1-56b7-4cd0-9639-71c8d673fac3Line Numbers:  Raw Audit Messages :avc:
denied { ioctl } for comm=rpc.mountd dev=tmpfs path=/dev/mapper/control pid=4906
scontext=system_u:system_r:nfsd_t:s0 tclass=chr_file
tcontext=system_u:object_r:lvm_control_t:s0 

----------------------------------


This one seeems to be quite interesting - as my /etc/exports contains
only 'rw' exported filesystems so I do not understand the help message
which suggest to use yet another command to export nfs rw -
is it purpose - isn't enough to mark filesystems (rw) only in exports file ?

SELinux is preventing the nfs daemon from allowing remote clients to write local
files.Detailed DescriptionSELinux has preventing the nfs daemon (nfsd) from
writing files on the local system. If you have not exported any file systems
(rw), this could signals an intrusion.Allowing AccessIf you want to export
writable file systems using nfs you need to turn on the nfs_export_all_rw
boolean: "setsebool -P nfs_export_all_rw=1".The following command will allow
this access:setsebool -P nfs_export_all_rw=1Additional InformationSource
Context:  system_u:system_r:nfsd_t:s0Target
Context:  system_u:object_r:lvm_control_t:s0Target Objects:  None [ chr_file
]Affected RPM Packages:  nfs-utils-1.1.0-5.fc8 [application]Policy
RPM:  selinux-policy-3.0.8-22.fc8Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  PermissivePlugin
Name:  plugins.nfs_export_all_rwHost Name:  kabiPlatform:  Linux kabi
2.6.23-6.fc8 #1 SMP Thu Oct 11 13:36:39 EDT 2007 x86_64 x86_64Alert
Count:  1First Seen:  St 17. říjen 2007, 17:08:33 CESTLast
Seen:  St 17. říjen 2007, 17:08:33 CESTLocal
ID:  79c57641-673a-4602-953a-0cd438e65ac6Line Numbers:  Raw Audit Messages :avc:
denied { read write } for comm=rpc.mountd dev=tmpfs egid=0 euid=0
exe=/usr/sbin/rpc.mountd exit=12 fsgid=0 fsuid=0 gid=0 items=0 name=control
pid=4906 scontext=system_u:system_r:nfsd_t:s0 sgid=0
subj=system_u:system_r:nfsd_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:lvm_control_t:s0 tty=(none) uid=0 


------------------






Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2007-10-22 10:24:27 EDT
Please report these as different errors.  Since some are SELinux problems and
some are other apps leaking file descriptors.

The vmware host errors are caused by an initscript in vmware creating a device
but not labeling it correctly.  If you add the line restorecon /dev/vmnet8 right
after the device is created, this should fix this problem.

The nfsd_t wanting access to lvm_control_t looks like a leaked file descriptor
from lvm or nash or something else in the boot sequence.
Comment 2 Daniel Walsh 2007-11-19 10:52:58 EST
I believe these are all fixed in Fixed in selinux-policy-3.0.8-56.fc8
Comment 3 Daniel Walsh 2008-01-30 14:21:01 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.