Bug 432920 - preventing df (logwatch_t) "getattr" to / (public_content_rw_t)
Summary: preventing df (logwatch_t) "getattr" to / (public_content_rw_t)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-02-15 06:19 UTC by Andrew Farris
Modified: 2008-02-26 21:56 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-02-26 21:56:24 UTC
Type: ---
Embargoed:

Description Andrew Farris 2008-02-15 06:19:01 UTC
Description of problem:
logwatch is getting an SELinux denial for df of a mount I have labeled
public_content_rw_t for samba and nfs export.


Summary:

SELinux is preventing df (logwatch_t) "getattr" to / (public_content_rw_t).

Detailed Description:

SELinux denied access requested by df. It is not expected that this access is
required by df and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:SystemLow-SystemHigh
Target Context                system_u:object_r:public_content_rw_t
Target Objects                / [ filesystem ]
Source                        df
Source Path                   /bin/df
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           coreutils-6.10-5.fc9
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.2.7-4.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.35.rc1.fc9 #1 SMP Tue
                              Feb 12 13:24:07 EST 2008 i686 i686
Alert Count                   2
First Seen                    Thu 14 Feb 2008 04:24:29 AM PST
Last Seen                     Thu 14 Feb 2008 04:24:29 AM PST
Local ID                      9dfb98dc-bf07-43a8-9d56-1a8add1ef40a
Line Numbers                  

Raw Audit Messages            

host=cirithungol type=AVC msg=audit(1202991869.912:28): avc:  denied  { getattr } for  pid=4111 comm="df" name="/" dev=sdc3 ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=filesystem

host=cirithungol type=SYSCALL msg=audit(1202991869.912:28): arch=40000003 syscall=268 success=no exit=-13 a0=99a05d8 a1=54 a2=bfe425d8 a3=0 items=0 ppid=4109 pid=4111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="df" exe="/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)


This results in the following in logwatch mails to root:
--------------------- Disk Space Begin ------------------------

 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sdb3             3.0G  1.1G  1.8G  37% /
 /dev/sdb6              12G  5.7G  4.8G  55% /usr
 /dev/sdb2              20G   12G  8.7G  57% /home
 /dev/sdb1             342M   39M  286M  12% /boot
 /dev/sdc2              20G   19G   93M 100% /media/blackhole
 /dev/sdc1              20G  9.5G  9.3G  51% /media/extarc
 df: `/media/archive': Permission denied
 /dev/sda1              23G   20G  2.5G  89% /media/xp
 /dev/sda2              16G   14G  2.0G  88% /media/op

 df: `/media/archive': Permission denied
 /dev/sdc2 => 100% Used. Warning. Disk Filling up.

 ---------------------- Disk Space End -------------------------

The partition /dev/sdc3 is mounted on /media/archive and labeled:
     1 16 drwxrwxr-x 26 system_u:object_r:public_content_rw_t 500 555 16 1969-12-31 16:00 archive/
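
As an added example (not part of the bug report), a small Python parser for audit records of the kind quoted above: it pairs the AVC and SYSCALL lines by their audit event id and summarises the denied permission, the source and target types, and the syscall result. The sample input is constructed from the report's two records, re-joined onto one line each.

```python
"""Parse SELinux AVC/SYSCALL audit records and pair them by event id."""
import re
from collections import defaultdict

# Constructed sample: the two records from the bug report, one per line.
SAMPLE_AUDIT = """\
host=cirithungol type=AVC msg=audit(1202991869.912:28): avc:  denied  { getattr } for  pid=4111 comm="df" name="/" dev=sdc3 ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=filesystem
host=cirithungol type=SYSCALL msg=audit(1202991869.912:28): arch=40000003 syscall=268 success=no exit=-13 a0=99a05d8 a1=54 a2=bfe425d8 a3=0 items=0 ppid=4109 pid=4111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="df" exe="/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\):")       # seconds.millis:serial
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")  # { getattr write ... }
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                       # key=value or key="value"

def parse_record(line):
    """Return the key=value fields plus event id and, for AVC, result and permissions."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["event"] = EVENT_ID.search(line).group(1)
    m = PERMS.search(line)
    if m:
        rec["result"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec

def pair_events(text):
    """Group records sharing one audit event id, keyed by record type (AVC, SYSCALL)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event"]][rec["type"]] = rec
    return events

def summarize(event):
    """One line: command, source type, permissions, target type:class, syscall exit."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    stype = avc["scontext"].split(":")[2]   # user:role:type:range -> type
    ttype = avc["tcontext"].split(":")[2]
    return (f'{avc["comm"]} ({stype}) {avc["result"]} {" ".join(avc["perms"])} '
            f'on {avc["name"]} [{ttype}:{avc["tclass"]}] '
            f'syscall={sc.get("syscall", "?")} exit={sc.get("exit", "?")}')

if __name__ == "__main__":
    for ev in pair_events(SAMPLE_AUDIT).values():
        print(summarize(ev))
```

The SYSCALL record's exit=-13 is EACCES, which is what df reports as "Permission denied" in the logwatch mail.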

Comment 1 Andrew Farris 2008-02-15 06:23:27 UTC
The partition is mounted via fstab with:

LABEL=archive	/media/archive	vfat	auto,rw,async,users,group,nosuid,noexec,context=system_u:object_r:public_content_rw_t:s0,fmask=0002,dmask=0002,gid=555	0 0

Since it is vfat the files cannot be labeled public content without setting at
mount, but that changes /media/archive from mnt_t to public_content_rw_t rather
than just the files inside.  Is there a different approach to this or should
logwatch have access to this context?

Comment 2 Daniel Walsh 2008-02-26 21:56:24 UTC
Fixed in selinux-policy-3.3.1-4.fc9
