Description of problem:

logwatch is getting an SELinux denial for df of a mount I have labeled public_content_rw_t for samba and nfs export.

Summary:

SELinux is preventing df (logwatch_t) "getattr" to / (public_content_rw_t).

Detailed Description:

SELinux denied access requested by df. It is not expected that this access is required by df and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:SystemLow-SystemHigh
Target Context                system_u:object_r:public_content_rw_t
Target Objects                / [ filesystem ]
Source                        df
Source Path                   /bin/df
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           coreutils-6.10-5.fc9
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.2.7-4.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.35.rc1.fc9 #1 SMP Tue Feb 12 13:24:07 EST 2008 i686 i686
Alert Count                   2
First Seen                    Thu 14 Feb 2008 04:24:29 AM PST
Last Seen                     Thu 14 Feb 2008 04:24:29 AM PST
Local ID                      9dfb98dc-bf07-43a8-9d56-1a8add1ef40a
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1202991869.912:28): avc: denied { getattr } for pid=4111 comm="df" name="/" dev=sdc3 ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=filesystem

host=cirithungol type=SYSCALL msg=audit(1202991869.912:28): arch=40000003 syscall=268 success=no exit=-13 a0=99a05d8 a1=54 a2=bfe425d8 a3=0 items=0 ppid=4109 pid=4111 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="df" exe="/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

This results in the following in logwatch mails to root:

--------------------- Disk Space Begin ------------------------

Filesystem            Size  Used Avail Use% Mounted on
/dev/sdb3             3.0G  1.1G  1.8G  37% /
/dev/sdb6              12G  5.7G  4.8G  55% /usr
/dev/sdb2              20G   12G  8.7G  57% /home
/dev/sdb1             342M   39M  286M  12% /boot
/dev/sdc2              20G   19G   93M 100% /media/blackhole
/dev/sdc1              20G  9.5G  9.3G  51% /media/extarc
df: `/media/archive': Permission denied
/dev/sda1              23G   20G  2.5G  89% /media/xp
/dev/sda2              16G   14G  2.0G  88% /media/op
df: `/media/archive': Permission denied

/dev/sdc2 => 100% Used.  Warning. Disk Filling up.

---------------------- Disk Space End -------------------------

The partition /dev/sdc3 is mounted on /media/archive and labeled:

1 16 drwxrwxr-x 26 system_u:object_r:public_content_rw_t 500 555 16 1969-12-31 16:00 archive/

The partition is mounted via fstab with:

LABEL=archive /media/archive vfat auto,rw,async,users,group,nosuid,noexec,context=system_u:object_r:public_content_rw_t:s0,fmask=0002,dmask=0002,gid=555 0 0

Since it is vfat, the files cannot be labeled public content without setting it at mount, but that changes /media/archive from mnt_t to public_content_rw_t rather than just the files inside. Is there a different approach to this, or should logwatch have access to this context?
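To make the link between the AVC record and the fstab entry explicit, here is an added Python example; it is not part of the bug report and not Fedora or setroubleshoot code. It parses the raw AVC message and the fstab line quoted above (both embedded verbatim as the only inputs), extracts the source and target types from the contexts, renders the type-enforcement rule that audit2allow would emit for a local policy module, and checks whether the target type of the denial is the one forced by the context= mount option. The helper names (parse_avc, allow_rule, fstab_mount_context, explain) are my own and not taken from any tool.

```python
"""Triage an SELinux AVC denial against the fstab entry of the mount it names."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Both inputs are copied from the bug report above (the AVC record minus the
# leading host= field, and the fstab line for /media/archive).
AVC_LINE = (
    'type=AVC msg=audit(1202991869.912:28): avc: denied { getattr } for '
    'pid=4111 comm="df" name="/" dev=sdc3 ino=1 '
    'scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:public_content_rw_t:s0 tclass=filesystem'
)
FSTAB_LINE = (
    'LABEL=archive /media/archive vfat auto,rw,async,users,group,nosuid,noexec,'
    'context=system_u:object_r:public_content_rw_t:s0,fmask=0002,dmask=0002,gid=555 0 0'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    result: str                      # "denied" or "granted"
    perms: list[str]                 # permissions requested, e.g. ["getattr"]
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        return context_type(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return context_type(self.fields["tcontext"])

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def context_type(ctx: str) -> str:
    """Return the type field of a context of the form user:role:type[:mls]."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> AvcRecord | None:
    """Parse one audit line; return None if it is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    return AvcRecord(result, perms.split(), fields)


def allow_rule(rec: AvcRecord) -> str:
    """Render the TE allow rule audit2allow would produce for this record."""
    perms = rec.perms[0] if len(rec.perms) == 1 else "{ " + " ".join(rec.perms) + " }"
    return f"allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};"


def fstab_mount_context(line: str) -> tuple[str, str | None]:
    """Return (mount point, value of the context= option or None) for an fstab line."""
    parts = line.split()
    mountpoint, options = parts[1], parts[3].split(",")
    for opt in options:
        if opt.startswith("context="):
            return mountpoint, opt[len("context="):]
    return mountpoint, None


def explain(avc_line: str, fstab_line: str) -> str:
    """Say whether the denied target type is the one imposed by the mount's context= option."""
    rec = parse_avc(avc_line)
    if rec is None:
        return "not an AVC record"
    mountpoint, ctx = fstab_mount_context(fstab_line)
    perms = " ".join(rec.perms)
    if ctx and context_type(ctx) == rec.target_type and rec.tclass == "filesystem":
        return (f"{rec.source_type} was denied {perms} on the {mountpoint} filesystem; "
                f"its type {rec.target_type} comes from the context= mount option")
    return f"{rec.source_type} was denied {perms} on {rec.target_type}:{rec.tclass}"


if __name__ == "__main__":
    record = parse_avc(AVC_LINE)
    print(allow_rule(record))
    print(explain(AVC_LINE, FSTAB_LINE))
```

Run on the report's own lines, explain() reports that logwatch_t was denied getattr on the /media/archive filesystem and that the filesystem's type is the one set by context=, so the denial is a consequence of the mount option rather than a mislabeled file. The SYSCALL record agrees: arch=40000003 is i386 and syscall 268 there is statfs64, the call df issues per mount, with exit=-13 (EACCES). The rendered rule, allow logwatch_t public_content_rw_t:filesystem getattr;, grants only statfs-style attribute reads on the filesystem object, not access to files inside it, which is the scope to keep in mind when deciding between a local module and waiting for the policy update.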
Fixed in selinux-policy-3.3.1-4.fc9