Bug 443282 - SELinux is preventing rm (hald_t) "rmdir" to ./storage (var_run_t).
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: hal
Version: rawhide
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: David Zeuthen
Fedora Extras Quality Assurance
: SELinux
 
Reported: 2008-04-20 02:26 EDT by Matěj Cepl
Modified: 2013-03-05 22:55 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-04-20 07:00:30 EDT

Description Matěj Cepl 2008-04-20 02:26:59 EDT
Description of problem:
SELinux denied access requested by rm. It is not expected that this access is
required by rm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.


More information:

Kontext zdroje                system_u:system_r:hald_t
Kontext cíle                 system_u:object_r:var_run_t
Objekty cíle                 ./storage [ dir ]
Zdroj                         rm
Cesta zdroje                  /bin/rm
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          coreutils-6.10-18.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-35.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17
                              01:47:10 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Ne 20. duben 2008, 08:11:36 CEST
Naposledy viděno             Ne 20. duben 2008, 08:11:36 CEST
Místní ID                   d0adbb7c-8b6c-449f-af8e-e17f73a0b2b3
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1208671896.435:42): avc:  denied  { rmdir } for 
pid=9182 comm="rm" name="storage" dev=dm-0 ino=1275335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=dir

host=viklef type=SYSCALL msg=audit(1208671896.435:42): arch=40000003 syscall=301
success=no exit=-13 a0=ffffff9c a1=8874150 a2=200 a3=8874150 items=2 ppid=8641
pid=9182 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="rm" exe="/bin/rm"
subj=system_u:system_r:hald_t:s0 key=(null)

host=viklef type=CWD msg=audit(1208671896.435:42): cwd="/usr/lib/hal/scripts"

host=viklef type=PATH msg=audit(1208671896.435:42): item=0
name="/var/run/pm-utils/" inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:var_run_t:s0

host=viklef type=PATH msg=audit(1208671896.435:42): item=1
name="/var/run/pm-utils/storage" inode=1275335 dev=fd:00 mode=040755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0

Version-Release number of selected component (if applicable):
hal-0.5.11-0.6.rc2.fc9.i386
selinux-policy-targeted-3.3.1-35.fc9.noarch
kernel-2.6.25-1.fc9.i686

How reproducible:
Happened once (and I am not sure when; will try suspend/resume)
Comment 1 Matěj Cepl 2008-04-20 03:04:58 EDT
OK, so this is suspend/resume in the Permissive mode:


Souhrn:

SELinux is preventing rm (hald_t) "rmdir" to ./storage (var_run_t).

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by rm. It is not expected that this access is
required by rm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./storage,

restorecon -v './storage'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:hald_t
Kontext cíle                 system_u:object_r:var_run_t
Objekty cíle                 ./storage [ dir ]
Zdroj                         rm
Cesta zdroje                  /bin/rm
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          coreutils-6.10-18.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-35.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.25-1.fc9.i686 #1 SMP Thu Apr 17
                              01:47:10 EDT 2008 i686 i686
Počet uporoznění           1
Poprvé viděno               Ne 20. duben 2008, 08:55:42 CEST
Naposledy viděno             Ne 20. duben 2008, 08:55:42 CEST
Místní ID                   8d4a088f-d50c-4b5e-a1cc-9937be01ee69
Čísla řádků              

Původní zprávy auditu      

host=viklef type=AVC msg=audit(1208674542.225:55): avc:  denied  { rmdir } for 
pid=12575 comm="rm" name="storage" dev=dm-0 ino=1275335
scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0
tclass=dir

host=viklef type=SYSCALL msg=audit(1208674542.225:55): arch=40000003 syscall=301
success=yes exit=0 a0=ffffff9c a1=8540150 a2=200 a3=8540150 items=2 ppid=12084
pid=12575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm"
subj=system_u:system_r:hald_t:s0 key=(null)

host=viklef type=CWD msg=audit(1208674542.225:55): cwd="/usr/lib/hal/scripts"

host=viklef type=PATH msg=audit(1208674542.225:55): item=0
name="/var/run/pm-utils/" inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:var_run_t:s0

host=viklef type=PATH msg=audit(1208674542.225:55): item=1
name="/var/run/pm-utils/storage" inode=1275335 dev=fd:00 mode=040755 ouid=0
ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Comment 2 Daniel Walsh 2008-04-20 07:00:30 EDT
This is a labeling problem on /var/run/pm-utils

restorecon -R -v /var/run/pm-utils

Will fix it.  If it comes back afterwards then some tool is creating this
directory without labeling it correctly.
Comment 3 Matěj Cepl 2008-04-21 01:41:27 EDT
Restorecon actually did nothing (see below) and if I am not greatly mistaken,
the label is still the same as before (well, there is no
/var/run/pm-utils/storage at all currently, it is probably created just during
suspend):

[root@viklef ~]# restorecon -R -v /var/run/pm-utils/
[root@viklef ~]# ls -lZ /var/run/pm-utils/
drwxr-xr-x  root root system_u:object_r:var_run_t      locks
[root@viklef ~]# 

Will try another suspend.
Comment 4 Daniel Walsh 2008-04-21 13:09:45 EDT
Which policy do you have installed?

selinux-policy-3.3.1-35 has

+/var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)


Which means these files should be labeled hald_var_run_t
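
The comparison made in this thread (the label recorded in the audit PATH records versus the label the file-context entry assigns) can be scripted. The following is an added example, not part of the original report or of any SELinux tool; the generic /var/run entry and the longest-stem precedence rule are assumptions made for illustration, and the audit records are the ones from the description, joined onto single lines.

```python
import re

# Records of audit event 1208671896.435:42 from this report, each joined onto one line.
AUDIT = """\
host=viklef type=AVC msg=audit(1208671896.435:42): avc:  denied  { rmdir } for pid=9182 comm="rm" name="storage" dev=dm-0 ino=1275335 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
host=viklef type=PATH msg=audit(1208671896.435:42): item=0 name="/var/run/pm-utils/" inode=1275120 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
host=viklef type=PATH msg=audit(1208671896.435:42): item=1 name="/var/run/pm-utils/storage" inode=1275335 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
"""

# (path regex, expected type). The pm-utils entry is the one quoted in comment 4;
# the generic /var/run entry is an assumption added for contrast.
FILE_CONTEXTS = [
    (r"/var/run(/.*)?", "var_run_t"),
    (r"/var/run/pm-utils(/.*)?", "hald_var_run_t"),
]


def fields(record):
    """Parse the key=value pairs of one audit record, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def expected_type(path):
    """Type from the matching entry with the longest literal stem.

    Simplified precedence (assumption); libselinux applies more ordering rules.
    """
    hits = [(len(re.split(r"[(\[.*?+]", rx)[0]), typ)
            for rx, typ in FILE_CONTEXTS if re.fullmatch(rx, path)]
    return max(hits)[1] if hits else None


def mislabeled(audit_text):
    """List (path, on-disk type, expected type) for PATH records that disagree."""
    found = []
    for line in audit_text.splitlines():
        rec = fields(line)
        if rec.get("type") != "PATH":
            continue
        actual = rec["obj"].split(":")[2]   # user:role:type:level
        wanted = expected_type(rec["name"])
        if wanted and wanted != actual:
            found.append((rec["name"], actual, wanted))
    return found


if __name__ == "__main__":
    for path, actual, wanted in mislabeled(AUDIT):
        print(f"{path}: labeled {actual}, policy expects {wanted}")
```

On a live system, `matchpathcon /var/run/pm-utils` reports the context the installed policy expects, which can be compared with the output of `ls -dZ`.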
Comment 5 Matěj Cepl 2008-04-22 09:44:03 EDT
OK, then it is probably really NOTABUG. No idea.
