Bug 445101 – (staff_u) zillion AVC denials

Bug 445101 - (staff_u) zillion AVC denials

Summary:	(staff_u) zillion AVC denials

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-05-03 14:50 EDT by Matěj Cepl
Modified:	2008-05-06 17:31 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-05-05 16:41:35 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:

Attachments	(Terms of Use)
/var/log/audit/audit.log (2.93 MB, text/plain) 2008-05-03 14:50 EDT, Matěj Cepl	no flags	Details
generated SELinux module (1.85 KB, text/plain) 2008-05-03 18:17 EDT, Matěj Cepl	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Matěj Cepl 2008-05-03 14:50:18 EDT

Description of problem:
I thought I will be filing one bug per AVC denial while using staff_u, but there
is too much junk here. I think that everything (except for bitlbee bugs) in the
attached /var/log/audit/audit.log is relevant as a staff_u bug.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-42.fc9.noarch
(the rest is from Rawhide as of today)

Comment 1 Matěj Cepl 2008-05-03 14:50:18 EDT

Created attachment 304465 [details]
/var/log/audit/audit.log

Comment 2 Matěj Cepl 2008-05-03 18:17:23 EDT

Created attachment 304468 [details]
generated SELinux module

When removing all lines from audit.log before I switched to using staff_u, I
generated this selinux module with audit2allow

Comment 3 Daniel Walsh 2008-05-05 14:30:27 EDT

If you are testing staff_t please do not run in permissive mode.  Any avc that
you collected while in permissive mode is useless.  Since staff_u is not allowed
to run su, when in permissive mode you ran visudo which is also not allowed so
lots of AVC messages are useless to me.

You need to setup sudo before hand and user sudo to switch to unconfined_t when
run as root.

Comment 4 Matěj Cepl 2008-05-05 16:41:35 EDT

OK, if I cannot run in permissive mode, than I am afraid I cannot use staff_u at
all (need for developing stuff permissive mode).

Comment 5 Daniel Walsh 2008-05-06 17:23:30 EDT

Not sure why you need permissive mode for developing.  I use staff_t which a
transition to unconfined_t and I develop every day.

Comment 6 Matěj Cepl 2008-05-06 17:31:37 EDT

I am probably much worse programmer than you (well, I am not a programmer at
all, strictly speaking) so when hacking on bitlbee (which is confined) I am
hitting SELinux all the time.

Note You need to log in before you can comment on or make changes to this bug.