446122 – cobblerd logging AVC denial blames iptables

Bug 446122 - cobblerd logging AVC denial blames iptables

Summary: cobblerd logging AVC denial blames iptables

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-12 21:03 UTC by Michael DeHaan
Modified:	2008-11-17 22:03 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-17 22:03:47 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)

Description Michael DeHaan 2008-05-12 21:03:28 UTC

Description of problem:

Cobbler is getting an AVC denial when trying to write to it's own log file. 
Most likely (#selinux says) this is an open file descriptor, and since we are
leaving them open for logging purposes and this is python standard logging I'm
not sure it's fixable from that respect.  eparis says file a bz and ask dwalsh
to "dontaudit" it or equivalent.

Version-Release number of selected component (if applicable):


How reproducible:

Very


Steps to Reproduce:
1.   Start with F8 and setroubleshoot, permissive mode, install cobbler
2.   run cobbler sync or run any command that makes cobbler or cobblerd write to
the log
3.   observe denial
  
Actual results:

AVC denial below

Expected results:

No denial (var_log_t type is already set)

Additional info:


#
Summary:
#
 
#
SELinux is preventing iptables (iptables_t) "append" to
#
/var/log/cobbler/cobbler.log (var_log_t).
#
 
#
Detailed Description:
#
 
#
[SELinux is in permissive mode, the operation would have been denied but was
#
permitted due to permissive mode.]
#
 
#
SELinux is preventing iptables (iptables_t) "append" to
#
/var/log/cobbler/cobbler.log (var_log_t). The SELinux type var_log_t, is a
#
generic type for all files in the directory and very few processes (SELinux
#
Domains) are allowed to write to this SELinux type. This type of denial usual
#
indicates a mislabeled file. By default a file created in a directory has the
#
gets the context of the parent directory, but SELinux policy has rules about the
#
creation of directories, that say if a process running in one SELinux Domain
#
(D1) creates a file in a directory with a particular SELinux File Context (F1)
#
the file gets a different File Context (F2). The policy usually allows the
#
SELinux Domain (D1) the ability to write, unlink, and append on (F2). But if for
#
some reason a file (/var/log/cobbler/cobbler.log) was created with the wrong
#
context, this domain will be denied. The usual solution to this problem is to
#
reset the file context on the target file, restorecon -v
#
'/var/log/cobbler/cobbler.log'. If the file context does not change from
#
var_log_t, then this is probably a bug in policy. Please file a bug report
#
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against the selinux-policy
#
package. If it does change, you can try your application again to see if it
#
works. The file context could have been mislabeled by editing the file or moving
#
the file from a different directory, if the file keeps getting mislabeled, check
#
the init scripts to see if they are doing something to mislabel the file.
#
 
#
Allowing Access:
#
 
#
You can attempt to fix file context by executing restorecon -v
#
'/var/log/cobbler/cobbler.log'
#
 
#
The following command will allow this access:
#
 
#
restorecon '/var/log/cobbler/cobbler.log'
#
 
#
Additional Information:
#
 
#
Source Context                system_u:system_r:iptables_t
#
Target Context                system_u:object_r:var_log_t
#
Target Objects                /var/log/cobbler/cobbler.log [ file ]
#
Source                        iptables
#
Source Path                   /sbin/iptables
#
Port                          <Unknown>
#
Host                          mdehaan.rdu.redhat.com
#
Source RPM Packages           iptables-1.3.8-6.fc8
#
Target RPM Packages          
#
Policy RPM                    selinux-policy-3.0.8-98.fc8
#
Selinux Enabled               True
#
Policy Type                   targeted
#
MLS Enabled                   True
#
Enforcing Mode                Permissive
#
Plugin Name                   mislabeled_file
#
Host Name                     mdehaan.rdu.redhat.com
#
Platform                      Linux mdehaan.rdu.redhat.com 2.6.24.5-85.fc8 #1
#
                              SMP Sat Apr 19 12:39:34 EDT 2008 i686 i686
#
Alert Count                   1
#
First Seen                    Mon 12 May 2008 04:42:59 PM EDT
#
Last Seen                     Mon 12 May 2008 04:42:59 PM EDT
#
Local ID                      dfad26ff-f811-4f0a-998f-e4366128d4ed
#
Line Numbers                  
#
 
#
Raw Audit Messages            
#
 
#
host=mdehaan.rdu.redhat.com type=AVC msg=audit(1210624979.274:21): avc:  denied
 { append } for  pid=4577 comm="iptables" path="/var/log/cobbler/cobbler.log"
dev=sda1 ino=4484833 scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:var_log_t:s0 tclass=file
#
 
#
host=mdehaan.rdu.redhat.com type=SYSCALL msg=audit(1210624979.274:21):
arch=40000003 syscall=11 success=yes exit=0 a0=874dab0 a1=8727028 a2=8735610
a3=0 items=0 ppid=4568 pid=4577 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts4 comm="iptables" exe="/sbin/iptables"
subj=system_u:system_r:iptables_t:s0 key=(null)

Comment 1 Dominick Grift 2008-05-12 21:08:22 UTC

also note this related in iptables.te:

# system-config-network appends to /var/log
#logging_append_system_logs(iptables_t)

Comment 2 Daniel Walsh 2008-05-13 15:34:15 UTC

No this looks legitimate.

Fixed in selinux-policy-3.0.8-103.fc8

Comment 3 Daniel Walsh 2008-11-17 22:03:47 UTC

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.