Bug 471783 - SELinux is preventing df (logwatch_t) "getattr" unlabeled_t.
SELinux is preventing df (logwatch_t) "getattr" unlabeled_t.
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-16 03:57 EST by Vladimir Kondratiev
Modified: 2009-05-01 14:31 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-01 14:31:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vladimir Kondratiev 2008-11-16 03:57:27 EST
Summary:

SELinux is preventing df (logwatch_t) "getattr" unlabeled_t.

Detailed Description:

SELinux denied access requested by df. It is not expected that this access is
required by df and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        df
Source Path                   /bin/df
Port                          <Unknown>
Host                          fedora10
Source RPM Packages           coreutils-6.12-17.fc10
Target RPM Packages           filesystem-2.4.19-1.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     fedora10
Platform                      Linux fedora10 2.6.27.5 #1 SMP Tue Nov 11 10:38:08
                              IST 2008 i686 i686
Alert Count                   2
First Seen                    Thu 13 Nov 2008 12:31:08 PM IST
Last Seen                     Thu 13 Nov 2008 12:31:08 PM IST
Local ID                      623b69c8-343d-4692-8cdb-2598b76bdfa9
Line Numbers                  

Raw Audit Messages            

node=fedora10 type=AVC msg=audit(1226572268.41:32): avc:  denied  { getattr } for  pid=3744 comm="df" name="/" dev=gadgetfs ino=13170 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=fedora10 type=SYSCALL msg=audit(1226572268.41:32): arch=40000003 syscall=268 success=no exit=-13 a0=8abb4f0 a1=54 a2=bfb2da08 a3=0 items=0 ppid=3742 pid=3744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="df" exe="/bin/df" subj=system_u:system_r:logwatch_t:s0 key=(null)
Comment 1 Bug Zapper 2008-11-26 00:28:00 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 2 Jerry Amundson 2009-04-16 15:18:20 EDT
Summary:

SELinux is preventing df (logwatch_t) "getattr" unlabeled_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by df. It is not expected that this access is
required by df and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                / [ filesystem ]
Source                        df
Source Path                   /bin/df
Port                          <Unknown>
Host                          jerry-opti755
Source RPM Packages           coreutils-7.2-1.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-3.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     jerry-opti755
Platform                      Linux jerry-opti755
                              2.6.29.1-1.2.20.xendom0.fc11.x86_64 #1 SMP Tue Apr
                              14 19:17:01 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 16 Apr 2009 03:31:06 AM CDT
Last Seen                     Thu 16 Apr 2009 03:31:06 AM CDT
Local ID                      cd26ba8d-de2c-49ac-8bb0-9963b63115be
Line Numbers                  

Raw Audit Messages            

node=jerry-opti755 type=AVC msg=audit(1239870666.443:122): avc:  denied  { getattr } for  pid=8594 comm="df" name="/" dev=xenfs ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem

node=jerry-opti755 type=SYSCALL msg=audit(1239870666.443:122): arch=c000003e syscall=137 success=yes exit=0 a0=10c1a40 a1=7fff5355e360 a2=7fff5355ec00 a3=fffffffb items=0 ppid=8593 pid=8594 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=14 comm="df" exe="/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
Comment 3 Daniel Walsh 2009-05-01 14:31:27 EDT
Fixed in selinux-policy-3.6.12-23.fc11.noarch

Note You need to log in before you can comment on or make changes to this bug.