Bug 475351 - (staff_u) cannot use at command
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: at
Version: 10
Platform: All Linux
Priority: low
Severity: medium
Assigned To: Marcela Mašláňová
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-08 17:32 EST by Matěj Cepl
Modified: 2018-04-11 03:24 EDT
Last Closed: 2009-06-10 03:24:13 EDT
Doc Type: Bug Fix

Description Matěj Cepl 2008-12-08 17:32:07 EST
Description of problem:

When I tried a trivial at command:

echo "touch /tmp/test" |at <time>

I got the following AVC denials. I don't think the at command is any higher magic that should be forbidden to the staff user -- anybody can need scheduled commands.
=============================

SELinux is preventing at (staff_crontab_t) "setsched" staff_crontab_t.

Podrobný popis:

SELinux denied access requested by at. It is not expected that this access is
required by at and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_crontab_t:SystemLow-
                              SystemHigh
Kontext cíle                 staff_u:staff_r:staff_crontab_t:SystemLow-
                              SystemHigh
Objekty cíle                 None [ process ]
Zdroj                         at
Cesta zdroje                  /usr/bin/at
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          at-3.1.10-26.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-30.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Po 8. prosinec 2008, 23:26:15 CET
Naposledy viděno             Po 8. prosinec 2008, 23:26:15 CET
Místní ID                   bd45ae75-3ed9-4c54-abd1-80de1879dcf8
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1228775175.655:3452): avc:  denied  { setsched } for  pid=5832 comm="at" scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tclass=process

node=viklef type=SYSCALL msg=audit(1228775175.655:3452): arch=40000003 syscall=97 success=no exit=-13 a0=0 a1=0 a2=0 a3=1 items=0 ppid=5799 pid=5832 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="at" exe="/usr/bin/at" subj=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 key=(null)

==============================


Souhrn:

SELinux is preventing at (staff_crontab_t) "audit_control" staff_crontab_t.

Podrobný popis:

SELinux denied access requested by at. It is not expected that this access is
required by at and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_crontab_t:SystemLow-
                              SystemHigh
Kontext cíle                 staff_u:staff_r:staff_crontab_t:SystemLow-
                              SystemHigh
Objekty cíle                 None [ capability ]
Zdroj                         at
Cesta zdroje                  /usr/bin/at
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          at-3.1.10-26.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-30.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Po 8. prosinec 2008, 23:26:15 CET
Naposledy viděno             Po 8. prosinec 2008, 23:26:15 CET
Místní ID                   cde2e8ff-4fc6-4ff5-b2d6-9cbf80eb4793
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1228775175.642:3451): avc:  denied  { audit_control } for  pid=5832 comm="at" capability=30 scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tclass=capability

node=viklef type=SYSCALL msg=audit(1228775175.642:3451): arch=40000003 syscall=4 success=no exit=-1 a0=3 a1=bf91bdc0 a2=3 a3=0 items=0 ppid=5799 pid=5832 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="at" exe="/usr/bin/at" subj=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 key=(null)

====================================


Souhrn:

SELinux is preventing at (staff_crontab_t) "read" to ./utmp (initrc_var_run_t).

Podrobný popis:

SELinux denied access requested by at. It is not expected that this access is
required by at and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./utmp,

restorecon -v './utmp'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_crontab_t:SystemLow-
                              SystemHigh
Kontext cíle                 system_u:object_r:initrc_var_run_t
Objekty cíle                 ./utmp [ file ]
Zdroj                         at
Cesta zdroje                  /usr/bin/at
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          at-3.1.10-26.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-30.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           2
Poprvé viděno               Po 8. prosinec 2008, 23:26:15 CET
Naposledy viděno             Po 8. prosinec 2008, 23:26:15 CET
Místní ID                   d235d1bc-b910-41d3-8fd8-40e648a0be35
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1228775175.737:3456): avc:  denied  { read } for  pid=5832 comm="at" name="utmp" dev=dm-0 ino=1274215 scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1228775175.737:3456): arch=40000003 syscall=5 success=no exit=-13 a0=af36a2 a1=88000 a2=0 a3=af36a8 items=0 ppid=5799 pid=5832 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="at" exe="/usr/bin/at" subj=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 key=(null)

==================


Souhrn:

SELinux is preventing at (staff_crontab_t) "read write" to ./utmp
(initrc_var_run_t).

Podrobný popis:

SELinux denied access requested by at. It is not expected that this access is
required by at and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./utmp,

restorecon -v './utmp'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_crontab_t:SystemLow-
                              SystemHigh
Kontext cíle                 system_u:object_r:initrc_var_run_t
Objekty cíle                 ./utmp [ file ]
Zdroj                         at
Cesta zdroje                  /usr/bin/at
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          at-3.1.10-26.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-30.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec
                              1 22:42:50 EST 2008 i686 i686
Počet upozornění           2
Poprvé viděno               Po 8. prosinec 2008, 23:26:15 CET
Naposledy viděno             Po 8. prosinec 2008, 23:26:15 CET
Místní ID                   2b919073-97ad-4a35-8826-6836cd4e747e
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1228775175.737:3455): avc:  denied  { read write } for  pid=5832 comm="at" name="utmp" dev=dm-0 ino=1274215 scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1228775175.737:3455): arch=40000003 syscall=5 success=no exit=-13 a0=af36a2 a1=88002 a2=0 a3=af36a8 items=0 ppid=5799 pid=5832 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="at" exe="/usr/bin/at" subj=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-12-10 10:15:33 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-35.fc10
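As an added example (not from this bug report, the at package or selinux-policy), the following Python parses the four AVC records quoted above, merges them into the allow rules a catch-all audit2allow module built from this audit.log would contain, and flags the capability rule for manual reading before the module is loaded with semodule. The AVC_LOG sample is constructed from this report's audit lines; REVIEW_CLASSES is an assumption of this example, not an audit2allow feature.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records quoted in this bug, as found in audit.log.
AVC_LOG = """\
node=viklef type=AVC msg=audit(1228775175.655:3452): avc:  denied  { setsched } for  pid=5832 comm="at" scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tclass=process
node=viklef type=AVC msg=audit(1228775175.642:3451): avc:  denied  { audit_control } for  pid=5832 comm="at" capability=30 scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tclass=capability
node=viklef type=AVC msg=audit(1228775175.737:3456): avc:  denied  { read } for  pid=5832 comm="at" name="utmp" dev=dm-0 ino=1274215 scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=viklef type=AVC msg=audit(1228775175.737:3455): avc:  denied  { read write } for  pid=5832 comm="at" name="utmp" dev=dm-0 ino=1274215 scontext=staff_u:staff_r:staff_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# Permissions inside the braces, then source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumption for this example (not an audit2allow feature): object classes whose
# generated rules a reviewer should read by hand before loading the module.
REVIEW_CLASSES = {"capability"}

def context_type(ctx):
    """'user:role:type:range' -> 'type', the field TE rules are written against."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Collapse AVC lines into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no avc: field
            continue
        src = context_type(m.group("scon"))
        tgt = context_type(m.group("tcon"))
        tgt = "self" if tgt == src else tgt  # same type on both sides is 'self'
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_te_rules(rules):
    """Render allow rules in the form audit2allow emits, sorted for stable review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        perm = plist if len(perms) == 1 else "{ " + plist + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm};")
    return out

def needs_review(rules):
    """Keys of rules in REVIEW_CLASSES: read these before running semodule -i."""
    return sorted(k for k in rules if k[2] in REVIEW_CLASSES)
```

Running `to_te_rules(parse_denials(AVC_LOG))` yields three rules, one of them `allow staff_crontab_t self:capability audit_control;`, which `needs_review` singles out because a capability grant reaches well beyond the utmp reads this report is about.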
