Bug 497273 - Coming autofs update needs Selinux policy update
Summary: Coming autofs update needs Selinux policy update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On: 433407
Blocks:
Reported: 2009-04-23 06:02 UTC by Ian Kent
Modified: 2012-10-15 14:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 433407
Environment:
Last Closed: 2009-09-02 08:00:13 UTC
Target Upstream Version:
Embargoed:


Attachments
RHEL-5.3 selinux alert from Selinux Troubleshooter (3.20 KB, text/plain)
2009-04-23 06:09 UTC, Ian Kent
RHEL-5.3 selinux alert from Selinux Troubleshooter (3.12 KB, text/plain)
2009-04-23 06:12 UTC, Ian Kent


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:1242 0 normal SHIPPED_LIVE selinux-policy bug fix update 2009-09-01 08:32:34 UTC

Description Ian Kent 2009-04-23 06:02:08 UTC
+++ This bug was initially created as a clone of Bug #433407 +++

Description of problem:

Heads up!

There is a problem with the active re-start, that is the
restart of autofs with active mounts.

The details are a bit complicated and the best way to
understand the problem is to look at bug #431716, in
particular comment #5. Bug #287411 is also an example
of the problem.

The bottom line is that, to resolve the issue, ioctl
commands need to be sent to autofs via a miscellaneous
device node. So autofs will need appropriate access rights
to use the device file (udev creates it as /dev/autofs at
kernel module load time).

The changes for the kernel module and the daemon are well
along and I will collect specific avc messages as the final
step in my testing and post them to this bug.

The changes will, as the work progresses, need to find their
way into F8 (and perhaps F7), RHEL-5 and RHEL-4.

Ian

--- Additional comment from ikent on 2008-02-19 22:25:04 EDT ---

Created an attachment (id=295375)
Alerts from device file access


--- Additional comment from ikent on 2008-02-19 22:26:22 EDT ---

Created an attachment (id=295376)
Alerts from mount and umount

I'm also seeing these in F8.
They appear to be new alerts.

--- Additional comment from dwalsh on 2008-02-20 08:56:01 EDT ---

selinux-policy-3.2.8-2.fc9.noarch has the definition for /dev/autofs

The second group of avcs for mount seem to be a leaked file descriptor.

selinux-policy-3.0.8-88.fc8 has the same policy so please make sure it works in
rawhide.

Comment 1 Ian Kent 2009-04-23 06:06:33 UTC
This functionality is to be incorporated in RHEL-5.4 autofs.

Sorry I didn't alert you to this earlier but it slipped my mind
that, although addressed in Fedora, I would need to request it
be included in RHEL-5 policy.

It didn't occur to me until I saw the avcs when testing against
RHEL-5.3.

Comment 2 Ian Kent 2009-04-23 06:09:26 UTC
Created attachment 340871
RHEL-5.3 selinux alert from Selinux Troubleshooter

Comment 3 Ian Kent 2009-04-23 06:12:24 UTC
Created attachment 340872
RHEL-5.3 selinux alert from Selinux Troubleshooter

These two alerts are the only relevant avcs I can see on RHEL-5.3.
AFAICT the other alerts I have are common in my test setup and
don't occur in normal use of autofs.
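
An added example, not part of the original comments or the bug's attachments: a small filter that separates AVC denials on the /dev/autofs device node from unrelated ones, such as the mount denials attributed above to a leaked file descriptor. The log lines, the `automount_t`, `device_t` and `mount_t` labels in them, and the function names are constructed assumptions.

```python
import re

# Constructed audit.log lines (not taken from the bug's attachments).
SAMPLE_LOG = """\
type=AVC msg=audit(1240466966.123:41): avc:  denied  { read write } for  pid=2817 comm="automount" name="autofs" dev=tmpfs ino=5123 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1240466966.127:42): avc:  denied  { ioctl } for  pid=2817 comm="automount" path="/dev/autofs" dev=tmpfs ino=5123 scontext=system_u:system_r:automount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1240466970.004:43): avc:  denied  { read } for  pid=2901 comm="mount" path="pipe:[9911]" dev=pipefs ino=9911 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:automount_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1240466970.004:43): arch=c000003e syscall=59 success=yes exit=0 comm="mount"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict of its fields, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def is_autofs_device(rec):
    """True when the denial targets a character device named autofs."""
    target = rec.get('path') or rec.get('name', '')
    return rec.get('tclass') == 'chr_file' and target.rsplit('/', 1)[-1] == 'autofs'


def autofs_device_denials(log_text):
    """Map (source type, target type) to the sorted permissions denied on /dev/autofs."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_autofs_device(rec):
            key = (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2])
            out.setdefault(key, set()).update(rec['perms'])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for (src, tgt), perms in autofs_device_denials(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:chr_file denied {{ {' '.join(perms)} }}")
```

A denial whose target type is the generic device label, as in the constructed lines, points at a missing file-context definition for the node rather than at a missing allow rule alone.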

Comment 4 Daniel Walsh 2009-04-23 12:22:35 UTC
Fixed in selinux-policy-2.4.6-228.el5

Comment 11 errata-xmlrpc 2009-09-02 08:00:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1242.html

