500768 – SELinux is preventing readahead_t (read|open|getattr) auditd_etc_t

Bug 500768 - SELinux is preventing readahead_t (read|open|getattr) auditd_etc_t

Summary: SELinux is preventing readahead_t (read|open|getattr) auditd_etc_t

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-05-14 05:29 UTC by Allen Kistler
Modified:	2009-05-29 01:36 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-05-29 01:36:26 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
setroublshooter denial report early.sorted (3.42 KB, text/plain) 2009-05-17 04:44 UTC, David Timms	no flags	Details
setroublshooter denial report later.sorted (3.42 KB, text/plain) 2009-05-17 04:45 UTC, David Timms	no flags	Details
View All

Description Allen Kistler 2009-05-14 05:29:58 UTC

Description of problem:
A few denials in audit.log.  They occurred coincident with a log rotation initiated by anacron, even though audit.log didn't get rotated itself.

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-34

How reproducible:
Sometimes (?)

Steps to Reproduce:
1. boot
2. look in audit.log

Actual results:
AVC denials (see below)

Expected results:
No AVC denials

Additional info:
I haven't succeeded in reproducing the denials, even though audit2why says there's not an enforcement rule to allow the actions.  Nevertheless, here they are.

node=ack607 type=AVC msg=audit(1242260032.181:24): avc:  denied  { read } for  pid=8345 comm="readahead" name="auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file

node=ack607 type=AVC msg=audit(1242260032.181:24): avc:  denied  { open } for  pid=8345 comm="readahead" name="auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file

node=ack607 type=AVC msg=audit(1242260032.188:25): avc:  denied  { getattr } for  pid=8345 comm="readahead" path="/etc/audit/auditd.conf" dev=dm-7 ino=41387 scontext=system_u:system_r:readahead_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file

Comment 1 Daniel Walsh 2009-05-14 12:51:33 UTC

Fixed in selinux-policy-3.6.12-36.fc11.noarch

Comment 2 David Timms 2009-05-17 04:44:43 UTC

Created attachment 344314 [details]
setroublshooter denial report early.sorted

(In reply to comment #1)
> Fixed in selinux-policy-3.6.12-36.fc11.noarch  
I'm on selinux-policy-3.6.12-34 and saw these two, but I'm not sure if they are exactly the same as the reporter

Comment 3 David Timms 2009-05-17 04:45:21 UTC

Created attachment 344315 [details]
setroublshooter denial report later.sorted

Comment 4 Allen Kistler 2009-05-17 17:31:21 UTC

David:

early.sorted on my system is in /var/lib/readahead and has context readahead_var_lib_t, not etc_t, which is what sealert is trying to tell you when it says

You can attempt to fix file context by executing restorecon -v early.sorted

Ditto later.sorted.  Somehow your contexts got messed up.  restorecon is your friend.

HTH

Comment 5 Allen Kistler 2009-05-29 01:36:26 UTC

Tested against selinux-policy-3.6.12-39.

Verified that all those events are now "dontaudit"

Closing ...

Note You need to log in before you can comment on or make changes to this bug.