Bug 502636 - selinux is preventing groupadd/groupmod to touch /usr/tmp
selinux is preventing groupadd/groupmod to touch /usr/tmp
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-26 11:36 EDT by Petr Muller
Modified: 2016-09-19 22:05 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-21 17:27:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Petr Muller 2009-05-26 11:36:19 EDT
Description of problem:
When nsswitch.conf is configured to use 'db' source for groups, groupadd/groupmod utilities start, for some reason try to touch /usr/tmp, which is a symlink to /var/tmp. This is prevented by selinux with AVC message of this kind:

time->Mon May 25 15:55:53 2009
type=SYSCALL msg=audit(1243281353.364:499668): arch=40000003 syscall=195 success=no exit=-13 a0=22e284 a1=bfc2af08 a2=a60ff4 a3=64 items=0 ppid=15361 pid=16261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupmod" exe="/usr/sbin/groupmod" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1243281353.364:499668): avc:  denied  { read } for  pid=16261 comm="groupmod" name="tmp" dev=dm-0 ino=1922 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11.noarch
selinux-policy-targeted-3.6.12-39.fc11.noarch

How reproducible:
When we run some of our tests in RHTS. It doesn't seem to manifest when running a simple groupadd from command line, though. But the contexts seem sane.

Steps to Reproduce:
1. run /tools/glibc/Sanity/nss-sanity test with latest rawhide distro
  
Actual results:
avc denied

Expected results:
no avc failures

Additional info:
This was found when testing tier tests on rawhide-20090525 using rhts.
Comment 1 Daniel Walsh 2009-05-26 12:36:47 EDT
If you put the machine or domain into permissive mode, do you actually see it trying to write to tmp_t files?
Comment 2 Petr Muller 2009-05-26 12:59:26 EDT
it doesn't seem so - everything groupadd is doing is stat:

# groupdel aaa1; strace -e trace=file groupadd aaa1 2>&1 | grep tmp
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
(tens of occurences)
Comment 3 Bug Zapper 2009-06-09 12:35:50 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Daniel Walsh 2009-08-21 17:27:58 EDT
Seems like this is fixed in the current release.

Note You need to log in before you can comment on or make changes to this bug.