Bug 503561 - chfn fails due to SELinux - without logging an AVC denial message [NEEDINFO]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: util-linux
Version: 5.3
Hardware: i686 Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Karel Zak
QA Contact: qe-baseos-daemons
Duplicates: 638354
Reported: 2009-06-01 13:59 EDT by Brian Ginn
Modified: 2014-06-02 09:04 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-02 09:04:33 EDT
Flags: pm-rhel: needinfo? (bginn)
Attachments: none

Description Brian Ginn 2009-06-01 13:59:00 EDT
Description of problem:
chfn refuses to change the finger info, reporting:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of user5

This refusal is due to SELinux; however, chfn is reporting the refusal rather than having SELinux report a denial.  Having the denial is necessary so that audit2allow can be used to determine the SELinux policy required.

Version-Release number of selected component (if applicable):
util-linux-2.13-0.50.el5

How reproducible:
100%

Steps to Reproduce:
1. Create an application that will exec /usr/bin/chfn.
2. Create SELinux policy for that application such that the source context is
   system_u:system_r:myapp_t:SystemLow-SystemHigh 
   Do NOT include "allow myapp_t self:passwd chfn;" in the policy.
3. Run the application
  
Actual results:
chfn does not update the finger info, and reports:
chfn: system_u:system_r:myapp_t:SystemLow-SystemHigh is not authorized to change the finger info of user5

Expected results:
/var/log/audit/audit.log should contain an AVC denial message.
audit2allow should be able to convert that message into the appropriate policy:
allow myapp_t self:passwd chfn;

Additional info: none.
Comment 1 Daniel Walsh 2009-06-02 08:30:02 EDT
The problem here is the denial is not being reported to the audit log in audit log format.  This would give the SELinux tools a chance to realize what is going on and suggest the correct policy to fix this.

I believe these should all be auditable events, since an unprivileged process tried to change the finger info, shell or password of another user.
Comment 2 Steve Grubb 2009-06-02 17:19:11 EDT
The real issue is that some code needs changing inside selinux_utils.c. It needs to use avc_has_perm rather than security_compute_av and set up an audit callback via avc_init. Then the callback should call audit_log_user_avc_message to get this in the right place.
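The check pattern comment 2 describes, written out as an added example (this is not util-linux's selinux_utils.c nor libselinux code, and the enum, the function names, the "chfn" message prefix, the HAVE_LIBSELINUX build switch and the file name chfn_avc.c are this example's own; the libselinux and libaudit calls are the real APIs). avc_init() registers the two logging callbacks, avc_has_perm() performs the check, and on a denial the AVC formats the "avc:  denied  { chfn } ..." message and hands it to func_log, which forwards it to auditd with audit_log_user_avc_message() as a USER_AVC record. A plain security_compute_av() answer never reaches those callbacks, which is why the original chfn leaves nothing in audit.log:

```c
/*
 * Audited passwd-class access check, following comment 2. With the headers
 * installed build it as: cc -DHAVE_LIBSELINUX chfn_avc.c -lselinux -laudit
 * Without -DHAVE_LIBSELINUX the SELinux path is compiled out and the check
 * reports ACCESS_UNAVAILABLE, so the file still builds on any libc.
 * Example code, not util-linux's own; the names below are this example's.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum access_result {
	ACCESS_ALLOWED = 0,
	ACCESS_DENIED,		/* refused by policy; a USER_AVC record was emitted */
	ACCESS_UNAVAILABLE,	/* SELinux disabled, or support not compiled in */
	ACCESS_ERROR		/* context/class lookup or AVC setup failed */
};

/* Map avc_has_perm()'s return value and errno onto the enum above. */
enum access_result map_avc_result(int rc, int err)
{
	if (rc == 0)
		return ACCESS_ALLOWED;
	return err == EACCES ? ACCESS_DENIED : ACCESS_ERROR;
}
/* func_audit callback: the AVC has written "avc:  denied  { chfn } for " and
 * hands us the buffer tail to fill with object-manager detail, here the
 * account whose finger information was being changed (passed as auditdata). */
void chfn_audit_data(void *auditdata, unsigned short tclass, char *msgbuf, size_t msgbufsize)
{
	const char *target_user = auditdata ? (const char *)auditdata : "?";
	(void)tclass;	/* only one class is checked here */
	snprintf(msgbuf, msgbufsize, "user=%s", target_user);
}

#ifdef HAVE_LIBSELINUX
#include <stdarg.h>
#include <unistd.h>
#include <selinux/selinux.h>
#include <selinux/avc.h>
#include <libaudit.h>
static int audit_fd = -1;

/* func_log callback: the completed AVC message goes to auditd as a USER_AVC record. */
static void chfn_avc_log(const char *fmt, ...)
{
	char buf[1024];
	va_list ap;
	va_start(ap, fmt);
	vsnprintf(buf, sizeof(buf), fmt, ap);
	va_end(ap);
	if (audit_fd >= 0)
		audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
	else
		fprintf(stderr, "%s\n", buf);	/* no audit socket: still say why */
}

enum access_result check_chfn_permission(const char *target_user)
{
	struct avc_log_callback log_cb = { chfn_avc_log, chfn_audit_data };
	char *ctx = NULL;
	security_id_t sid;
	security_class_t tclass;
	access_vector_t perm;
	int rc;
	if (is_selinux_enabled() <= 0)
		return ACCESS_UNAVAILABLE;
	audit_fd = audit_open();
	/* avc_init() registers the callbacks; security_compute_av() would bypass them. */
	if (avc_init("chfn", NULL, &log_cb, NULL, NULL) < 0)
		return ACCESS_ERROR;
	/* Check the caller's context (the domain that exec'd chfn), as chfn does. */
	if (getprevcon(&ctx) < 0)
		return ACCESS_ERROR;
	rc = avc_context_to_sid(ctx, &sid);
	freecon(ctx);
	tclass = string_to_security_class("passwd");
	perm = string_to_av_perm(tclass, "chfn");
	if (rc < 0 || tclass == 0 || perm == 0)
		return ACCESS_ERROR;
	/* Same SID as subject and target: the "allow myapp_t self:passwd chfn;" check. */
	rc = avc_has_perm(sid, sid, tclass, perm, NULL, (void *)target_user);
	return map_avc_result(rc, errno);
}
#else
enum access_result check_chfn_permission(const char *target_user)
{
	(void)target_user;
	return ACCESS_UNAVAILABLE;
}
#endif

int main(int argc, char **argv)
{
	static const char *const names[] = { "allowed", "denied", "selinux unavailable", "error" };
	const char *user = argc > 1 ? argv[1] : "user5";
	enum access_result r = check_chfn_permission(user);
	printf("passwd { chfn } for %s: %s\n", user, names[r]);
	return r == ACCESS_DENIED || r == ACCESS_ERROR;
}
```

Run from a domain that lacks passwd:chfn, the refusal is still reported to the caller, but it now also lands in /var/log/audit/audit.log as a type=USER_AVC record, the form audit2allow reads when it proposes a rule such as `allow myapp_t self:passwd chfn;`. Newer libselinux releases mark avc_init() deprecated in favour of avc_open() plus selinux_set_callback() for the log and audit callbacks; the flow is otherwise the same.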
Comment 3 Karel Zak 2010-04-09 08:59:50 EDT
Is this problem still reproducible on RHEL5.5? If yes, is it correct to have this issue assigned to util-linux (see comment #2)?
Comment 4 Karel Zak 2010-09-29 17:51:45 EDT
Oh, I see the issue in selinux_utils.c now. Ignore my previous comment #3.
Comment 5 Karel Zak 2010-09-29 17:52:22 EDT
*** Bug 638354 has been marked as a duplicate of this bug. ***
Comment 6 RHEL Product and Program Management 2011-01-11 15:26:59 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 7 RHEL Product and Program Management 2011-01-12 10:16:05 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 8 RHEL Product and Program Management 2011-05-31 09:22:31 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 9 RHEL Product and Program Management 2014-03-07 07:41:20 EST
This bug/component is not included in scope for RHEL-5.11.0, which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of the RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Comment 10 RHEL Product and Program Management 2014-06-02 09:04:33 EDT
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
