Bug 558062 - SELinux is preventing /usr/sbin/xenstored "read write" access on privcmd.
Summary: SELinux is preventing /usr/sbin/xenstored "read write" access on privcmd.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a4cad2c915a...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-01-23 12:08 UTC by Gaetan Cambier
Modified: 2010-02-02 01:22 UTC (History)
2 users (show)

Fixed In Version: 3.6.32-78.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-02 01:22:49 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Gaetan Cambier 2010-01-23 12:08:18 UTC 
Résumé:

SELinux is preventing /usr/sbin/xenstored "read write" access on privcmd.

Description détaillée:

SELinux denied access requested by xenstored. It is not expected that this
access is required by xenstored and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Autoriser l'accès:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Informations complémentaires:

Contexte source               system_u:system_r:xenstored_t:s0
Contexte cible                system_u:object_r:xenfs_t:s0
Objets du contexte            privcmd [ file ]
source                        xenstored
Chemin de la source           /usr/sbin/xenstored
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         xen-runtime-3.4.2-1.fc12
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-69.fc12
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (removed)
Plateforme                    Linux Gaetan.Cambier-Dereze
                              2.6.31.9-1.2.82.xendom0.fc12.i686.PAE #1 SMP Wed
                              Dec 23 21:24:05 UTC 2009 i686 athlon
Compteur d'alertes            1
Première alerte              sam 23 jan 2010 10:34:41 CET
Dernière alerte              sam 23 jan 2010 10:34:41 CET
ID local                      c06a6601-2b16-4b75-b574-d7f473222f66
Numéros des lignes           

Messages d'audit bruts        

node=Gaetan.Cambier-Dereze type=AVC msg=audit(1264239281.344:11): avc:  denied  { read write } for  pid=1662 comm="xenstored" name="privcmd" dev=xenfs ino=6008 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xenfs_t:s0 tclass=file

node=Gaetan.Cambier-Dereze type=SYSCALL msg=audit(1264239281.344:11): arch=40000003 syscall=5 success=no exit=-13 a0=a8828f a1=8002 a2=0 a3=84e00e0 items=0 ppid=1 pid=1662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xenstored" exe="/usr/sbin/xenstored" subj=system_u:system_r:xenstored_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-69.fc12,catchall,xenstored,xenstored_t,xenfs_t,file,read,write
audit2allow suggests:

#============= xenstored_t ==============
allow xenstored_t xenfs_t:file { read write };
Comment 1 Daniel Walsh 2010-01-25 16:49:29 UTC 
Miroslav add 

fs_manage_xenfs_files(xenstored_t)
 Please.
Comment 2 Miroslav Grepl 2010-01-25 17:01:04 UTC 
Fixed in selinux-policy-3.6.32-77.fc12
Comment 3 Fedora Update System 2010-01-28 09:23:17 UTC 
selinux-policy-3.6.32-78.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-78.fc12
Comment 4 Fedora Update System 2010-01-29 03:28:33 UTC 
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1207
Comment 5 Fedora Update System 2010-02-02 01:20:38 UTC 
selinux-policy-3.6.32-78.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.