Bug 619285 - staff_u user cannot run "Applications -> System Tools -> SELinux Audit Log Analysis"
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 6.0
Hardware: All
OS: Linux
Priority: low
Severity: medium
: rc
: ---
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
: RHELNAK
Reported: 2010-07-29 03:28 EDT by Milos Malik
Modified: 2010-07-29 09:44 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-29 09:44:40 EDT

Attachments
AVCs caught during the action (44.21 KB, text/plain)
2010-07-29 05:22 EDT, Milos Malik
screenshot taken immediately after the action (547.22 KB, image/png)
2010-07-29 05:24 EDT, Milos Malik

Description Milos Malik 2010-07-29 03:28:03 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-34.el6.noarch
selinux-policy-3.7.19-34.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. useradd -Z staff_u somebody
2. passwd somebody
3. log in as somebody via GDM
4. run Applications -> System Tools -> SELinux Audit Log Analysis
5. ausearch -m avc -ts recent | audit2allow

#============= staff_consolehelper_t ==============
allow staff_consolehelper_t fonts_t:dir getattr;
allow staff_consolehelper_t home_root_t:dir search;
allow staff_consolehelper_t pam_var_run_t:dir getattr;
allow staff_consolehelper_t self:shm create;
allow staff_consolehelper_t staff_dbusd_t:unix_stream_socket connectto;
allow staff_consolehelper_t usr_t:file { read getattr };

Actual results:


Expected results:
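The rule list in step 5 is what audit2allow derives from the raw AVC records. As an added example (not code from the bug report and not the audit2allow project's own code), the following Python re-implements that derivation step: it parses each AVC denial for source type, target type, object class and denied permissions, merges denials per (source, target, class), and renders allow rules. The audit lines it runs on are constructed to mirror the six denials in the report (the comm, pid, path and serial values are made up), so the aggregation and the `self` shorthand can be inspected before anyone turns such output into a policy module.

```python
"""Minimal re-implementation of the rule-derivation step of audit2allow.

Constructed sample input: the audit records below are written to mirror
the six denials quoted in the bug report; they are not copied from the
attachment, and pid/comm/path/serial values are invented.
"""
import re
from collections import defaultdict

# Only these four fields of an AVC record matter for rule generation;
# pid, comm, path, ino and so on are ignored, as audit2allow ignores them.
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?"
    r"tcontext=(?P<tcontext>\S+).*?"
    r"tclass=(?P<tclass>\S+)"
)

SAMPLE_AVCS = [
    'type=AVC msg=audit(1280389382.101:201): avc:  denied  { getattr } for  pid=2231 comm="consolehelper" path="/usr/share/fonts" dev=dm-0 ino=131075 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:fonts_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1280389382.101:201): arch=c000003e syscall=4 success=no exit=-13',
    'type=AVC msg=audit(1280389382.102:202): avc:  denied  { search } for  pid=2231 comm="consolehelper" name="/home" dev=dm-0 ino=2 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1280389382.103:203): avc:  denied  { getattr } for  pid=2231 comm="consolehelper" path="/var/run/console" dev=dm-0 ino=4101 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1280389382.104:204): avc:  denied  { create } for  pid=2231 comm="consolehelper" scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=staff_u:staff_r:staff_consolehelper_t:s0 tclass=shm',
    'type=AVC msg=audit(1280389382.105:205): avc:  denied  { connectto } for  pid=2231 comm="consolehelper" path="/tmp/dbus-XXXXXX" scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=staff_u:staff_r:staff_dbusd_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1280389382.106:206): avc:  denied  { read } for  pid=2231 comm="consolehelper" name="seaudit" dev=dm-0 ino=267422 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC msg=audit(1280389382.107:207): avc:  denied  { getattr } for  pid=2231 comm="consolehelper" path="/usr/bin/seaudit" dev=dm-0 ino=267422 scontext=staff_u:staff_r:staff_consolehelper_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
]

# The six rules quoted in the bug report, used here as the expected result.
EXPECTED_RULES = [
    "allow staff_consolehelper_t fonts_t:dir getattr;",
    "allow staff_consolehelper_t home_root_t:dir search;",
    "allow staff_consolehelper_t pam_var_run_t:dir getattr;",
    "allow staff_consolehelper_t self:shm create;",
    "allow staff_consolehelper_t staff_dbusd_t:unix_stream_socket connectto;",
    "allow staff_consolehelper_t usr_t:file { read getattr };",
]


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial; return None for records that are not AVC denials."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    stype = _type_of(m.group("scontext"))
    ttype = _type_of(m.group("tcontext"))
    return {
        "stype": stype,
        # A domain denied access to an object of its own type is written as 'self'.
        "ttype": "self" if ttype == stype else ttype,
        "tclass": m.group("tclass"),
        # Keep log order so the rendered permission set reads like audit2allow's.
        "perms": m.group("perms").split(),
    }


def generate_allow_rules(lines):
    """Merge denials per (source, target, class) and render allow rules."""
    merged = defaultdict(dict)  # dict used as an insertion-ordered set
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        for perm in rec["perms"]:
            merged[key].setdefault(perm, None)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_text = " ".join(perms) if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in generate_allow_rules(SAMPLE_AVCS):
        print(rule)
```

Turning this output into a loaded module unchanged (`audit2allow -M local` followed by `semodule -i local.pp`) grants every listed permission to any process running in staff_consolehelper_t, not just the GUI tool that triggered the denials; the generated rules are a diagnosis of what the confined domain tried to do, not a decision about what it should be allowed to do.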
Comment 2 RHEL Product and Program Management 2010-07-29 03:48:05 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 3 Milos Malik 2010-07-29 05:22:05 EDT
Created attachment 435233 [details]
AVCs caught during the action
Comment 4 Milos Malik 2010-07-29 05:24:45 EDT
Created attachment 435234 [details]
screenshot taken immediately after the action
Comment 5 Milos Malik 2010-07-29 05:30:16 EDT
The same problem arises if the user runs Applications -> System Tools -> SELinux Policy Generation Tool.
Comment 6 Milos Malik 2010-07-29 05:55:04 EDT
I know that staff_u user is not able to run some programs, but the user should be at least allowed to read the message in the window (see the attached screenshot).
Comment 7 Daniel Walsh 2010-07-29 09:34:38 EDT
It is questionable whether a staff_t user should be able to look at log files.  The selinux policy generation is also tough.  The problem is these tools have not been dbus-ified so it is not likely that these will work or should work in RHEL6.
Comment 8 RHEL Product and Program Management 2010-07-29 09:44:40 EDT
Development Management has reviewed and declined this request.  You may appeal
this decision by reopening this request.