Bug 691665 - AVCs appear when evince is running in sandbox
Summary: AVCs appear when evince is running in sandbox
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-03-29 08:24 UTC by Milos Malik
Modified: 2013-01-11 03:54 UTC (History)

Fixed In Version: selinux-policy-3.7.19-84.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 12:27:03 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Milos Malik 2011-03-29 08:24:35 UTC
Description of problem:


Version-Release number of selected component (if applicable):
evince-2.28.2-14.el6.i686
evince-libs-2.28.2-14.el6.i686
policycoreutils-2.0.83-19.7.el6_0.i686
policycoreutils-debuginfo-2.0.83-19.7.el6_0.i686
policycoreutils-gui-2.0.83-19.7.el6_0.i686
policycoreutils-newrole-2.0.83-19.7.el6_0.i686
policycoreutils-python-2.0.83-19.7.el6_0.i686
policycoreutils-sandbox-2.0.83-19.7.el6_0.i686
selinux-policy-3.7.19-54.el6_0.5.noarch
selinux-policy-doc-3.7.19-54.el6_0.5.noarch
selinux-policy-minimum-3.7.19-54.el6_0.5.noarch
selinux-policy-mls-3.7.19-54.el6_0.5.noarch
selinux-policy-targeted-3.7.19-54.el6_0.5.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.0 machine
2. create an user
3. log into X Windows as this user
4. run terminal
5. run "sandbox -X evince" in the terminal
6. click File->Open in evince, choose Filesystem and then choose home directory again
  
Actual results:
----
time->Tue Mar 29 10:11:46 2011
type=USER_AVC msg=audit(1301386306.866:108): user pid=1293 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.UDisks spid=3135 tpid=2285 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Mar 29 10:11:48 2011
type=SYSCALL msg=audit(1301386308.864:110): arch=40000003 syscall=5 success=no exit=-13 a0=b50048a8 a1=8000 a2=0 a3=0 items=0 ppid=3118 pid=3138 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="evince" exe="/usr/bin/evince" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 key=(null)
type=AVC msg=audit(1301386308.864:110): avc:  denied  { read } for  pid=3138 comm="evince" name="/" dev=vda1 ino=2 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:object_r:boot_t:s0 tclass=dir
----
time->Tue Mar 29 10:11:48 2011
type=SYSCALL msg=audit(1301386308.869:111): arch=40000003 syscall=5 success=no exit=-13 a0=b5010900 a1=8000 a2=0 a3=0 items=0 ppid=3118 pid=3138 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="evince" exe="/usr/bin/evince" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 key=(null)
type=AVC msg=audit(1301386308.869:111): avc:  denied  { read } for  pid=3138 comm="evince" name="cgroup" dev=dm-0 ino=15873 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----

Expected results:
no AVCs

Comment 1 Milos Malik 2011-03-29 08:27:16 UTC
AVCs mentioned above appear in enforcing mode.

The following AVCs appear when I repeat the same procedure in permissive mode:
----
time->Tue Mar 29 10:24:49 2011
type=SYSCALL msg=audit(1301387089.543:126): arch=40000003 syscall=21 success=no exit=-1 a0=836a318 a1=836a2b0 a2=836ad50 a3=6 items=0 ppid=1 pid=3299 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="gvfs-fuse-daemo" exe="/usr/libexec/gvfs-fuse-daemon" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 key=(null)
type=AVC msg=audit(1301387089.543:126): avc:  denied  { mounton } for  pid=3299 comm="gvfs-fuse-daemo" path="/home/tulpas/.gvfs" dev=dm-0 ino=80111 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c351,c461 tclass=dir
----
time->Tue Mar 29 10:24:55 2011
type=USER_AVC msg=audit(1301387095.282:127): user pid=1293 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.UDisks spid=3308 tpid=2285 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Mar 29 10:24:55 2011
type=SYSCALL msg=audit(1301387095.318:128): arch=40000003 syscall=196 success=yes exit=0 a0=bffdad4c a1=bffdac98 a2=297ff4 a3=bffd8c63 items=0 ppid=3307 pid=3308 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="gvfs-gdu-volume" exe="/usr/libexec/gvfs-gdu-volume-monitor" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 key=(null)
type=AVC msg=audit(1301387095.318:128): avc:  denied  { getattr } for  pid=3308 comm="gvfs-gdu-volume" path="/dev/dm-0" dev=devtmpfs ino=6015 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----

Comment 2 Miroslav Grepl 2011-03-29 11:29:49 UTC
I think this is a similar situation to the one we have with confined users. If you switch to permissive mode, you will see a lot of AVC messages.

I would dontaudit AVC msgs from enforcing mode.

Comment 3 Daniel Walsh 2011-03-29 18:09:10 UTC
Miroslav, let's add

files_dontaudit_list_all_mountpoints(sandbox_x_domain)

Comment 5 Miroslav Grepl 2011-04-05 19:10:23 UTC
Fixed in selinux-policy-3.7.19-81.el6

Comment 8 Daniel Walsh 2011-04-07 14:12:35 UTC
I have not seen that but Miroslav please add

optional_policy(`
	devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
')

########################################
## <summary>
##	Dontaudit Send and receive messages from
##	devicekit disk over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`devicekit_dontaudit_dbus_chat_disk',`
	gen_require(`
		type devicekit_disk_t;
		class dbus send_msg;
	')

	dontaudit $1 devicekit_disk_t:dbus send_msg;
	dontaudit devicekit_disk_t $1:dbus send_msg;
')
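
As an added example (not code from this bug report, from the reporter, or from the selinux-policy package), the Python below performs the triage step behind Comments 2, 3 and 8: it parses the AVC and USER_AVC records quoted in this report into (source type, target type, class, permission) tuples and renders each as the raw Type Enforcement dontaudit rule that would silence it. Maintainers normally wrap such rules in interfaces like devicekit_dontaudit_dbus_chat_disk() above rather than naming types directly; the sample records are copied from the Description and Comment 1.

```python
import re
from collections import defaultdict

# Audit records copied from this report. The dbus denial is a USER_AVC record whose avc text
# sits inside msg='...'; the time-> line shows that non-denial lines are skipped.
SAMPLE_AUDIT_LINES = [
    "time->Tue Mar 29 10:11:48 2011",
    """type=USER_AVC msg=audit(1301386306.866:108): user pid=1293 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.UDisks spid=3135 tpid=2285 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'""",
    'type=AVC msg=audit(1301386308.864:110): avc:  denied  { read } for  pid=3138 comm="evince" name="/" dev=vda1 ino=2 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:object_r:boot_t:s0 tclass=dir',
    'type=AVC msg=audit(1301386308.869:111): avc:  denied  { read } for  pid=3138 comm="evince" name="cgroup" dev=dm-0 ino=15873 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir',
    'type=AVC msg=audit(1301387089.543:126): avc:  denied  { mounton } for  pid=3299 comm="gvfs-fuse-daemo" path="/home/tulpas/.gvfs" dev=dm-0 ino=80111 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c351,c461 tclass=dir',
]

# Denial core shared by kernel AVC records and the msg='...' body of dbus USER_AVC records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    return ctx.split(":")[2]

def parse_avcs(lines):
    """Collect denied permissions per (source type, target type, class); other lines are skipped."""
    denials = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def dontaudit_rules(denials):
    """Render each denial as the raw TE dontaudit rule that would silence it. Whether a denial
    should be silenced or allowed is the policy author's call; this only shows the rule shape."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"dontaudit {stype} {ttype}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in dontaudit_rules(parse_avcs(SAMPLE_AUDIT_LINES)):
        print(rule)
```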

Comment 9 Miroslav Grepl 2011-04-08 13:47:55 UTC
Yes, I missed this also.

Comment 10 Miroslav Grepl 2011-04-11 10:14:56 UTC
Fixed in selinux-policy-3.7.19-84.el6

Comment 13 errata-xmlrpc 2011-05-19 12:27:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
