Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 691665

Summary:	AVCs appear when evince is running in sandbox
Product:	Red Hat Enterprise Linux 6	Reporter:	Milos Malik <mmalik>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6.0	CC:	dwalsh, mgrepl, plyons
Target Milestone:	rc
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.7.19-84.el6	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-05-19 12:27:03 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Milos Malik 2011-03-29 08:24:35 UTC

Description of problem:


Version-Release number of selected component (if applicable):
evince-2.28.2-14.el6.i686
evince-libs-2.28.2-14.el6.i686
policycoreutils-2.0.83-19.7.el6_0.i686
policycoreutils-debuginfo-2.0.83-19.7.el6_0.i686
policycoreutils-gui-2.0.83-19.7.el6_0.i686
policycoreutils-newrole-2.0.83-19.7.el6_0.i686
policycoreutils-python-2.0.83-19.7.el6_0.i686
policycoreutils-sandbox-2.0.83-19.7.el6_0.i686
selinux-policy-3.7.19-54.el6_0.5.noarch
selinux-policy-doc-3.7.19-54.el6_0.5.noarch
selinux-policy-minimum-3.7.19-54.el6_0.5.noarch
selinux-policy-mls-3.7.19-54.el6_0.5.noarch
selinux-policy-targeted-3.7.19-54.el6_0.5.noarch

How reproducible:
always

Steps to Reproduce:
1. get a RHEL-6.0 machine
2. create an user
3. log into X Windows as this user
4. run terminal
5. run "sandbox -X evince" in the terminal
6. click File->Open in evince, choose Filesystem and then choose home directory again
  
Actual results:
----
time->Tue Mar 29 10:11:46 2011
type=USER_AVC msg=audit(1301386306.866:108): user pid=1293 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.UDisks spid=3135 tpid=2285 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Mar 29 10:11:48 2011
type=SYSCALL msg=audit(1301386308.864:110): arch=40000003 syscall=5 success=no exit=-13 a0=b50048a8 a1=8000 a2=0 a3=0 items=0 ppid=3118 pid=3138 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="evince" exe="/usr/bin/evince" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 key=(null)
type=AVC msg=audit(1301386308.864:110): avc:  denied  { read } for  pid=3138 comm="evince" name="/" dev=vda1 ino=2 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:object_r:boot_t:s0 tclass=dir
----
time->Tue Mar 29 10:11:48 2011
type=SYSCALL msg=audit(1301386308.869:111): arch=40000003 syscall=5 success=no exit=-13 a0=b5010900 a1=8000 a2=0 a3=0 items=0 ppid=3118 pid=3138 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="evince" exe="/usr/bin/evince" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 key=(null)
type=AVC msg=audit(1301386308.869:111): avc:  denied  { read } for  pid=3138 comm="evince" name="cgroup" dev=dm-0 ino=15873 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c80,c672 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
----

Expected results:
no AVCs

Comment 1 Milos Malik 2011-03-29 08:27:16 UTC

AVCs mentioned aboved appear in enforcing mode.

Following AVCs appear when I repeat the same procedure in permissive mode:
----
time->Tue Mar 29 10:24:49 2011
type=SYSCALL msg=audit(1301387089.543:126): arch=40000003 syscall=21 success=no exit=-1 a0=836a318 a1=836a2b0 a2=836ad50 a3=6 items=0 ppid=1 pid=3299 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="gvfs-fuse-daemo" exe="/usr/libexec/gvfs-fuse-daemon" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 key=(null)
type=AVC msg=audit(1301387089.543:126): avc:  denied  { mounton } for  pid=3299 comm="gvfs-fuse-daemo" path="/home/tulpas/.gvfs" dev=dm-0 ino=80111 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=unconfined_u:object_r:sandbox_file_t:s0:c351,c461 tclass=dir
----
time->Tue Mar 29 10:24:55 2011
type=USER_AVC msg=audit(1301387095.282:127): user pid=1293 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.UDisks spid=3308 tpid=2285 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Tue Mar 29 10:24:55 2011
type=SYSCALL msg=audit(1301387095.318:128): arch=40000003 syscall=196 success=yes exit=0 a0=bffdad4c a1=bffdac98 a2=297ff4 a3=bffd8c63 items=0 ppid=3307 pid=3308 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=(none) ses=2 comm="gvfs-gdu-volume" exe="/usr/libexec/gvfs-gdu-volume-monitor" subj=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 key=(null)
type=AVC msg=audit(1301387095.318:128): avc:  denied  { getattr } for  pid=3308 comm="gvfs-gdu-volume" path="/dev/dm-0" dev=devtmpfs ino=6015 scontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c351,c461 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
----

Comment 2 Miroslav Grepl 2011-03-29 11:29:49 UTC

I think this is a similar situation which we have with confined users. If you switch to permissive mode, you will see a lot of AVC messages.

I would dontaudit AVC msgs from enforcing mode.

Comment 3 Daniel Walsh 2011-03-29 18:09:10 UTC

Miroslav lets add

files_dontaudit_list_all_mountpoints(sandbox_x_domain)

Comment 5 Miroslav Grepl 2011-04-05 19:10:23 UTC

Fixed in selinux-policy-3.7.19-81.el6

Comment 8 Daniel Walsh 2011-04-07 14:12:35 UTC

I have not seen that but Miroslav please add

optional_policy(`
	devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
')

########################################
## <summary>
##	Dontaudit Send and receive messages from
##	devicekit disk over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`devicekit_dontaudit_dbus_chat_disk',`
	gen_require(`
		type devicekit_disk_t;
		class dbus send_msg;
	')

	dontaudit $1 devicekit_disk_t:dbus send_msg;
	dontaudit devicekit_disk_t $1:dbus send_msg;
')

Comment 9 Miroslav Grepl 2011-04-08 13:47:55 UTC

Yes, I missed this also.

Comment 10 Miroslav Grepl 2011-04-11 10:14:56 UTC

Fixed in selinux-policy-3.7.19-84.el6

Comment 13 errata-xmlrpc 2011-05-19 12:27:03 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html