Bug 692835 - SELinux is preventing /sbin/setfiles from 'read' accesses on the file /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:2c415653bd9...
Depends On:
Blocks:
Reported: 2011-04-01 10:35 UTC by Nicolas Sapa
Modified: 2011-04-26 14:43 UTC (History)
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-26 14:43:33 UTC
Type: ---



Description Nicolas Sapa 2011-04-01 10:35:38 UTC
SELinux is preventing /sbin/setfiles from 'read' accesses on the file /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that setfiles should be allowed read access on the debian-6.0.1a-amd64-netinst.iso file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:virt_image_t:s0
Target Objects                /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso [ file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           policycoreutils-2.0.85-19.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP
                              Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 01 April 2011 12:16:34 CEST
Last Seen                     Fri 01 April 2011 12:16:34 CEST
Local ID                      60c9bed4-5a94-4fd2-94d8-e538c19951d4

Raw Audit Messages
type=AVC msg=audit(1301652994.903:1337): avc:  denied  { read } for  pid=7299 comm="restorecon" path="/var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso" dev=dm-1 ino=1453715 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=file


type=SYSCALL msg=audit(1301652994.903:1337): arch=x86_64 syscall=read success=no exit=EACCES a0=4 a1=7fe0298be000 a2=1000 a3=88f447d7d69683d3 items=0 ppid=7269 pid=7299 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Hash: restorecon,setfiles_t,virt_image_t,file,read

audit2allow

#============= setfiles_t ==============
allow setfiles_t virt_image_t:file read;

audit2allow -R

#============= setfiles_t ==============
allow setfiles_t virt_image_t:file read;

Comment 1 Nicolas Sapa 2011-04-01 10:38:29 UTC
I was doing a restorecon -R -vv /var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso in order to get access to this ISO in libvirt when I got this AVC.
The correct context for this file was restored despite this AVC.

Comment 2 Daniel Walsh 2011-04-01 15:12:31 UTC
Strange, I have no idea why setfiles/restorecon would be trying to read the file?

Comment 3 Stephen Smalley 2011-04-01 17:37:12 UTC
It shouldn't.  I can't seem to reproduce here.
$ rpm -q policycoreutils selinux-policy-targeted
policycoreutils-2.0.85-19.fc14.x86_64
selinux-policy-targeted-3.9.7-37.fc14.noarch
$ uname -r
2.6.35.11-83.fc14.x86_64
$ su
# chcon -t user_home_t /var/lib/libvirt/images/ubuntu.img 
# restorecon -R -vv /var/lib/libvirt/images/ubuntu.img 
restorecon reset /var/lib/libvirt/images/ubuntu.img context system_u:object_r:user_home_t:s0->system_u:object_r:virt_image_t:s0
# ausearch -m AVC -ts recent -i
<no matches>

setfiles/restorecon should only lstat(), getxattr() and setxattr() the file.
If applied recursively to a directory, it should read the directory, of course, and if applied to a symlink, it will read the symlink in order to expand the real path, but it shouldn't try to read the individual files themselves.

It does use fts(3) to walk the file tree, so I suppose if something changed in glibc implementation of fts (e.g. open O_RDONLY followed by fstat rather than just stat), that could affect things.
$ rpm -q glibc
glibc-2.13-1.x86_64

Comment 4 Daniel Walsh 2011-04-01 17:59:59 UTC
It could be a leak or a redirection of stdin. Although that access should be blocked at exec time.

Comment 5 Nicolas Sapa 2011-04-26 09:50:13 UTC
I've found the cause:
One of the administrators had aliased a little too heavily (without reading the man ...).
I had:
alias restorecon='restorecon -f'

---
[root@Gallifrey images]# find . -iname "*FR*" > /root/fr.list
[root@Gallifrey images]# restorecon -f /root/fr.list -vv -R
Unable to open /root/fr.list: Permission denied

type=AVC msg=audit(1303810910.572:215): avc:  denied  { read } for  pid=4355 comm="restorecon" name="fr.list" dev=dm-1 ino=10102 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file


type=SYSCALL msg=audit(1303810910.572:215): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffca238837 a1=0 a2=1b6 a3=0 items=0 ppid=4048 pid=4355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=2 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
---
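
The two record pairs quoted in this report make a useful triage fixture. What follows is an added example, not part of the bug report and not code from policycoreutils or setroubleshoot: it joins each AVC record with the SYSCALL record that shares its audit serial, pulls out the source and target types, and rebuilds the one-line allow rule that audit2allow printed in the description. The point of joining the two records is visible in the first event: the SYSCALL line says syscall=read with a0=4, a file descriptor, so the ISO had already been opened as an input file, which is exactly what the aliased -f did to it. Installing that rule would have granted setfiles_t read on virt_image_t to hide a shell alias mistake; the bug closed NOTABUG for that reason. The log text is the page's own records embedded as a constant; the field names are taken from those records.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC/SYSCALL record pairs quoted in this bug
# report (description and comment 5), one pair per audit event.
AUDIT_LOG = """\
type=AVC msg=audit(1301652994.903:1337): avc:  denied  { read } for  pid=7299 comm="restorecon" path="/var/lib/libvirt/images/debian-6.0.1a-amd64-netinst.iso" dev=dm-1 ino=1453715 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_image_t:s0 tclass=file
type=SYSCALL msg=audit(1301652994.903:1337): arch=x86_64 syscall=read success=no exit=EACCES a0=4 a1=7fe0298be000 a2=1000 a3=88f447d7d69683d3 items=0 ppid=7269 pid=7299 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1303810910.572:215): avc:  denied  { read } for  pid=4355 comm="restorecon" name="fr.list" dev=dm-1 ino=10102 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1303810910.572:215): arch=x86_64 syscall=open success=no exit=EACCES a0=7fffca238837 a1=0 a2=1b6 a3=0 items=0 ppid=4048 pid=4355 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts12 ses=2 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
"""

# type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <body>
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value, where value is either double-quoted (path="...") or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set of an AVC record: { read } or { read write }
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Parse one audit record into a dict; return None for non-record lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        pm = PERMS_RE.search(body)
        rec["perms"] = pm.group(1).split() if pm else []
        rec["result"] = "denied" if " denied " in body else "granted"
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def group_events(text):
    """Join records that share a (timestamp, serial) pair, i.e. one kernel event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[(rec["ts"], rec["serial"])][rec["type"]] = rec
    return [events[k] for k in sorted(events)]


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def allow_rule(avc):
    """The single-line rule audit2allow prints for one AVC denial."""
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"], perm)


def summarize(event):
    """Flatten an AVC+SYSCALL pair into the fields a triager looks at first."""
    avc, sc = event["AVC"], event.get("SYSCALL")
    out = {
        "serial": avc["serial"],
        "comm": avc.get("comm"),
        "exe": sc.get("exe") if sc else None,
        "syscall": sc.get("syscall") if sc else None,
        "success": sc.get("success") if sc else None,
        "object": avc.get("path") or avc.get("name"),
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "rule": allow_rule(avc),
    }
    # a0 of read(2) is a file descriptor, so a denial on read means the
    # descriptor already existed; a0 of open(2) is a pathname pointer.
    if sc and sc.get("syscall") == "read":
        out["fd"] = int(sc["a0"], 16)
    return out


if __name__ == "__main__":
    for ev in group_events(AUDIT_LOG):
        s = summarize(ev)
        print("{serial}: {comm} ({exe}) {syscall} on {object!r} "
              "[{source_type} -> {target_type}:{tclass} {perms}]".format(**s))
        print("    audit2allow would emit:", s["rule"])
```

On a live system the same functions can be fed the output of `ausearch -r -m AVC,SYSCALL`, whose raw record format is what the quoted lines use. Before acting on the rule a denial suggests, check whether the access makes sense for the source domain at all: a read of a regular file by setfiles_t did not, and the correct fix here was removing the alias rather than adding policy.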

Comment 6 Daniel Walsh 2011-04-26 14:43:33 UTC
So this is not a bug?

