Bug 737643 - bad selinux policy for system-config-kdump, grubby and /etc/mtab
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2011-09-12 19:22 UTC by Roman Rakus
Modified: 2014-01-13 00:13 UTC

Fixed In Version: selinux-policy-3.9.16-50.fc15
Doc Type: Bug Fix
Last Closed: 2012-01-17 20:25:00 UTC



Description Roman Rakus 2011-09-12 19:22:12 UTC
Description of problem:
Package system-config-kdump is unable to get kernel information via the grubby command.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.9.16-38.fc15.noarch

How reproducible:
100%

Steps to Reproduce:
1. start `system-config-kdump'
  
Actual results:
Errors and AVC deny

Expected results:


Additional info:
Looks like grubby changed, but I'm not sure.
system-config-kdump is using dbus and calls external programs (like grubby).

Details from sealert:
SELinux is preventing grubby from read access on the lnk_file /etc/mtab.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/etc/mtab default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/mtab

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that grubby should be allowed read access on the mtab lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep grubby /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kdumpgui_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /etc/mtab [ lnk_file ]
Source                        grubby
Source Path                   grubby
Port                          <Unknown>
Host                          hp-xw6600-02.rhts.eng.bos.redhat.com
Source RPM Packages           
Target RPM Packages           util-linux-2.19.1-1.4.fc15
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hp-xw6600-02.rhts.eng.bos.redhat.com
Platform                      Linux hp-xw6600-02.rhts.eng.bos.redhat.com
                              2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 12 Sep 2011 03:01:40 PM EDT
Last Seen                     Mon 12 Sep 2011 03:01:40 PM EDT
Local ID                      547032cc-97dd-43c7-b8c9-29c0ae5b9876

Raw Audit Messages
type=AVC msg=audit(1315854100.445:106): avc:  denied  { read } for  pid=6467 comm="grubby" name="mtab" dev=dm-1 ino=2097168 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file


Hash: grubby,kdumpgui_t,etc_runtime_t,lnk_file,read

audit2allow

#============= kdumpgui_t ==============
allow kdumpgui_t etc_runtime_t:lnk_file read;

audit2allow -R

#============= kdumpgui_t ==============
allow kdumpgui_t etc_runtime_t:lnk_file read;
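
Added example (not part of the original report, and not the code of setroubleshoot or audit2allow): a small parser for the raw AVC record quoted above. It rebuilds the report's "Hash:" key and the candidate allow rule, and merges repeated denials the way a triage script would. The function names parse_avc, denial_key and candidate_rules are hypothetical, and the key layout is assumed from the single "Hash:" line shown in the report.

```python
import re

# The raw AVC record quoted in the report above, embedded so this runs offline.
SAMPLE = (
    'type=AVC msg=audit(1315854100.445:106): avc:  denied  { read } for  '
    'pid=6467 comm="grubby" name="mtab" dev=dm-1 ino=2097168 '
    'scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=lnk_file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line; return None unless it is a complete AVC denial."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    try:
        # A context is user:role:type[:level]; the level may itself contain ':'.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {'comm': fields.get('comm', '?'), 'stype': stype, 'ttype': ttype,
            'tclass': tclass, 'perms': m.group(1).split()}


def denial_key(avc):
    """Dedup key in the layout of the report's 'Hash:' line (assumed layout)."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'], avc['tclass'],
                     *avc['perms']])


def candidate_rules(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = {}
    for avc in filter(None, map(parse_avc, lines)):
        key = (avc['stype'], avc['ttype'], avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm};')
    return rules


if __name__ == '__main__':
    print(denial_key(parse_avc(SAMPLE)))
    print('\n'.join(candidate_rules([SAMPLE])))
```

The generated rule is a candidate for policy review rather than something to load as-is; Comment 1 places the fix for this denial in the manage_etc_runtime_files interface of the distributed policy.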

Comment 1 Daniel Walsh 2011-09-12 19:32:36 UTC
We should add this ability to read lnk_files to the manage_etc_runtime_files interface.  Already done in F16 policy.

Comment 2 Miroslav Grepl 2011-09-13 05:32:53 UTC
Fixed in selinux-policy-3.9.16-41.fc15

Comment 3 Fedora Update System 2011-12-14 13:39:31 UTC
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15

Comment 4 Fedora Update System 2011-12-14 23:29:31 UTC
Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-01-17 20:25:00 UTC
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

