Bug 756066 - Failing cvs login causes avc denial on /var/run/utmp
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2011-11-22 11:06 EST by Petr Sklenar
Modified: 2012-10-16 07:52 EDT
Fixed In Version: selinux-policy-2.4.6-320.el5
Doc Type: Bug Fix
Linked bug: 853403
Last Closed: 2012-02-21 00:48:36 EST
Description Petr Sklenar 2011-11-22 11:06:35 EST
Description of problem:
Failing cvs login causes avc denial on /var/run/utmp 

Version-Release number of selected component (if applicable):

# rpm -qa | grep cvs
cvs-1.11.22-10.el5
cvs-debuginfo-1.11.22-10.el5
cvs-inetd-1.11.22-10.el5

# rpm -qa | grep selinux
selinux-policy-targeted-2.4.6-317.el5
libselinux-devel-1.33.4-5.7.el5
libselinux-utils-1.33.4-5.7.el5
libselinux-python-1.33.4-5.7.el5
selinux-policy-2.4.6-317.el5
libselinux-1.33.4-5.7.el5


How reproducible:
deterministic

Steps to Reproduce:
1, Install `cvs-inetd' and `cvs' packages.
2, Enable cvs service in xinetd configuration (/etc/xinetd.d/cvs: disable = no) 
3, service xinetd restart
4, Try logging into CVS service on this machine as existing user (e.g. `root') with bad password:

5, cvs -d ":pserver:root:fooWrongPassword@localhost:/var/cvs" login
Logging in to :pserver:root@localhost:2401/var/cvs
PAM authenticate error: Authentication failure
cvs login: authorization failed: server localhost rejected access to /var/cvs for user root
# cvs failure is correct but not avc denial:

Actual results:
type=AVC msg=audit(1321976733.640:1688): avc:  denied  { read } for  pid=22606 comm="cvs" name="utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1321976733.640:1689): avc:  denied  { lock } for  pid=22606 comm="cvs" path="/var/run/utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

# find / -mount -inum 33914887
/var/run/utmp

# ls -laZ /var/run/utmp
-rw-rw-r--  root utmp system_u:object_r:initrc_var_run_t /var/run/utmp
# restorecon /var/run/utmp
# ls -laZ /var/run/utmp
-rw-rw-r--  root utmp system_u:object_r:initrc_var_run_t /var/run/utmp

Expected results:
no avc denial

Additional info:
The AVC denial appears only occasionally on the file /var/run/utmp, but it always appears on the first try of the command in step 5. After that you need to wait a random amount of time to reproduce it again.
Comment 1 Petr Pisar 2011-11-23 04:09:36 EST
I think this is triggered by a PAM module after I applied a patch to /usr/bin/cvs setting a dummy PAM_TTY value (https://bugzilla.redhat.com/attachment.cgi?id=484179).
Comment 2 Milos Malik 2011-11-23 07:20:44 EST
Enforcing mode reveals the read operation only. Permissive mode reveals both operations: read and lock.

----
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80099) : arch=x86_64 syscall=open success=yes exit=3 a0=364e122686 a1=0 a2=2 a3=cc8d5a0d items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/23/2011 07:16:30.921:80099) : avc:  denied  { read } for  pid=20192 comm=cvs name=utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 
----
type=SYSCALL msg=audit(11/23/2011 07:16:30.921:80100) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=3 a1=7 a2=7fff7f5edab0 a3=8 items=0 ppid=20118 pid=20192 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7901 comm=cvs exe=/usr/bin/cvs subj=root:system_r:cvs_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/23/2011 07:16:30.921:80100) : avc:  denied  { lock } for  pid=20192 comm=cvs path=/var/run/utmp dev=dm-0 ino=16859047 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file 
----
Comment 3 Daniel Walsh 2011-11-23 15:05:42 EST
We should dontaudit this.
Comment 4 Miroslav Grepl 2011-12-05 03:48:08 EST
Dontaudited in selinux-policy-2.4.6-320.el5.
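As an added example (not code from the bug report or from the selinux-policy package), a small Python parser that reads the two AVC records quoted in this report, groups the denied permissions by source type, target type and object class, and renders the kind of dontaudit rule Comment 4 refers to. The rule text is an assumed rendering in policy-language syntax, not the exact line shipped in selinux-policy-2.4.6-320.el5.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw audit.log AVC records from the report.
SAMPLE_AVC = """\
type=AVC msg=audit(1321976733.640:1688): avc:  denied  { read } for  pid=22606 comm="cvs" name="utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1321976733.640:1689): avc:  denied  { lock } for  pid=22606 comm="cvs" path="/var/run/utmp" dev=dm-0 ino=33914887 scontext=root:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

# Matches both the raw audit.log form (quoted comm/name) and the
# `ausearch -i` form (unquoted fields, as in Comment 2).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def domain_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} for denied AVC records."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and separators carry no AVC payload
        key = (domain_type(m.group("scontext")),
               domain_type(m.group("tcontext")),
               m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return dict(denials)


def dontaudit_rules(denials):
    """Render one dontaudit rule per (source, target, class) tuple (assumed syntax)."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rules.append(f"dontaudit {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in dontaudit_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

On a real system, `audit2allow -D` from policycoreutils derives the same kind of dontaudit rule directly from ausearch output.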
Comment 8 errata-xmlrpc 2012-02-21 00:48:36 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html