Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-124.el6.noarch
selinux-policy-targeted-3.7.19-124.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. create an xguest_u user
2. log in as this user
3. run "getsebool -a"
4. create a guest_u user
5. log in as this user
6. run "getsebool -a"

Actual results:
* "getsebool -a" executed by the xguest_u user prints all booleans
* "getsebool -a" executed by the guest_u user prints the following message:
getsebool: Unable to get boolean names: Permission denied

Expected results:
* the output of "getsebool -a" should be the same in both cases
The following AVC appears when dontaudit rules are turned off:

----
time->Tue Dec 6 03:52:34 2011
type=SYSCALL msg=audit(1323161554.372:485625): arch=c000003e syscall=2 success=no exit=-13 a0=7fffb5e0e210 a1=90800 a2=3199008260 a3=fffffff6 items=0 ppid=12741 pid=12768 auid=504 uid=504 gid=505 euid=504 suid=504 fsuid=504 egid=505 sgid=505 fsgid=505 tty=pts0 ses=25366 comm="getsebool" exe="/usr/sbin/getsebool" subj=guest_u:guest_r:guest_t:s0 key=(null)
type=AVC msg=audit(1323161554.372:485625): avc: denied { read } for pid=12768 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
----
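The AVC record above is the evidence the rest of the thread reasons from: the denied permission, the source type and the target type/class are what get compared against the policy's allow rules. The following POSIX shell snippet is an added example, not part of the bug report or of selinux-policy; it pulls those fields out of a record (the sample is a constructed copy of the line quoted above, not live audit data) and prints them in the `allow source target:class { perms };` shape that audit2allow would propose, so a triager can read off what rule is missing before deciding whether granting it is appropriate.

```shell
#!/bin/sh
# Summarize an SELinux AVC denial record from the audit log.
# Constructed sample: a copy of the record quoted in this bug, for offline use.
SAMPLE_AVC='type=AVC msg=audit(1323161554.372:485625): avc: denied { read } for pid=12768 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir'

# avc_field LINE KEY -> value of " KEY=value" (surrounding quotes stripped),
# empty when the key is not present. Requires the leading space so that
# "scontext" does not match inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^ \"]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE -> the permission list between "{" and "}", trimmed
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "allow <stype> <ttype>:<tclass> { perms };"
# This is the rule the denial implies; whether it *should* be granted is a
# policy decision (here the thread concludes guest_t does not need it).
avc_summary() {
    line=$1
    perms=$(avc_perms "$line")
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Stand-alone usage: summarize the embedded sample.
avc_summary "$SAMPLE_AVC"
```

Run against a real system, the same function can be fed the output of `ausearch -m avc` one record per line; the one-line summary is easier to grep across many denials than the raw records, and it makes the distinction the thread draws (guest_t vs xguest_t as source type) immediately visible.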
The reason for this is that restorecond is running for the xguest user to make sure content in his homedir is labeled correctly. I believe it needs to read security_t content in order for it to get the labels right. guest_t does not run restorecond so it does not need this access.
Yes, this is correct. We have in the policy:

seutil_exec_restorecond($1_t)
seutil_read_file_contexts($1_t)
seutil_read_default_contexts($1_t)