Description of problem:
denial on cvs search in user's home directory

Version-Release number of selected component (if applicable):
# rpm -q cvs selinux-policy
cvs-1.11.23-11.el6_0.1.i686
selinux-policy-3.7.19-126.el6.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. set up CVS server
2. cvs -d ":pserver:bz538376-14857:redhat@<IP of HOST>:/var/cvs" commit -m test

Actual results:
AVC denial
#
type=AVC msg=audit(1326269693.725:281399): avc: denied { search } for pid=18869 comm="cvs" name="bz538376-14857" dev=dm-0 ino=314158 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1326269693.793:281400): avc: denied { search } for pid=18869 comm="cvs" name="bz538376-14857" dev=dm-0 ino=314158 scontext=unconfined_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

# find / -mount -inum 314158
/home/bz538376-14857
# ls -Zd /home/bz538376-14857
drwx------. bz538376-14857 bz538376-14857 unconfined_u:object_r:user_home_dir_t:s0 /home/bz538376-14857

Expected results:
no denial, cvs can search for user setting in his/her home or there is a boolean which can enable it

Additional info:
# getsebool -a | grep cvs
allow_cvs_read_shadow --> on
I just found that there is a boolean on rhel5 which helps there.

setsebool cvs_disable_trans on

When I tried that on rhel5, this boolean helped and the denial was not there. It's not on rhel6, so adding keyword Regression.
There are many *_disable_trans booleans in RHEL-5, but these booleans were intentionally not implemented in RHEL-6, because they serve another purpose. I'm going to remove Regression keyword, because this is a regular bug.
I see the same AVC in https://bugzilla.redhat.com/show_bug.cgi?id=768312#c6. Could we mark this bug as duplicate?
(In reply to comment #6)
> I see the same AVC in https://bugzilla.redhat.com/show_bug.cgi?id=768312#c6.
> Could we mark this bug as duplicate?

I see this is that search. I think it's the same. I am closing this bug as dupe of 768312

*** This bug has been marked as a duplicate of bug 768312 ***
We don't audit it in RHEL5. Is this really needed? Are you getting more AVC msgs in permissive mode?
(In reply to comment #8)
> Is this really needed? Are you getting more AVC msgs in permissive mode?

There is the same amount of denials in permissive mode. All of them look like Comment 0:

avc: denied { search } for pid=19270 comm="cvs"

I hope it's going to be fixed by bug 768312, is it?