Bug 829802 - sysnet_read_config does not allow reading symlinks
sysnet_read_config does not allow reading symlinks
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-07 11:16 EDT by jbash
Modified: 2012-06-16 20:05 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-16 20:05:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description jbash 2012-06-07 11:16:31 EDT
Description of problem:

The sysnet_read_config macro doesn't let the subject read symbolic
links in the network configuration.


Version-Release number of selected component (if applicable):

3.10.0-128.fc17

How reproducible:

Perfectly reproducible

Steps to Reproduce:

1. Create a symbolic link, to, say, an ifcfg-xxx file in /etc/sysconfig/network-scripts
2. Create a policy module that grants sysnet_read_config to a domain
3. Run something in that domain and have it try to follow the symlink
  
Actual results:

Access denied.

Expected results:

Access permitted; there's no important difference between accessing the file
directly and accessing it via a symlink, nor can the content of a symlink
in the network config reasonably be expected to reveal anything sensitive.
Comment 1 Daniel Walsh 2012-06-07 12:23:09 EDT
Fixed in selinux-policy-3.10.0-129.fc17
Comment 2 Fedora Update System 2012-06-11 17:03:45 EDT
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Comment 3 Fedora Update System 2012-06-15 20:00:40 EDT
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-06-16 20:05:32 EDT
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.