Bug 842905 - user_u crontab_t autofs .viminfo
Summary: user_u crontab_t autofs .viminfo
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-07-24 21:30 UTC by Sol Jerome
Modified: 2014-09-30 23:33 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:26:03 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0314 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-02-20 20:35:01 UTC

Description Sol Jerome 2012-07-24 21:30:52 UTC
Description of problem:

A user_u selinux user is unable to write to .viminfo via crontab.


Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-155.el6_3.noarch

How reproducible:

always

Steps to Reproduce:
1. automount user's home directory
2. setsebool -P use_nfs_home_dirs=1
3. try to edit crontab with EDITOR=vim
  
Actual results:

Crontab is edited successfully, with the following AVC:

type=AVC msg=audit(1343164641.420:12541): avc:  denied  { search } for  pid=4752 comm="vim" name="/" dev=autofs ino=10361 scontext=user_u:user_r:crontab_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir

Expected results:

User should be able to write to ~/.viminfo.

Additional info:

# echo "avc:  denied  { search } for  pid=4752 comm="vim" name="/" dev=autofs ino=10361 scontext=user_u:user_r:crontab_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir" | audit2why 
avc:  denied  { search } for  pid=4752 comm=vim name=/ dev=autofs ino=10361 scontext=user_u:user_r:crontab_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Comment 2 Daniel Walsh 2012-08-03 11:47:39 UTC
Do you have NFS Home dirs?

Comment 3 Sol Jerome 2012-08-03 12:58:22 UTC
(In reply to comment #2)
> Do you have NFS Home dirs?

Yes. They are mounted via autofs.

Comment 4 Daniel Walsh 2012-08-13 20:23:43 UTC
This is currently allowed in F18.

Comment 5 Miroslav Grepl 2012-08-20 07:39:50 UTC
Will backport it.

Comment 8 errata-xmlrpc 2013-02-21 08:26:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html


Note You need to log in before you can comment on or make changes to this bug.