Description of problem:
df is accessing two fs it's not allowed to.

Version-Release number of selected component (if applicable):
logwatch-7.4.0-19.20120619svn110.fc18.noarch
selinux-policy-devel-3.11.1-62.fc18.noarch
selinux-policy-3.11.1-62.fc18.noarch
selinux-policy-targeted-3.11.1-62.fc18.noarch
selinux-policy-doc-3.11.1-62.fc18.noarch

How reproducible:
Run logwatch

Actual results:

#============= logwatch_t ==============
allow logwatch_t configfs_t:dir getattr;
allow logwatch_t nfsd_fs_t:dir getattr;

klaus@nepomuk:~$ sudo ausearch -m avc -ts 03:00
----
time->Mon Dec 17 03:19:44 2012
type=SYSCALL msg=audit(1355710784.665:26156): arch=c000003e syscall=4 success=no exit=-13 a0=cf4350 a1=7fff14836910 a2=7fff14836910 a3=38c8284710 items=0 ppid=22556 pid=22557 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=334 comm="df" exe="/usr/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355710784.665:26156): avc: denied { getattr } for pid=22557 comm="df" path="/sys/kernel/config" dev="configfs" ino=11400 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
----
time->Mon Dec 17 03:19:44 2012
type=SYSCALL msg=audit(1355710784.676:26157): arch=c000003e syscall=4 success=no exit=-13 a0=cf43f0 a1=7fff14836910 a2=7fff14836910 a3=38c8284710 items=0 ppid=22556 pid=22557 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=334 comm="df" exe="/usr/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355710784.676:26157): avc: denied { getattr } for pid=22557 comm="df" path="/proc/fs/nfsd" dev="nfsd" ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir
----
time->Mon Dec 17 03:19:44 2012
type=SYSCALL msg=audit(1355710784.681:26158): arch=c000003e syscall=4 success=no exit=-13 a0=aad350 a1=7ffff656e200 a2=7ffff656e200 a3=38c8284710 items=0 ppid=22556 pid=22558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=334 comm="df" exe="/usr/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355710784.681:26158): avc: denied { getattr } for pid=22558 comm="df" path="/sys/kernel/config" dev="configfs" ino=11400 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
----
time->Mon Dec 17 03:19:44 2012
type=SYSCALL msg=audit(1355710784.684:26159): arch=c000003e syscall=4 success=no exit=-13 a0=aad3f0 a1=7ffff656e200 a2=7ffff656e200 a3=38c8284710 items=0 ppid=22556 pid=22558 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=334 comm="df" exe="/usr/bin/df" subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355710784.684:26159): avc: denied { getattr } for pid=22558 comm="df" path="/proc/fs/nfsd" dev="nfsd" ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir

Expected results:
No denials

Additional info:
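As an added example (not part of the bug report or of the selinux-policy project), the following Python reproduces the step that turns the ausearch output above into the two allow rules shown in the report: it parses the type=AVC records, groups denied permissions by (source type, target type, object class), and keeps the comm/path evidence so an administrator can see which program touched which object before deciding whether a rule belongs in a local module or, as happened here, in the distribution policy. The four AVC lines are copied from the report; the function names and the regular expressions are my own.

```python
import re
from collections import defaultdict

# The four type=AVC records from the bug report's `ausearch -m avc` output.
AVC_LINES = """\
type=AVC msg=audit(1355710784.665:26156): avc: denied { getattr } for pid=22557 comm="df" path="/sys/kernel/config" dev="configfs" ino=11400 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1355710784.676:26157): avc: denied { getattr } for pid=22557 comm="df" path="/proc/fs/nfsd" dev="nfsd" ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir
type=AVC msg=audit(1355710784.681:26158): avc: denied { getattr } for pid=22558 comm="df" path="/sys/kernel/config" dev="configfs" ino=11400 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1355710784.684:26159): avc: denied { getattr } for pid=22558 comm="df" path="/proc/fs/nfsd" dev="nfsd" ino=1 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir
"""

# "avc: denied { perm1 perm2 } for key=value ..." -- the permission set sits in braces,
# everything after "for" is a run of key=value fields (values may be quoted).
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {'result': m.group('result'), 'perms': m.group('perms').split(), **fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def summarize(text):
    """Group denied permissions by (source type, target type, class) and record what triggered each."""
    rules = defaultdict(set)      # (stype, ttype, tclass) -> set of permissions
    evidence = defaultdict(set)   # same key -> set of (comm, path-or-name)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        rules[key].update(rec['perms'])
        evidence[key].add((rec.get('comm'), rec.get('path') or rec.get('name')))
    return rules, evidence


def format_perms(perms):
    """Single permission bare, several in braces, as policy source writes them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rules(rules):
    """Render the grouped denials as allow rules, sorted for stable output."""
    return [f'allow {s} {t}:{c} {format_perms(p)};' for (s, t, c), p in sorted(rules.items())]


if __name__ == '__main__':
    rules, evidence = summarize(AVC_LINES)
    for rule, key in zip(allow_rules(rules), sorted(rules)):
        print(rule)
        for comm, obj in sorted(evidence[key]):
            print(f'    # {comm} -> {obj}')
```

Run against the report's records this prints exactly the two rules the report shows, each annotated with `df -> /sys/kernel/config` or `df -> /proc/fs/nfsd`, which is the evidence that these are df statting mounted pseudo-filesystems rather than logwatch reaching for data it should not have.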
Fixed in selinux-policy-3.11.1-66.fc18.noarch
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.