Hide Forgot
Description of problem: Trying to get filesystem information from tog-pegasus using wbemcli, I'm getting avc denials. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-195.el6_4.3.noarch How reproducible: always Steps to Reproduce: 1. configure cimserver 2. have the appropriate filesystem mounted 3. wbemcli ei -nl http://pegasus:${PASSWORD}@localhost:5988/root/cimv2:Linux_${FILESYSTEM}FileSystem where PASSWORD is obvious and FILESYSTEM stands for ext2, ext3 or ext4 in our test Actual results: type=AVC msg=audit(1365522210.837:2680717): avc: denied { execute } for pid=29747 comm="sh" name="mount" dev=dm-0 ino=3145755 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file Expected results: (no denials) Additional info: I believe that this should not be denied, however, adding sblim-cmpi-fsvol maintainer to CC to confirm ...?
Here are AVCs caught in permissive mode: ---- type=PATH msg=audit(04/10/2013 13:54:49.815:126) : item=0 name=/bin/mount inode=137257 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 type=CWD msg=audit(04/10/2013 13:54:49.815:126) : cwd=/var/lib/Pegasus/cache/trace type=SYSCALL msg=audit(04/10/2013 13:54:49.815:126) : arch=i386 syscall=access success=yes exit=0 a0=9c86e08 a1=1 a2=3b9ff4 a3=9c86e08 items=1 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:pegasus_t:s0 key=(null) type=AVC msg=audit(04/10/2013 13:54:49.815:126) : avc: denied { execute } for pid=6862 comm=sh name=mount dev=sda3 ino=137257 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file ---- type=PATH msg=audit(04/10/2013 13:54:49.819:127) : item=1 name=(null) inode=1816 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 type=PATH msg=audit(04/10/2013 13:54:49.819:127) : item=0 name=/bin/mount inode=137257 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 type=CWD msg=audit(04/10/2013 13:54:49.819:127) : cwd=/var/lib/Pegasus/cache/trace type=EXECVE msg=audit(04/10/2013 13:54:49.819:127) : argc=1 a0=mount type=SYSCALL msg=audit(04/10/2013 13:54:49.819:127) : arch=i386 syscall=execve success=yes exit=0 a0=9c86e08 a1=9c86fb0 a2=9c86360 a3=9c86fb0 items=2 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:pegasus_t:s0 key=(null) type=AVC msg=audit(04/10/2013 13:54:49.819:127) : avc: denied { execute_no_trans } for pid=6862 comm=sh path=/bin/mount dev=sda3 ino=137257 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file ---- type=PATH msg=audit(04/10/2013 13:54:49.823:128) : item=0 name=/etc/mtab inode=147279 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_runtime_t:s0 type=CWD msg=audit(04/10/2013 13:54:49.823:128) : cwd=/var/lib/Pegasus/cache/trace type=SYSCALL msg=audit(04/10/2013 13:54:49.823:128) : arch=i386 syscall=access success=yes exit=0 a0=8137b6 a1=2 a2=8189f8 a3=8137b6 items=1 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:pegasus_t:s0 key=(null) type=AVC msg=audit(04/10/2013 13:54:49.823:128) : avc: denied { write } for pid=6862 comm=mount name=mtab dev=sda3 ino=147279 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file ----
5a363c5d7b5e69437240e78db4ecf548a174ae3d fixes this in the git repository.
Fixed added.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html