Bug 950103 - selinux denies pegasus to access mount
Summary: selinux denies pegasus to access mount
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-04-09 15:56 UTC by Karel Volný
Modified: 2013-11-21 10:22 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-219.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:22:42 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Karel Volný 2013-04-09 15:56:32 UTC
Description of problem:
Trying to get filesystem information from tog-pegasus using wbemcli, I'm getting avc denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch

How reproducible:
always

Steps to Reproduce:
1. configure cimserver
2. have the appropriate filesystem mounted
3. wbemcli ei -nl http://pegasus:${PASSWORD}@localhost:5988/root/cimv2:Linux_${FILESYSTEM}FileSystem

where PASSWORD is obvious and FILESYSTEM stands for ext2, ext3 or ext4 in our test
  
Actual results:
type=AVC msg=audit(1365522210.837:2680717): avc:  denied  { execute } for  pid=29747 comm="sh" name="mount" dev=dm-0 ino=3145755 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

Expected results:
(no denials)

Additional info:
I believe that this should not be denied, however, adding sblim-cmpi-fsvol maintainer to CC to confirm ...?

Comment 1 Milos Malik 2013-04-10 11:55:46 UTC
Here are AVCs caught in permissive mode:
----
type=PATH msg=audit(04/10/2013 13:54:49.815:126) : item=0 name=/bin/mount inode=137257 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 
type=CWD msg=audit(04/10/2013 13:54:49.815:126) :  cwd=/var/lib/Pegasus/cache/trace 
type=SYSCALL msg=audit(04/10/2013 13:54:49.815:126) : arch=i386 syscall=access success=yes exit=0 a0=9c86e08 a1=1 a2=3b9ff4 a3=9c86e08 items=1 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:pegasus_t:s0 key=(null) 
type=AVC msg=audit(04/10/2013 13:54:49.815:126) : avc:  denied  { execute } for  pid=6862 comm=sh name=mount dev=sda3 ino=137257 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file 
----
type=PATH msg=audit(04/10/2013 13:54:49.819:127) : item=1 name=(null) inode=1816 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(04/10/2013 13:54:49.819:127) : item=0 name=/bin/mount inode=137257 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 
type=CWD msg=audit(04/10/2013 13:54:49.819:127) :  cwd=/var/lib/Pegasus/cache/trace 
type=EXECVE msg=audit(04/10/2013 13:54:49.819:127) : argc=1 a0=mount 
type=SYSCALL msg=audit(04/10/2013 13:54:49.819:127) : arch=i386 syscall=execve success=yes exit=0 a0=9c86e08 a1=9c86fb0 a2=9c86360 a3=9c86fb0 items=2 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:pegasus_t:s0 key=(null) 
type=AVC msg=audit(04/10/2013 13:54:49.819:127) : avc:  denied  { execute_no_trans } for  pid=6862 comm=sh path=/bin/mount dev=sda3 ino=137257 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file 
----
type=PATH msg=audit(04/10/2013 13:54:49.823:128) : item=0 name=/etc/mtab inode=147279 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_runtime_t:s0 
type=CWD msg=audit(04/10/2013 13:54:49.823:128) :  cwd=/var/lib/Pegasus/cache/trace 
type=SYSCALL msg=audit(04/10/2013 13:54:49.823:128) : arch=i386 syscall=access success=yes exit=0 a0=8137b6 a1=2 a2=8189f8 a3=8137b6 items=1 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:pegasus_t:s0 key=(null) 
type=AVC msg=audit(04/10/2013 13:54:49.823:128) : avc:  denied  { write } for  pid=6862 comm=mount name=mtab dev=sda3 ino=147279 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file 
----

Comment 2 Daniel Walsh 2013-04-10 18:18:50 UTC
5a363c5d7b5e69437240e78db4ecf548a174ae3d fixes this in the git repository.

Comment 7 Miroslav Grepl 2013-10-02 12:46:58 UTC
Fixed added.

Comment 9 errata-xmlrpc 2013-11-21 10:22:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html


Note You need to log in before you can comment on or make changes to this bug.