950103 – selinux denies pegasus to access mount

Bug 950103 - selinux denies pegasus to access mount

Summary: selinux denies pegasus to access mount

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-09 15:56 UTC by Karel Volný
Modified:	2013-11-21 10:22 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.7.19-219.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-21 10:22:42 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1598	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 21:39:24 UTC

Description Karel Volný 2013-04-09 15:56:32 UTC

Description of problem:
Trying to get filesystem information from tog-pegasus using wbemcli, I'm getting avc denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.3.noarch

How reproducible:
always

Steps to Reproduce:
1. configure cimserver
2. have the appropriate filesystem mounted
3. wbemcli ei -nl http://pegasus:${PASSWORD}@localhost:5988/root/cimv2:Linux_${FILESYSTEM}FileSystem

where PASSWORD is obvious and FILESYSTEM stands for ext2, ext3 or ext4 in our test
  
Actual results:
type=AVC msg=audit(1365522210.837:2680717): avc:  denied  { execute } for  pid=29747 comm="sh" name="mount" dev=dm-0 ino=3145755 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file

Expected results:
(no denials)

Additional info:
I believe that this should not be denied, however, adding sblim-cmpi-fsvol maintainer to CC to confirm ...?

Comment 1 Milos Malik 2013-04-10 11:55:46 UTC

Here are AVCs caught in permissive mode:
----
type=PATH msg=audit(04/10/2013 13:54:49.815:126) : item=0 name=/bin/mount inode=137257 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 
type=CWD msg=audit(04/10/2013 13:54:49.815:126) :  cwd=/var/lib/Pegasus/cache/trace 
type=SYSCALL msg=audit(04/10/2013 13:54:49.815:126) : arch=i386 syscall=access success=yes exit=0 a0=9c86e08 a1=1 a2=3b9ff4 a3=9c86e08 items=1 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:pegasus_t:s0 key=(null) 
type=AVC msg=audit(04/10/2013 13:54:49.815:126) : avc:  denied  { execute } for  pid=6862 comm=sh name=mount dev=sda3 ino=137257 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file 
----
type=PATH msg=audit(04/10/2013 13:54:49.819:127) : item=1 name=(null) inode=1816 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 
type=PATH msg=audit(04/10/2013 13:54:49.819:127) : item=0 name=/bin/mount inode=137257 dev=08:03 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 
type=CWD msg=audit(04/10/2013 13:54:49.819:127) :  cwd=/var/lib/Pegasus/cache/trace 
type=EXECVE msg=audit(04/10/2013 13:54:49.819:127) : argc=1 a0=mount 
type=SYSCALL msg=audit(04/10/2013 13:54:49.819:127) : arch=i386 syscall=execve success=yes exit=0 a0=9c86e08 a1=9c86fb0 a2=9c86360 a3=9c86fb0 items=2 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:pegasus_t:s0 key=(null) 
type=AVC msg=audit(04/10/2013 13:54:49.819:127) : avc:  denied  { execute_no_trans } for  pid=6862 comm=sh path=/bin/mount dev=sda3 ino=137257 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file 
----
type=PATH msg=audit(04/10/2013 13:54:49.823:128) : item=0 name=/etc/mtab inode=147279 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_runtime_t:s0 
type=CWD msg=audit(04/10/2013 13:54:49.823:128) :  cwd=/var/lib/Pegasus/cache/trace 
type=SYSCALL msg=audit(04/10/2013 13:54:49.823:128) : arch=i386 syscall=access success=yes exit=0 a0=8137b6 a1=2 a2=8189f8 a3=8137b6 items=1 ppid=6861 pid=6862 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/bin/mount subj=unconfined_u:system_r:pegasus_t:s0 key=(null) 
type=AVC msg=audit(04/10/2013 13:54:49.823:128) : avc:  denied  { write } for  pid=6862 comm=mount name=mtab dev=sda3 ino=147279 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file 
----

Comment 2 Daniel Walsh 2013-04-10 18:18:50 UTC

5a363c5d7b5e69437240e78db4ecf548a174ae3d fixes this in the git repository.

Comment 7 Miroslav Grepl 2013-10-02 12:46:58 UTC

Fixed added.

Comment 9 errata-xmlrpc 2013-11-21 10:22:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.