Bug 954075 - audit2allow generating AVCs, but are not being reported
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-04-20 13:06 UTC by Niki Guldbrand
Modified: 2013-04-27 23:53 UTC (History)

Doc Type: Bug Fix
Last Closed: 2013-04-27 23:53:22 UTC
Type: Bug

Description Niki Guldbrand 2013-04-20 13:06:57 UTC
Description of problem:

I can see in my audit log that I'm getting some AVC denials about audit2allow not being granted access to a file /var/lib/sepolgen/perm_map.
And these aren't being reported like the rest I normally get via email from the system.

I have removed all custom policy fixes, and done a relabel on boot, but they showed up before that too...

Version-Release number of selected component (if applicable):
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch

How reproducible:
Always...

Steps to Reproduce:
1. Generate an AVC denial
2. Watch the dispatcher do its thing
3. Examine the audit log, and see the denials
  
Actual results:

# ausearch -ts 14:00:00 -m AVC | grep audit2allow
type=SYSCALL msg=audit(1366460130.791:127): arch=40000003 syscall=5 success=yes exit=3 a0=9132f10 a1=8000 a2=1b6 a3=9134798 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366460130.791:127): avc:  denied  { open } for  pid=1677 comm="audit2allow" path="/var/lib/sepolgen/interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460130.791:127): avc:  denied  { read } for  pid=1677 comm="audit2allow" name="interface_info" dev="dm-1" ino=525984 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1366460138.361:128): arch=40000003 syscall=5 success=yes exit=3 a0=97d41b0 a1=8000 a2=1b6 a3=ce12380 items=0 ppid=1666 pid=1677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="audit2allow" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1366460138.361:128): avc:  denied  { open } for  pid=1677 comm="audit2allow" path="/var/lib/sepolgen/perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460138.361:128): avc:  denied  { read } for  pid=1677 comm="audit2allow" name="perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Expected results:

No AVC denials

Additional info:

# ausearch -ts 14:00:00 -m AVC | grep audit2allow | audit2allow -m mypol -R

policy_module(mypol, 1.0)

require {
	type setroubleshootd_t;
}

#============= setroubleshootd_t ==============
files_read_var_lib_files(setroubleshootd_t)


# ausearch -ts 14:00:00 -m AVC | grep audit2allow | audit2allow -m mypol

module mypol 1.0;

require {
	type setroubleshootd_t;
	type var_lib_t;
	class file { read open };
}

#============= setroubleshootd_t ==============
allow setroubleshootd_t var_lib_t:file { read open };
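
Added example (not part of the original report, and not audit2allow's own code): the Python below parses AVC records such as the ones in the description, merges the denied permissions per source type, target type and class into allow rules, and lists the paths whose target type is generic, since a rule on var_lib_t would cover every file with that label rather than only the sepolgen data. The names `GENERIC_TYPES`, `parse_avc`, `sel_type`, `summarize` and `report` are hypothetical, and treating var_lib_t as "generic" is an assumption of the example.

```python
import re
from collections import defaultdict

# Two AVC records copied from the report above.
SAMPLE = """\
type=AVC msg=audit(1366460138.361:128): avc:  denied  { open } for  pid=1677 comm="audit2allow" path="/var/lib/sepolgen/perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1366460138.361:128): avc:  denied  { read } for  pid=1677 comm="audit2allow" name="perm_map" dev="dm-1" ino=526828 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Assumption for this example: target types too generic to write allow rules on.
GENERIC_TYPES = {"var_lib_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def sel_type(context):
    # A context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]

def summarize(text):
    """Merge denials per (source type, target type, class)."""
    merged = defaultdict(lambda: {"perms": set(), "paths": set()})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        key = (sel_type(rec["scontext"]), sel_type(rec["tcontext"]), rec["tclass"])
        merged[key]["perms"].update(rec["perms"])
        if "path" in rec:
            merged[key]["paths"].add(rec["path"])
    return merged

def report(text):
    """Return (allow rules, paths whose label is generic and worth reviewing)."""
    rules, relabel = [], []
    for (src, tgt, cls), info in sorted(summarize(text).items()):
        # Permission order is not significant in policy; sorted for stable output.
        perms = " ".join(sorted(info["perms"]))
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, perms))
        if tgt in GENERIC_TYPES:
            relabel.extend(sorted(info["paths"]))
    return rules, relabel

if __name__ == "__main__":
    rules, relabel = report(SAMPLE)
    print("\n".join(rules))
    print("generic target type, review labels of:", relabel)
```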

Comment 1 Miroslav Grepl 2013-04-23 09:01:22 UTC
Ok, this is not a problem with sealert but with "email_alert".

/usr/lib64/python2.7/site-packages/setroubleshoot/server.py:                email_alert(siginfo, to_addrs)

Comment 2 Daniel Walsh 2013-04-23 17:12:29 UTC
Miroslav, would details trigger it also? Bugreport? Or are these only happening in the user session?

I was thinking we should label this content as something other than var_lib_t, but I am not sure what?

Comment 3 Miroslav Grepl 2013-04-24 10:31:13 UTC
Yes, I was also thinking about a new labeling. Details should be ok.

Comment 4 Daniel Walsh 2013-04-24 17:45:11 UTC
86a0f3d735701d8429a530493d0c67c31bb9ad21 fixes this in git.

Comment 5 Fedora Update System 2013-04-26 13:06:04 UTC
selinux-policy-3.11.1-92.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-92.fc18

Comment 6 Fedora Update System 2013-04-27 00:16:33 UTC
Package selinux-policy-3.11.1-92.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-92.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6769/selinux-policy-3.11.1-92.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-04-27 23:53:24 UTC
selinux-policy-3.11.1-92.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

