Bug 974200 - Persistent AVC caused by accounts-daemon trying to access /var/log
Persistent AVC caused by accounts-daemon trying to access /var/log
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-13 11:57 EDT by Laine Stump
Modified: 2013-06-14 23:07 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-52.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-14 23:07:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Laine Stump 2013-06-13 11:57:44 EDT
Since I was watching /var/log/messages prior to my lastest yum update and didn't see these messages, I'm pretty sure it's fairly new. The below message in /var/log/messages is repeated about once every 5 seconds "forever", so it's kind of annoying.



Jun 13 11:49:21 vhost-16 setroubleshoot: SELinux is preventing accounts-daemon from read access on the directory /var/log. For complete SELinux messages. run sealert -l 9136c1d3-62c2-4567-9d4f-80f28866858c


root@vhost-16 /home/laine>sealert -l 9136c1d3-62c2-4567-9d4f-80f28866858c
SELinux is preventing accounts-daemon from read access on the directory /var/log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that accounts-daemon should be allowed read access on the log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          vhost-16.laine.org
Source RPM Packages           
Target RPM Packages           filesystem-3.2-10.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vhost-16.laine.org
Platform                      Linux vhost-16.laine.org 3.9.5-301.fc19.x86_64 #1
                              SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   92
First Seen                    2013-06-13 11:43:28 EDT
Last Seen                     2013-06-13 11:49:36 EDT
Local ID                      9136c1d3-62c2-4567-9d4f-80f28866858c

Raw Audit Messages
type=AVC msg=audit(1371138576.672:506): avc:  denied  { read } for  pid=542 comm="accounts-daemon" name="log" dev="dm-0" ino=18350117 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
Jun 13 11:49:21 vhost-16 setroubleshoot: SELinux is preventing accounts-daemon from read access on the directory /var/log. For complete SELinux messages. run sealert -l 9136c1d3-62c2-4567-9d4f-80f28866858c
^C
root@vhost-16 /home/laine>ps -AlF | grep accounts-daemon
4 S root       542     1  0  80   0 - 91591 poll_s  3368   0 11:43 ?        00:00:00 /usr/libexec/accounts-daemon
0 S root      2809  2631  0  80   0 - 28162 pipe_w   880   3 11:49 pts/0    00:00:00 grep --color=auto accounts-daemon
root@vhost-16 /home/laine>sealert -l 9136c1d3-62c2-4567-9d4f-80f28866858c
SELinux is preventing accounts-daemon from read access on the directory /var/log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that accounts-daemon should be allowed read access on the log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log [ dir ]
Source                        accounts-daemon
Source Path                   accounts-daemon
Port                          <Unknown>
Host                          vhost-16.laine.org
Source RPM Packages           
Target RPM Packages           filesystem-3.2-10.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vhost-16.laine.org
Platform                      Linux vhost-16.laine.org 3.9.5-301.fc19.x86_64 #1
                              SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   92
First Seen                    2013-06-13 11:43:28 EDT
Last Seen                     2013-06-13 11:49:36 EDT
Local ID                      9136c1d3-62c2-4567-9d4f-80f28866858c

Raw Audit Messages
type=AVC msg=audit(1371138576.672:506): avc:  denied  { read } for  pid=542 comm="accounts-daemon" name="log" dev="dm-0" ino=18350117 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir


Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
Comment 1 Wolfgang Rupprecht 2013-06-14 01:04:19 EDT
same here.  I'm seeing one entry added to /var/log/messages every 4 seconds and 10% cpu load servicing the fallout from this selinux denial.  

2013-06-13T21:59:04.071296-07:00 arbol setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log. For complete SELinux messages. run sealert -l 14b2e316-045a-4ee4-a2b9-8defd3d61f01
2013-06-13T21:59:08.076532-07:00 arbol setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log. For complete SELinux messages. run sealert -l 14b2e316-045a-4ee4-a2b9-8defd3d61f01
2013-06-13T21:59:12.076820-07:00 arbol setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log. For complete SELinux messages. run sealert -l 14b2e316-045a-4ee4-a2b9-8defd3d61f01
2013-06-13T21:59:16.064170-07:00 arbol setroubleshoot: SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log. For complete SELinux messages. run sealert -l 14b2e316-045a-4ee4-a2b9-8defd3d61f01

SELinux is preventing /usr/libexec/accounts-daemon from read access on the directory /var/log.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that accounts-daemon should be allowed read access on the log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep accounts-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:accountsd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log [ dir ]
Source                        accounts-daemon
Source Path                   /usr/libexec/accounts-daemon
Port                          <Unknown>
Host                          arbol.wsrcc.com
Source RPM Packages           accountsservice-0.6.34-1.fc19.x86_64
Target RPM Packages           filesystem-3.2-10.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     arbol.wsrcc.com
Platform                      Linux arbol.wsrcc.com 3.9.5-301.fc19.x86_64 #1 SMP
                              Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64
Alert Count                   44
First Seen                    2013-06-13 22:00:47 PDT
Last Seen                     2013-06-13 22:03:39 PDT
Local ID                      7a43b499-3378-441a-aa12-fac74b372b87

Raw Audit Messages
type=AVC msg=audit(1371186219.313:6320): avc:  denied  { read } for  pid=480 comm="accounts-daemon" name="log" dev="sda3" ino=1445955 scontext=system_u:system_r:accountsd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1371186219.313:6320): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=7 a1=7f0638b94d10 a2=1002fce a3=0 items=0 ppid=1 pid=480 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=accounts-daemon exe=/usr/libexec/accounts-daemon subj=system_u:system_r:accountsd_t:s0 key=(null)

Hash: accounts-daemon,accountsd_t,var_log_t,dir,read
Comment 2 Miroslav Grepl 2013-06-14 01:17:25 EDT
Has been added.
Comment 3 Fedora Update System 2013-06-14 03:24:11 EDT
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Comment 4 Aaron Sowry 2013-06-14 05:16:59 EDT
Dupe of bug #973849 I guess
Comment 5 Fedora Update System 2013-06-14 23:07:07 EDT
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.