Bug 980819 - Aide cannot be run by root as unconfined_*
Aide cannot be run by root as unconfined_*
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Depends On:
  Show dependency treegraph
Reported: 2013-07-03 05:59 EDT by Michal Trunecka
Modified: 2014-09-30 19:35 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-07-03 07:49:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Michal Trunecka 2013-07-03 05:59:56 EDT
Description of problem:
Aide cannot be run as root with unconfined context, because selinux-policy contain transition from unconfined_t to aide_t, but role permission for unconfined_r to aide_t is missing.

# aide --init
bash: /usr/sbin/aide: Permission denied

from /var/log/messages (auditd wasn't running):
Jul  3 11:39:13 dhcp-25-142 kernel: type=1401 audit(1372844353.325:50992): security_compute_sid:  invalid context unconfined_u:unconfined_r:aide_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:aide_exec_t:s0 tclass=process

# cat mypolicy.te 
require {  type aide_t;  }
role unconfined_r types aide_t;
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypolicy.pp
# aide --init

AIDE, version 0.14

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Version-Release number of selected component (if applicable):
Comment 1 Miroslav Grepl 2013-07-03 07:36:15 EDT
I don't see it.

# sesearch -A -s unconfined_t -t aide_t -c process -p transition
Comment 2 Michal Trunecka 2013-07-03 07:49:33 EDT
I'm stupid. I added the rule a week ago when experimenting with aide and forgot about it.
Comment 3 Miroslav Grepl 2013-07-03 08:02:35 EDT
No problem.

Note You need to log in before you can comment on or make changes to this bug.