986647 – SELinux is preventing /usr/bin/dmesg from 'write' accesses on the file /proc/sys/kernel/printk.

Bug 986647 - SELinux is preventing /usr/bin/dmesg from 'write' accesses on the file /proc/sys/kernel/printk.

Summary: SELinux is preventing /usr/bin/dmesg from 'write' accesses on the file /proc/...

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	19
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:dafa71f88347318b34ea495b1b8...
Duplicates (1):	1022288 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-07-21 09:02 UTC by Zero
Modified:	2014-06-23 13:47 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-06-23 13:47:20 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Zero 2013-07-21 09:02:49 UTC

Description of problem:
SELinux is preventing /usr/bin/dmesg from 'write' accesses on the file /proc/sys/kernel/printk.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore dmesg trying to write access the printk file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/dmesg /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that dmesg should be allowed write access on the printk file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dmesg /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dmesg_t:s0
Target Context                system_u:object_r:sysctl_kernel_t:s0
Target Objects                /proc/sys/kernel/printk [ file ]
Source                        dmesg
Source Path                   /usr/bin/dmesg
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           util-linux-2.23.1-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-65.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.9-302.fc19.x86_64 #1 SMP Sat
                              Jul 6 13:41:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-07-21 09:49:01 CEST
Last Seen                     2013-07-21 09:49:01 CEST
Local ID                      95bdbbc9-a3c1-40bb-bc02-8a2cd6a02962

Raw Audit Messages
type=AVC msg=audit(1374392941.109:409): avc:  denied  { write } for  pid=2847 comm="dmesg" path="/proc/sys/kernel/printk" dev="proc" ino=25469 scontext=system_u:system_r:dmesg_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file


type=SYSCALL msg=audit(1374392941.109:409): arch=x86_64 syscall=execve success=yes exit=0 a0=1c68e20 a1=1c67e10 a2=1c67ca0 a3=7fffcde54510 items=0 ppid=2846 pid=2847 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=dmesg exe=/usr/bin/dmesg subj=system_u:system_r:dmesg_t:s0 key=(null)

Hash: dmesg,dmesg_t,sysctl_kernel_t,file,write

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.9-302.fc19.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2013-07-22 11:03:12 UTC

What were you doing when this happened?

Comment 2 Daniel Walsh 2013-07-22 19:42:18 UTC

Looks like an program is opening a write fd to /proc/sys/kernel/printk and then fork/exec dmesg?  Without closeing the fd on exec.

Comment 3 Oscar Yanez 2013-07-27 13:37:17 UTC

Description of problem:
On Fedora 19 startup

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.5-301.fc19.x86_64
type:           libreport

Comment 4 Matthew Saltzman 2013-09-15 16:14:51 UTC

Description of problem:
Alert showed on reboot after system freeze.

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.11-200.fc19.x86_64
type:           libreport

Comment 5 Matthew Saltzman 2013-10-07 13:59:56 UTC

Description of problem:
Alert appeared on startup after updates applied.

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.3-201.fc19.x86_64
type:           libreport

Comment 6 Daniel Walsh 2013-10-07 16:02:44 UTC

Can anyone tell us which app they were running when this happened?

Mgrepl, we probably should just dontaudit it.

Comment 7 Julien HENRY 2013-10-14 12:06:13 UTC

Description of problem:
Bumblebee: optirun glxgears -info
Then Ctrl + C

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.3-201.fc19.x86_64
type:           libreport

Comment 8 Matthew Saltzman 2013-10-14 19:27:33 UTC

Description of problem:
Happened on startup with newly installed kernel-3.11.4-201.fc19.x86_64.

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.4-201.fc19.x86_64
type:           libreport

Comment 9 Daniel Walsh 2013-10-15 17:08:04 UTC

Added dontaudit for this in 9665afbaf45c4f1a525888222504159aacf98c1e in git.

Comment 10 Lukas Vrabec 2013-10-23 12:23:48 UTC

back ported.

Comment 11 Miroslav Grepl 2013-10-24 14:08:40 UTC

*** Bug 1022288 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2013-11-08 09:07:15 UTC

selinux-policy-3.12.1-74.12.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.12.fc19

Comment 13 Fedora Update System 2013-11-09 03:35:54 UTC

Package selinux-policy-3.12.1-74.12.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.12.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20980/selinux-policy-3.12.1-74.12.fc19
then log in and leave karma (feedback).

Comment 14 seanbaskin 2013-11-13 23:51:21 UTC

Description of problem:
Installed Bumblebee (restarted), Primus and Bumblebee-NVIDIA (restarted), then received this error message when I logged in on start up.  

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.7-200.fc19.x86_64
type:           libreport

Comment 15 Matthew Saltzman 2013-11-19 01:20:23 UTC

Description of problem:
Alert showed up on login after first boot with kernel-3.11.8-200.fc19.x86_64.

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.8-200.fc19.x86_64
type:           libreport

Comment 16 Zero 2014-06-23 13:47:20 UTC

Iẗ́'s fixed

Note You need to log in before you can comment on or make changes to this bug.