Bug 993012 - Selinux restricts setroubleshootd operation
Selinux restricts setroubleshootd operation
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
19
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-05 07:59 EDT by Samium Gromoff
Modified: 2013-08-05 14:52 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-05 14:52:09 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Samium Gromoff 2013-08-05 07:59:37 EDT
Description of problem:

semodule -DB exposes hidden denials related to setroubleshootd:

type=AVC msg=audit(1375703307.392:525): avc:  denied  { rlimitinh } for  pid=4093 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1375703307.392:525): avc:  denied  { siginh } for  pid=4093 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1375703307.392:525): avc:  denied  { noatsecure } for  pid=4093 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1375703307.392:525): arch=c000003e syscall=59 success=yes exit=0 a0=7f8ee1b8f810 a1=7f8ee1b8f710 a2=7f8ee1b8e010 a3=0 items=0 ppid=4092 pid=4093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1375703307.645:526): avc:  denied  { write } for  pid=4093 comm="setroubleshootd" name=".dbenv.lock" dev="dm-3" ino=655370 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1375703307.645:526): arch=c000003e syscall=2 success=no exit=-13 a0=3b23390 a1=42 a2=1a4 a3=0 items=0 ppid=4092 pid=4093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="setroubleshootd" exe="/usr/bin/python2.7" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
Name        : setroubleshoot
Version     : 3.2.10
Release     : 1.fc19
Name        : selinux-policy-targeted
Version     : 3.12.1
Release     : 69.fc19

How reproducible:
reliably

Steps to Reproduce:
selinux -DB
...launch setroubleshoot GUI...
selinux -B
Comment 1 Daniel Walsh 2013-08-05 14:52:09 EDT
That is intentional.  We don't want to allow setroubleshoot this access.

Note You need to log in before you can comment on or make changes to this bug.