Bug 998763 - sosreport avcs
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: x86_64 Linux
Priority: unspecified  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Keywords: Reopened

Reported: 2013-08-19 23:04 EDT by David Highley
Modified: 2013-09-29 20:35 EDT

Fixed In Version: selinux-policy-3.12.1-74.8.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-29 20:35:26 EDT
Type: Bug

Attachments
bzip2 of avcs for sosreport violations (20.88 KB, application/x-bzip)
2013-08-19 23:04 EDT, David Highley
Reboot avcs (20.78 KB, application/x-bzip)
2013-09-01 23:10 EDT, David Highley

Description David Highley 2013-08-19 23:04:49 EDT
Created attachment 788276 [details]
bzip2 of avcs for sosreport violations

Description of problem:
Lots of avcs for sosreports

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-69.fc19.noarch

Additional info:
Created local policy for now. Note that we chose not to let it read the shadow file.
module my_sosreport 1.0;

require {
	type sosreport_t;
	type abrt_var_run_t;
	type configfs_t;
	type devpts_t;
	type initctl_t;
	type lvm_var_run_t;
	type pstorefs_t;
	type shadow_t;
	type var_run_t;
	type automount_var_run_t;
	type dovecot_var_run_t;
	type systemd_logind_inhibit_var_run_t;
	class sock_file { write };
	class chr_file { getattr };
	class dir { getattr write add_name };
	class fifo_file { getattr };
	class capability { sys_ptrace };
	class netlink_kobject_uevent_socket { create bind setopt };
	class rawip_socket { create getopt };
	class file { getattr read };
}

#============= sosreport_t ==============
# stat() of sockets, FIFOs and pseudo-filesystems under /run, /dev and /sys,
# plus creating files under /run
allow sosreport_t abrt_var_run_t:sock_file write;
allow sosreport_t automount_var_run_t:fifo_file getattr;
allow sosreport_t configfs_t:dir getattr;
allow sosreport_t devpts_t:chr_file getattr;
allow sosreport_t dovecot_var_run_t:fifo_file getattr;
allow sosreport_t initctl_t:fifo_file getattr;
allow sosreport_t lvm_var_run_t:fifo_file getattr;
allow sosreport_t pstorefs_t:dir getattr;
allow sosreport_t systemd_logind_inhibit_var_run_t:fifo_file getattr;
allow sosreport_t var_run_t:dir { write add_name };
# self permissions: ptrace capability, uevent netlink and raw IP sockets
allow sosreport_t self:capability sys_ptrace;
allow sosreport_t self:netlink_kobject_uevent_socket { create bind setopt };
allow sosreport_t self:rawip_socket { create getopt };
# shadow_t: permit the stat() but silence the read denial instead of granting it
allow sosreport_t shadow_t:file getattr;
dontaudit sosreport_t shadow_t:file read;
Comment 1 Miroslav Grepl 2013-08-20 08:48:24 EDT
Dan added fixes.
Comment 2 Fedora Update System 2013-08-23 11:13:04 EDT
selinux-policy-3.12.1-73.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-73.fc19
Comment 3 Fedora Update System 2013-08-23 19:59:41 EDT
Package selinux-policy-3.12.1-73.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-73.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15219/selinux-policy-3.12.1-73.fc19
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2013-08-24 18:29:03 EDT
selinux-policy-3.12.1-73.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 David Highley 2013-09-01 23:10:22 EDT
Created attachment 792705 [details]
Reboot avcs

Still not completely fixed. On a reboot see the attached avc.

rpm -q selinux-policy
selinux-policy-3.12.1-73.fc19.noarch
Comment 6 David Highley 2013-09-13 03:32:28 EDT
After updating to selinux-policy-3.12.1-74.2.fc19.noarch, still see on reboot:

time->Fri Sep 13 00:22:06 2013
type=SYSCALL msg=audit(1379056926.562:14297): arch=c000003e syscall=2 success=no exit=-13 a0=6417ae0 a1=0 a2=1b6 a3=3 items=0 ppid=1 pid=2005 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="sosreport" exe="/usr/bin/python2.7" subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1379056926.562:14297): avc:  denied  { read } for  pid=2005 comm="sosreport" name="opasswd" dev="dm-1" ino=134335364 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Comment 7 Daniel Walsh 2013-09-16 14:23:34 EDT
Does it actually need to read this or should we dontaudit it?  I would not be crazy about a tool that reads shadow files.
Comment 8 David Highley 2013-09-16 23:14:16 EDT
My thinking is to do a dontaudit which is what we did for our local policy. We do not like all these applications trying to read the shadow file.
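As an added example (not code from this bug or from the selinux-policy project): a small audit2allow-style script that parses AVC records like the one quoted in comment 6 and applies the decision reached in comments 7 and 8, emitting dontaudit instead of allow when the target type is shadow_t. The quoted record is reused as-is; the two further records, the SENSITIVE_TYPES set and all function names are constructed for this example.

```python
import re

# Constructed sample log: the record from comment 6 plus two made-up records in the same format.
SAMPLE_AVCS = """\
type=AVC msg=audit(1379056926.562:14297): avc:  denied  { read } for  pid=2005 comm="sosreport" name="opasswd" dev="dm-1" ino=134335364 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1379056930.100:14300): avc:  denied  { getattr } for  pid=2005 comm="sosreport" path="/dev/pts/0" dev="devpts" ino=3 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1379056931.200:14301): avc:  denied  { write add_name } for  pid=2005 comm="sosreport" name="run" dev="tmpfs" ino=12 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

# Target types whose denials are silenced rather than granted (the thread chose dontaudit for shadow_t).
SENSITIVE_TYPES = {"shadow_t"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return perms, source type, target type and class from one type=AVC record."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: " + line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    # A security context is user:role:type[:level]; the type is the third field.
    return {
        "perms": m.group(1).split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def rules_from_log(text):
    """Turn AVC records into allow/dontaudit rules, merging perms per subject/target/class."""
    merged = {}  # (verb, stype, ttype, tclass) -> ordered list of perms
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue
        avc = parse_avc(line)
        verb = "dontaudit" if avc["ttype"] in SENSITIVE_TYPES else "allow"
        perms = merged.setdefault((verb, avc["stype"], avc["ttype"], avc["tclass"]), [])
        perms.extend(p for p in avc["perms"] if p not in perms)
    rules = []
    for (verb, stype, ttype, tclass), perms in merged.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"{verb} {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_AVCS)))
```

Running it on the sample prints the same three rules that appear in the local policy from the description, with the shadow_t read turned into a dontaudit.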
Comment 9 Daniel Walsh 2013-09-18 11:13:16 EDT
e4b4ac7e56882e004325ecda13656678baf59249 fixes this in git.
Comment 10 Miroslav Grepl 2013-09-25 15:27:37 EDT
Back ported.
Comment 11 Fedora Update System 2013-09-26 05:43:02 EDT
selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19
Comment 12 Fedora Update System 2013-09-26 20:47:57 EDT
Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2013-09-29 20:35:26 EDT
selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.