Bug 5243 - SELinux on RHEL 7 produces AVC denials for access syscalls
: ThinLinc
Server OS
: 4.2.0
: PC Unknown
: P2 Normal
: 4.3.0
Assigned To:
: 4939
Reported: 2014-09-05 17:34 by
Modified: 2014-10-06 16:25 (History)

Description From cendio 2014-09-05 17:34:35

Printing a document to nearest (or just running nearest as cupsd_t).

For each os.access(..) made by hiveconf.py (_check_write_access) to check
whether a file is writable, two lines like this are printed to the audit log
file. syscall=21 on the second line indicates an access call. Everything looks
OK from a SELinux file context point of view, so there's nothing odd there.

>    type=AVC msg=audit(1409906549.883:6665): avc:  denied  { write } for  pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
>    type=SYSCALL msg=audit(1409906549.883:6665): arch=c000003e syscall=21 success=no exit=-13 a0=1fa2b60 a1=2 a2=7f61620dff88 a3=642e666e6f632f63 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Pierre and I tried to understand why this happens only on RHEL 7 and not on
Fedora, but could not figure it out. This needs more investigation.
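As an added example (not part of the bug report or of ThinLinc's own code), a small Python parser that joins AVC and SYSCALL records on their audit event id and flags denials that came from a failed access(2) probe, so this kind of noise can be separated from real blocked writes; the two audit lines quoted above are used as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL pair quoted in the bug description above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1409906549.883:6665): avc:  denied  { write } for  pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1409906549.883:6665): arch=c000003e syscall=21 success=no exit=-13 a0=1fa2b60 a1=2 a2=7f61620dff88 a3=642e666e6f632f63 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
"""

# access(2) is syscall 21 on x86_64, which audit reports as arch=c000003e.
ACCESS_SYSCALL = {"c000003e": "21"}
RECORD_RE = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict: type, event id, permissions, key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "event": m.group(2)}
    body = m.group(3)
    verdict = re.search(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}", body)
    if verdict:
        rec["result"], rec["perms"] = verdict.group(1), verdict.group(2).split()
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def find_access_probe_denials(log_text):
    """Return AVC denials whose SYSCALL record (same event id) is a failed access(2).

    Such a denial means the process only asked "may I write?" and was told no;
    nothing was blocked, but the scontext/tcontext pair shows which file label
    to reconsider (here cupsd_t on a usr_t file, relabelled etc_t in the fix).
    """
    by_event = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_event[rec["event"]].append(rec)
    findings = []
    for event, recs in by_event.items():
        probe = any(r["type"] == "SYSCALL" and r.get("success") == "no"
                    and r.get("syscall") == ACCESS_SYSCALL.get(r.get("arch")) for r in recs)
        for avc in recs:
            if probe and avc["type"] == "AVC" and avc.get("result") == "denied":
                findings.append({"event": event, "comm": avc.get("comm"), "name": avc.get("name"),
                                 "perms": avc["perms"], "tclass": avc.get("tclass"),
                                 "scontext": avc["scontext"], "tcontext": avc["tcontext"]})
    return findings
```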
------- Comment #2 From cendio 2014-09-09 17:33:29 -------
Fixed in r29338 and r29339.

Tester should verify this on both RHEL 7 and RHEL 6, as RHEL 6 has too old a
kernel for the audit_access rule and we need to verify that the module still
compiles there.
------- Comment #3 From cendio 2014-09-10 09:47:23 -------
The autotest machines are having problems with this change. Need to have
another look.
------- Comment #4 From cendio 2014-09-11 11:02:37 -------
Turns out that we do not need the audit_access rule. Tagging the config files
as etc_t instead of usr_t is enough to get rid of the noise.

Fixed in r29343.
------- Comment #5 From cendio 2014-09-24 13:35:17 -------
Verified that context is etc_t and that the AVC is not showing up on both RHEL6
and RHEL7. Using ThinLinc server build 4499.