Bug 5243 - SELinux on RHEL 7 produces AVC denials for access syscalls
Summary: SELinux on RHEL 7 produces AVC denials for access syscalls
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server OS
Version: 4.2.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.3.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, prosaic
Depends on:
Blocks: 4939
Reported: 2014-09-05 17:34 CEST by Karl Mikaelsson
Modified: 2014-10-06 16:25 CEST (History)

See Also:
Acceptance Criteria:


Attachments

Description Karl Mikaelsson cendio 2014-09-05 17:34:35 CEST
Scenario:

Printing a document to nearest (or just running nearest as cupsd_t).

For each os.access(..) made by hiveconf.py (_check_write_access) to check whether a file is writable, two lines like this are printed to the audit log file. syscall=21 on the second line indicates an access call. Everything looks OK from a SELinux file context point of view, so there's nothing odd there.

>    type=AVC msg=audit(1409906549.883:6665): avc:  denied  { write } for  pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
>    type=SYSCALL msg=audit(1409906549.883:6665): arch=c000003e syscall=21 success=no exit=-13 a0=1fa2b60 a1=2 a2=7f61620dff88 a3=642e666e6f632f63 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Pierre and I tried to understand why this happens only on RHEL 7 and not on Fedora, but could not figure it out. This needs more investigation.
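The two records quoted above are one audit event split across an AVC line (what SELinux denied, and the source and target labels) and a SYSCALL line (which call failed and with what errno), joined by the serial inside `msg=audit(ts:serial)`. The following parser is an added example, not code from the bug report or from ThinLinc; it pairs the records by serial and decodes the fields a reader otherwise has to look up by hand (arch `c000003e` is x86_64, syscall 21 is `access`, exit -13 is `EACCES`). The sample log is constructed from the quoted records plus one invented second event (serial 6666, file `example.hconf`) to show the pairing; the small syscall and errno tables cover only what the example needs.

```python
import re

# Constructed sample: the two records quoted in the bug report, plus an invented
# second event (serial 6666) so that pairing more than one event is exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1409906549.883:6665): avc:  denied  { write } for  pid=54979 comm="python-thinlinc" name="webaccess.hconf" dev="dm-0" ino=102197015 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1409906549.883:6665): arch=c000003e syscall=21 success=no exit=-13 a0=1fa2b60 a1=2 a2=7f61620dff88 a3=642e666e6f632f63 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409906550.101:6666): avc:  denied  { read } for  pid=54979 comm="python-thinlinc" name="example.hconf" dev="dm-0" ino=102197016 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1409906550.101:6666): arch=c000003e syscall=2 success=no exit=-13 a0=1fa2b60 a1=0 a2=1b6 a3=0 items=0 ppid=18452 pid=54979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
"""

# AUDIT_ARCH_X86_64 as it appears in the arch= field, and the few x86_64 syscall
# numbers and errno values this example needs (taken from the kernel tables).
ARCH_X86_64 = "c000003e"
X86_64_SYSCALLS = {2: "open", 21: "access", 257: "openat", 269: "faccessat"}
ERRNO_NAMES = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')  # msg=audit(timestamp:serial)
PERMS_RE = re.compile(r'\{ ([^}]*) \}')            # avc: denied { perm ... }


def parse_record(line):
    """Split one audit record into its key=value fields plus timestamp and serial."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.match(fields.get("msg", ""))
    if not m:
        raise ValueError("record without audit(ts:serial) header: %r" % line)
    fields["timestamp"] = float(m.group(1))
    fields["serial"] = int(m.group(2))
    if fields.get("type") == "AVC":
        pm = PERMS_RE.search(line)
        fields["perms"] = pm.group(1).split() if pm else []
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type, the component that policy rules are written against."""
    return ctx.split(":")[2]


def summarize_denials(log_text):
    """Pair AVC and SYSCALL records by serial and describe each denial in readable terms."""
    events = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], {})[rec["type"]] = rec

    summary = []
    for serial in sorted(events):
        avc = events[serial].get("AVC")
        sc = events[serial].get("SYSCALL", {})
        if avc is None:
            continue  # a SYSCALL record without a denial is not interesting here
        nr = int(sc["syscall"]) if "syscall" in sc else None
        # Syscall numbers are per architecture; only decode the one table we carry.
        syscall = None
        if nr is not None and sc.get("arch") == ARCH_X86_64:
            syscall = X86_64_SYSCALLS.get(nr, "nr %d" % nr)
        errno = ERRNO_NAMES.get(int(sc["exit"]), sc["exit"]) if "exit" in sc else None
        summary.append({
            "serial": serial,
            "perms": avc["perms"],
            "source_type": context_type(avc["scontext"]),
            "target_type": context_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "name": avc.get("name"),
            "comm": avc.get("comm"),
            "exe": sc.get("exe"),
            "syscall": syscall,
            "errno": errno,
        })
    return summary


if __name__ == "__main__":
    for ev in summarize_denials(SAMPLE_AUDIT_LOG):
        print("%d: %s (%s) denied %s on %s %s labelled %s via %s -> %s" % (
            ev["serial"], ev["comm"], ev["source_type"], "/".join(ev["perms"]),
            ev["tclass"], ev["name"], ev["target_type"], ev["syscall"], ev["errno"]))
```

The `target_type` column is the field worth watching in this bug: the denial is `cupsd_t` writing to a file labelled `usr_t`, and relabelling the config files to `etc_t` is what eventually made the AVC disappear, so a summary like this shows at a glance whether a denial is a policy gap or a labelling problem.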
Comment 2 Pierre Ossman cendio 2014-09-09 17:33:29 CEST
Fixed in r29338 and r29339.

Tester should verify this on both RHEL 7 and RHEL 6, as RHEL 6 has too old a kernel for the audit_access rule and we need to verify that the module still compiles there.
Comment 3 Pierre Ossman cendio 2014-09-10 09:47:23 CEST
The autotest machines are having problems with this change. Need to have another look.
Comment 4 Pierre Ossman cendio 2014-09-11 11:02:37 CEST
Turns out that we do not need the audit_access rule. Tagging the config files as etc_t instead of usr_t is enough to get rid of the noise.

Fixed in r29343.
Comment 5 Henrik Andersson cendio 2014-09-24 13:35:17 CEST
Verified that context is etc_t and that the AVC is not showing up on both RHEL6 and RHEL7. Using ThinLinc server build 4499.
