From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] write AVC on access()?
Date: Mon, 8 Sep 2014 17:37:04 +0200 [thread overview]
Message-ID: <20140908153703.GA12988@x220.network2> (raw)
In-Reply-To: <20140908092324.1bc7b98a@ossman.lkpg.cendio.se>
On Mon, Sep 08, 2014 at 09:23:24AM +0200, Pierre Ossman wrote:
> Hi,
>
> I have a problem that our software is causing these on (at least)
> Fedora and RHEL:
>
> > type=AVC msg=audit(1409929323.649:42767): avc: denied { write } for pid=31220 comm="python-thinlinc" name="thinlinc.hconf" dev="dm-0" ino=2756323 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
> > type=SYSCALL msg=audit(1409929323.649:42767): arch=c000003e syscall=21 success=yes exit=0 a0=db4c70 a1=2 a2=33925bff88 a3=0 items=0 ppid=29722 pid=31220 auid=210 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=2 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
> Syscall 21 is access() if I'm reading things correctly, and we are
> indeed doing an access(W_OK) on that file. But given the nature of
> access(), I was not expecting to trigger an AVC with the accompanying
> noise from setroubleshootd and friends. A return code indicating that
> we cannot write is fine and expected, but the warnings are not.
>
> What is the proper way to deal with this? That process will not (and
> should not) write to that file, so allowing writes seems very wrong.
> And putting a noaudit rule also feels like papering over the issue.
>
> (and getting rid of the access() call is non-trivial, so that's not
> really an option at this point)
>
A rule like this should do it:
dontaudit cupsd_t usr_t:file audit_access;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140908/85fec7b1/attachment.bin
next prev parent reply other threads:[~2014-09-08 15:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-08 7:23 [refpolicy] write AVC on access()? Pierre Ossman
2014-09-08 15:37 ` Dominick Grift [this message]
2014-09-10 9:05 ` Pierre Ossman
2014-09-10 10:13 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140908153703.GA12988@x220.network2 \
--to=dac.override@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.