Bug 1534182
| Summary: | aide requires "map" privilege | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alan Hamilton <alanh> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | dwalsh, john.horne, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-283.24.fc27 selinux-policy-3.13.1-284.37.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-08-08 15:34:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Alan Hamilton
2018-01-13 21:42:11 UTC
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

I'm still seeing a lot of AVC denials for aide. This is just a short copy/paste taken from the audit log file:

==================
type=AVC msg=audit(1517573596.990:90842): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/grub2-set-default" dev="sda5" ino=3408710 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90843): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/rtcwake" dev="sda5" ino=3414137 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90844): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/selinuxenabled" dev="sda5" ino=3420379 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90845): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/btrfs-map-logical" dev="sda5" ino=3409700 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90846): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/smartctl" dev="sda5" ino=3460902 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90847): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/chcpu" dev="sda5" ino=3431555 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90848): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/at/.SEQ" dev="sda5" ino=5638750 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90849): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/root" dev="sda5" ino=5767495 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90850): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/exim" dev="sda5" ino=5767452 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90851): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/john" dev="sda5" ino=5768173 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
==================

rpm -q selinux-policy
selinux-policy-3.13.1-283.24.fc27.noarch
rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-283.24.fc27.noarch

I'm still seeing the aide "map" avcs too.

selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

A little bit confused why this has been marked as CLOSED when it still has problems. I included a comment on bodhi as well, but notice that the -1 karma I set has been omitted. As per comments #2 and #5, problems still persist and I have made a note of them in this bug report. Can it be reopened?

Yes, it's still an issue. Reopening.

The bugfix added files_mmap_usr_files(aide_t) to aide's rights, but that only allows mmapping files labeled usr_t. Anything else will still fail.

selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
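Added example (written for this page; not code from the report or from the selinux-policy project): it parses AVC records quoted above, subtracts what files_mmap_usr_files(aide_t) grants (assumed here to be exactly `map` on `usr_t` files), and lists the target types that the first fix still leaves denied as policy-language allow rules; the `usr_t` record in the sample is constructed.

```python
import re
from collections import defaultdict

# Records 1-4 are quoted from this bug report; the usr_t record is constructed
# to show the one target type that files_mmap_usr_files(aide_t) does cover.
AVC_SAMPLE = """\
type=AVC msg=audit(1517573596.990:90842): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/grub2-set-default" dev="sda5" ino=3408710 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90843): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/rtcwake" dev="sda5" ino=3414137 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90846): avc: denied { map } for pid=20120 comm="aide" path="/usr/sbin/smartctl" dev="sda5" ino=3460902 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90849): avc: denied { map } for pid=20120 comm="aide" path="/var/spool/cron/root" dev="sda5" ino=5767495 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:99999): avc: denied { map } for pid=20120 comm="aide" path="/usr/share/doc/CONSTRUCTED" dev="sda5" ino=1 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def ctx_type(context):
    """Type field of a user:role:type[:range] SELinux security context."""
    return context.split(":")[2]

def parse_avc(text):
    """Return (source_type, target_type, tclass, perm) for every denial found."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        for perm in m.group("perms").split():
            found.append((ctx_type(m.group("sctx")), ctx_type(m.group("tctx")),
                          m.group("tclass"), perm))
    return found

def uncovered(denials, granted):
    """Denials not satisfied by the already-granted (src, tgt, class, perm) tuples."""
    return sorted(set(denials) - set(granted))

def allow_rules(denials):
    """Fold remaining denials into policy-language allow rules, one per src/tgt/class."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in denials:
        perms[(src, tgt, tclass)].add(perm)
    return [f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(p))} }};"
            for (src, tgt, tclass), p in sorted(perms.items())]

# Assumption: files_mmap_usr_files(aide_t) grants exactly this tuple and nothing else
GRANTED_BY_FIX = {("aide_t", "usr_t", "file", "map")}
```

Calling `allow_rules(uncovered(parse_avc(AVC_SAMPLE), GRANTED_BY_FIX))` yields four rules, one each for `bin_t`, `bootloader_exec_t`, `fsadm_exec_t` and `user_cron_spool_t`, which is why the `-283.24` build did not silence the denials in the report.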