Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1554087

Summary: minidlna service runs as unconfined_service_t because of wrong file context pattern
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 27CC: dwalsh, lvrabec, mgrepl, plautrba, pmoore
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-283.28.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-20 18:17:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2018-03-11 11:29:34 UTC 
Description of problem:
SELinux policy defines following file context pattern:

# semanage fcontext -l | grep minidlna_exec_t
/usr/sbin/minidlna                                 regular file       system_u:object_r:minidlna_exec_t:s0 
#

but the minidlna package does not bring such a file. The package brings a /usr/sbin/minidlnad file which is labeled bin_t, but it should be labeled minidlna_exec_t.

Version-Release number of selected component (if applicable):
minidlna-1.2.1-1.fc27.x86_64
selinux-policy-3.13.1-283.26.fc27.noarch
selinux-policy-targeted-3.13.1-283.26.fc27.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 27 machine (targeted policy is active)
2. install RPMfusion free repositories
3. install the minidlna package
4. start the minidlna service
5. search for SELinux denials

Actual results:
* the minidlna service runs as unconfined_service_t

Expected results:
* the minidlna service runs as minidlna_t and it does not trigger SELinux denials in default configuration

Additional info:
* if /usr/sbin/minidlnad is labeled minidlna_exec_t, then following SELinux denials appear in permissive mode:
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:329): avc:  denied  { read } for  pid=2051 comm="minidlnad" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:330): avc:  denied  { read } for  pid=2051 comm="minidlnad" name="meminfo" dev="sysfs" ino=660 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:331): avc:  denied  { open } for  pid=2051 comm="minidlnad" path="/sys/devices/system/node/node0/meminfo" dev="sysfs" ino=660 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.286:332): avc:  denied  { getattr } for  pid=2051 comm="minidlnad" path="/sys/devices/system/node/node0/meminfo" dev="sysfs" ino=660 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.288:333): avc:  denied  { read } for  pid=2051 comm="minidlnad" name="unix" dev="proc" ino=4026532057 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.289:334): avc:  denied  { create } for  pid=2051 comm="minidlnad" scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:system_r:minidlna_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Sun Mar 11 06:51:54 2018
type=AVC msg=audit(1520765514.289:335): avc:  denied  { ioctl } for  pid=2051 comm="minidlnad" path="socket:[25584]" dev="sockfs" ino=25584 ioctlcmd=0x8933 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:system_r:minidlna_t:s0 tclass=unix_dgram_socket permissive=1
----
Comment 1 Fedora Update System 2018-03-12 18:12:49 UTC 
selinux-policy-3.13.1-283.28.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
Comment 2 Fedora Update System 2018-03-12 18:19:18 UTC 
selinux-policy-3.13.1-283.28.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
Comment 3 Fedora Update System 2018-03-14 01:35:52 UTC 
selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-32ebae3424
Comment 4 Fedora Update System 2018-03-20 18:17:26 UTC 
selinux-policy-3.13.1-283.28.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.