Strange AVC

Dominick Grift domg472 at gmail.com
Thu Oct 1 09:51:04 UTC 2009


On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym Chepkov wrote:
> Hi,
> 
> I am puzzled, what could have caused this kind of AVC:
> 
> type=SYSCALL msg=audit(1254270789.862:74347): arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="uptime" exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1254270789.862:74347): avc:  denied  { read } for  pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Well, uptime runs in the httpd_t domain and the httpd domain (uptime) tried to read the /var/run/utmp file. /var/run/utmp has an object type that is owned by init scripts for objects in /var/run.

You can and should check first whether the types are correct: should "uptime" in this scenario run in the httpd_t domain (is it called from a webapp (non-cgi)?), and is the target object labelled properly (matchpathcon /var/run/utmp)?

Once that is established you can verify whether httpd_t should be able to access the target type:

sesearch --allow -s httpd_t -t initrc_var_run_t  -c file -p read

With this information you are going to have to make your security decision.

Should you allow it or deny it?

I can tell you that in my configuration /var/run/utmp also has type initrc_var_run_t. So I guess that is what it should be.

What I cannot tell you is why and how uptime is executed in this scenario.
All i know is that it runs in the httpd_t domain.
> Sincerely yours,
>   Vadym Chepkov
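The triage the reply walks through (pull the source domain, target type, class and permission out of the AVC record, then confirm the label and query the policy) as an added example; this is not code from the thread. It parses the record quoted above, constructed here as sample input, and prints the checks to run; the /var/run/utmp path is an assumption passed in by the caller, since the AVC record only carries name="utmp".

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC record quoted in the thread.
SAMPLE_AVC = ('type=AVC msg=audit(1254270789.862:74347): avc:  denied  { read } for  '
              'pid=18808 comm="uptime" name="utmp" dev=sda1 ino=2474106 '
              'scontext=user_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: tuple      # permissions denied, e.g. ('read',)
    sdomain: str      # type component of scontext, e.g. httpd_t
    ttype: str        # type component of tcontext, e.g. initrc_var_run_t
    tclass: str       # object class, e.g. file
    fields: dict      # remaining key=value pairs (comm, name, pid, ...)


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(':')[2]


def parse_avc(line: str):
    """Parse one 'type=AVC ... avc: denied' record; return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return Denial(perms=tuple(m.group('perms').split()),
                  sdomain=context_type(fields['scontext']),
                  ttype=context_type(fields['tcontext']),
                  tclass=fields['tclass'], fields=fields)


def parse_log(text: str) -> list:
    """Collect all AVC denials from a block of audit.log text (SYSCALL lines are skipped)."""
    return [d for d in map(parse_avc, text.splitlines()) if d]


def verification_steps(d: Denial, path: str = None) -> list:
    """Commands in the order the reply suggests: confirm labelling first, then query policy."""
    steps = []
    if path:  # path is not in the record; the caller supplies it (assumed, e.g. /var/run/utmp)
        steps.append(f'matchpathcon {path}   # compare with tcontext type {d.ttype}')
    steps.append(f'sesearch --allow -s {d.sdomain} -t {d.ttype} -c {d.tclass} -p {",".join(d.perms)}')
    return steps


if __name__ == '__main__':
    for d in parse_log(SAMPLE_AVC):
        print(f'{d.fields["comm"]} in {d.sdomain} denied {d.perms} on {d.tclass} of type {d.ttype}')
        print('\n'.join(verification_steps(d, '/var/run/utmp')))
```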