Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 413061 - groupadd_t needs read access to default contexts
Summary: groupadd_t needs read access to default contexts
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r9
Keywords:
Depends on: 406819
Blocks:
  Show dependency tree
 
Reported: 2012-04-22 12:13 UTC by Sven Vermeulen (RETIRED)
Modified: 2012-07-30 16:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 12:13:26 UTC 
When trying to change a group, a failure occurs when SELinux is enabled:

"""
~# groupadd jboss
groupadd: failure while writing changes to /etc/group
"""

In the denial logs, we notice the following:
"""
Apr 22 14:05:35 testsys kernel: [ 3839.470998] type=1400 audit(1335096335.139:168): avc:  denied  { search } for  pid=3521 comm="groupadd" name="contexts" dev="vda1" ino=1091 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:default_context_t tclass=dir
"""

The groupadd application is selinux-aware (linked with libselinux) and needs proper access to the context definitions.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 12:24:07 UTC 
With seutil_read_default_contexts, the following denial occurs:

"""
Apr 22 14:17:11 testsys kernel: [ 4535.791950] type=1400 audit(1335097031.460:178): avc:  denied  { search } for  pid=10737 comm="groupadd" name="files" dev="vda1" ino=1122 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:file_context_t tclass=dir
"""

Adding seutil_read_file_contexts() as well makes things work again.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 12:42:44 UTC 
seutil_read_default_contexts can be eliminated, seutil_read_file_contexts contains the proper rights
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 12:46:25 UTC 
Will be in -r9
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-15 18:10:02 UTC 
r9 now in hardened-dev overlay
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-05-20 18:42:40 UTC 
r9 is now ~arch in main tree
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-07-30 16:36:12 UTC 
Stabilized