From: ossman@cendio.se (Pierre Ossman) Date: Mon, 8 Sep 2014 09:23:24 +0200 Subject: [refpolicy] write AVC on access()? Message-ID: <20140908092324.1bc7b98a@ossman.lkpg.cendio.se> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hi, I have a problem that our software is causing these on (at least) Fedora and RHEL: > type=AVC msg=audit(1409929323.649:42767): avc: denied { write } for pid=31220 comm="python-thinlinc" name="thinlinc.hconf" dev="dm-0" ino=2756323 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file > type=SYSCALL msg=audit(1409929323.649:42767): arch=c000003e syscall=21 success=yes exit=0 a0=db4c70 a1=2 a2=33925bff88 a3=0 items=0 ppid=29722 pid=31220 auid=210 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts7 ses=2 comm="python-thinlinc" exe="/usr/bin/python2.7" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) Syscall 21 is access() if I'm reading things correctly, and we are indeed doing an access(W_OK) on that file. But given the nature of access(), I was not expecting to trigger an AVC with the accompanying noise from setroubleshootd and friends. A return code indicating that we cannot write is fine and expected, but the warnings are not. What is the proper way to deal with this? That process will not (and should not) write to that file, so allowing writes seems very wrong. And putting a noaudit rule also feels like papering over the issue. (and getting rid of the access() call is non-trivial, so that's not really an option at this point) Rgds -- Pierre Ossman Software Development Cendio AB http://cendio.com Teknikringen 8 http://twitter.com/ThinLinc 583 30 Link?ping http://facebook.com/ThinLinc Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140908/f0e10908/attachment.bin