[DSE-Dev] Bug#697814: selinux-policy-default: exim4 and bitlbee want access to sysctl_crypto_t

Marius Gavrilescu marius at ieval.ro
Wed Jan 9 22:11:17 UTC 2013


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

For some reason exim4 and bitlbee are trying to read
/proc/sys/crypto/fips_enabled and SELinux doesn't let them.

These are the audit.log entries concerning exim4:
    type=AVC msg=audit(1357769011.179:17405): avc:  denied  { search } for  pid=1427 comm="exim4" name="crypto" dev=proc ino=5781 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
    type=AVC msg=audit(1357769011.179:17405): avc:  denied  { read } for  pid=1427 comm="exim4" name="fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
    type=AVC msg=audit(1357769011.179:17405): avc:  denied  { open } for  pid=1427 comm="exim4" name="fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
    type=SYSCALL msg=audit(1357769011.179:17405): arch=c000003e syscall=2 success=yes exit=4 a0=7ffc609af260 a1=0 a2=1b6 a3=0 items=1 ppid=1426 pid=1427 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm="exim4" exe="/usr/sbin/exim4" subj=system_u:system_r:exim_t:s0 key=(null)
    type=CWD msg=audit(1357769011.179:17405):  cwd="/var/spool/exim4"
    type=PATH msg=audit(1357769011.179:17405): item=0 name="/proc/sys/crypto/fips_enabled" inode=5782 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysctl_crypto_t:s0
    type=AVC msg=audit(1357769011.179:17406): avc:  denied  { getattr } for  pid=1427 comm="exim4" path="/proc/sys/crypto/fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
    type=SYSCALL msg=audit(1357769011.179:17406): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fffdd4935e0 a2=7fffdd4935e0 a3=0 items=0 ppid=1426 pid=1427 auid=4294967295 uid=101 gid=103 euid=101 suid=101 fsuid=101 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 comm="exim4" exe="/usr/sbin/exim4" subj=system_u:system_r:exim_t:s0 key=(null)

audit2allow suggests:
    #============= exim_t ==============
    allow exim_t sysctl_crypto_t:dir search;
    allow exim_t sysctl_crypto_t:file { read getattr open };

The same problem happens for bitlbee.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3~rc2-1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'

-- debconf-show failed
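The allow rules quoted in the report are what audit2allow derives by grouping AVC denials by source type, target type and object class and collecting the denied permissions. The following is an added example, not part of the bug report and not the audit2allow tool itself: a small Python parser that performs the same aggregation over the AVC records quoted above (embedded here as a constructed sample, with the non-AVC SYSCALL record shortened) and renders them in audit2allow's output layout. Permissions are listed in first-seen order, so the file rule comes out as `{ read open getattr }` rather than the `{ read getattr open }` in the report; the set is the same.

```python
import re
from collections import OrderedDict

# Constructed sample: the AVC records quoted in the bug report above, plus one
# shortened SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357769011.179:17405): avc:  denied  { search } for  pid=1427 comm="exim4" name="crypto" dev=proc ino=5781 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1357769011.179:17405): avc:  denied  { read } for  pid=1427 comm="exim4" name="fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1357769011.179:17405): avc:  denied  { open } for  pid=1427 comm="exim4" name="fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=SYSCALL msg=audit(1357769011.179:17405): arch=c000003e syscall=2 success=yes exit=4 comm="exim4" exe="/usr/sbin/exim4" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1357769011.179:17406): avc:  denied  { getattr } for  pid=1427 comm="exim4" path="/proc/sys/crypto/fips_enabled" dev=proc ino=5782 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
"""

# Matches the fields of an AVC record that an allow rule is built from.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    return {
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class), first-seen order."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        perms = rules.setdefault(key, [])
        for p in rec['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def render_allow_rules(rules):
    """Render the grouped denials in the layout audit2allow prints."""
    out = []
    current_stype = None
    for (stype, ttype, tclass), perms in rules.items():
        if stype != current_stype:
            out.append('#============= %s ==============' % stype)
            current_stype = stype
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        out.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return out


if __name__ == '__main__':
    for rule in render_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Running the parser over the bitlbee denials mentioned in the report would produce the corresponding `bitlbee_t` rules in the same way. One thing worth reading off the quoted records before adding any rule: the SYSCALL lines report `success=yes` alongside the AVC denials, which means the `exim_t` domain was running permissive when these were captured, so the allow rule changes nothing until the domain is enforcing again.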
