Bug 613369

Summary: audit2allow -Ral complains: "count not convert (...)<my type> to sid"
Product: Fedora
Component: selinux-policy
Reporter: Nicolas MONNET <nicolas.monnet>
Assignee: Daniel Walsh <dwalsh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, mgrepl
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: 13
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-07-12 21:12:18 UTC

Attachments: pipslite.pp (flags: none)

Description Nicolas MONNET 2010-07-11 00:53:47 UTC
Created attachment 430946

Description of problem:

I recently created a policy module (attached) for pipslite (Epson-provided printer drivers, attached); it used to work just fine but something's obviously changed a lot with a recent Fedora update, since first of all I had to explicitly allow unconfined_u to look at the file's attributes to avoid an avc:

allow unconfined_t pipslite_fifo_t:fifo_file getattr;

The avc was:

type=AVC msg=audit(1278807797.441:5107): avc:  denied  { getattr } for  pid=18094 comm="bash" path="/var/run/pipslitelp0" dev=dm-12 ino=1032 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1278807797.441:5107): arch=c000003e syscall=4 success=yes exit=0 a0=15b8930 a1=7fff2c5a1980 a2=7fff2c5a1980 a3=1 items=0 ppid=18093 pid=18094 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=348 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Second, I get weird warnings from audit2allow (even though it works ...):

[root@chimpy ~]# audit2allow -Ral
libsepol.context_from_record: type pipslite_socket_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:pipslite_socket_t:s0 to sid
libsepol.context_from_record: type pipslite_socket_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
(last 4 lines repeated a dozen times)

Version-Release number of selected component (if applicable):


How reproducible:

Every time I run audit2allow 

Steps to Reproduce:
1. install my policy module: semodule -i pipslite.pp
2. audit2allow -Ral
Actual results:

Lots of warnings

Expected results:

No such warnings

Additional info:

System was installed fresh as F10 and updated to F11, then F12 and F13; this has once caused a problem in the past so I mention it.

[root@chimpy ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

[root@chimpy ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0-s0:c0.c1023           
root                      unconfined_u              s0-s0:c0.c1023           
system_u                  system_u                  s0-s0:c0.c1023           

[root@chimpy ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/home/nico/Music(/.*)?    system_u:object_r:public_content_rw_t:s0

Comment 1 Nicolas MONNET 2010-07-11 00:54:39 UTC
Created attachment 430947

(pipslite.if empty)

Comment 2 Nicolas MONNET 2010-07-11 00:55:59 UTC
Created attachment 430948

compiled module

Comment 3 Nicolas MONNET 2010-07-11 00:58:20 UTC
Note that I didn't get any of this 2 weeks ago when I wrote the module, this just happened within the last few days. I was already upgraded to F13.

I also get this strange AVC:
SELinux is preventing /sbin/setfiles "getattr" access on /var/run/pipslitelp0.

Detailed Description:

SELinux denied access requested by restorecon. It is not expected that this
access is required by restorecon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug

Additional Information:

Source Context                system_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:pipslite_fifo_t:s0
Target Objects                /var/run/pipslitelp0 [ fifo_file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          chimpy.paris.monnet.biz
Source RPM Packages           policycoreutils-2.0.82-31.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     chimpy.paris.monnet.biz
Platform                      Linux chimpy.paris.monnet.biz #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 10 Jul 2010 04:07:43 AM CEST
Last Seen                     Sat 10 Jul 2010 04:07:43 AM CEST
Local ID                      8212d7d2-210f-401d-9aee-a5a1b518f3ea
Line Numbers                  

Raw Audit Messages            

node=chimpy.paris.monnet.biz type=AVC msg=audit(1278727663.651:4748): avc:  denied  { getattr } for  pid=9542 comm="restorecon" name="pipslitelp0" dev=dm-12 ino=1210 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file

node=chimpy.paris.monnet.biz type=SYSCALL msg=audit(1278727663.651:4748): arch=c000003e syscall=192 success=no exit=-13 a0=7fa0d4f680f0 a1=7fa0d2362689 a2=7fa0d5308490 a3=ff items=0 ppid=9415 pid=9542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)

Comment 4 Daniel Walsh 2010-07-12 19:10:38 UTC
Somewhere along the way you defined pipslite_socket_t which is no longer defined in policy.  The audit2allow command is reading an AVC about this socket and complaining.  Clear your /var/log/audit/audit.log and /var/log/messages and the problem should go away.
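
A way to see which audit records trigger these libsepol messages before clearing the log, as an added example in Python (not from the bug report and not audit2allow's own code): it takes the type field of every scontext/tcontext in type=AVC records and reports those absent from the loaded policy. It assumes setools' `seinfo -t` for the live type list; the sample log lines and type set below are constructed.

```python
import re
import subprocess
from typing import Iterable

# scontext=... and tcontext=... fields of a type=AVC audit record
CONTEXT_RE = re.compile(r"\b[st]context=(\S+)")


def context_type(ctx: str) -> str:
    """Return the type of a context written as user:role:type[:range]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def types_from_seinfo(output: str) -> set[str]:
    """Parse the text printed by 'seinfo -t' (setools, assumed): a 'Types: N'
    header followed by one indented type name per line."""
    return {ln.strip() for ln in output.splitlines()
            if ln.strip() and not ln.startswith("Types:")}


def loaded_policy_types() -> set[str]:
    """Types defined in the currently loaded policy (requires setools)."""
    return types_from_seinfo(subprocess.check_output(["seinfo", "-t"], text=True))


def stale_avcs(lines: Iterable[str], known: set[str]) -> list[tuple[str, str]]:
    """Return (undefined_type, record) for every AVC record whose source or
    target context names a type not in 'known'. These are the records libsepol
    cannot turn into a SID, which is what audit2allow is warning about."""
    found = []
    for line in lines:
        if "type=AVC" not in line:
            continue
        for ctx in CONTEXT_RE.findall(line):
            t = context_type(ctx)
            if t not in known:
                found.append((t, line.strip()))
    return found


# Constructed sample: the first record is the getattr denial from the report, the
# second names a type that an earlier module build defined and a later one dropped.
SAMPLE_LOG = """\
type=AVC msg=audit(1278807797.441:5107): avc:  denied  { getattr } for  pid=18094 comm="bash" path="/var/run/pipslitelp0" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file
type=AVC msg=audit(1278700000.000:4000): avc:  denied  { write } for  pid=9001 comm="pipslite" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:pipslite_socket_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1278700000.000:4000): arch=c000003e syscall=1 success=no exit=-13
"""
# Constructed stand-in for the seinfo output; on a live system use loaded_policy_types().
SAMPLE_POLICY_TYPES = {"unconfined_t", "initrc_t", "pipslite_fifo_t", "setfiles_t"}

if __name__ == "__main__":
    for t, rec in stale_avcs(SAMPLE_LOG.splitlines(), SAMPLE_POLICY_TYPES):
        print(f"undefined type {t}: {rec[:60]}...")
```

Run against /var/log/audit/audit.log with loaded_policy_types() it lists exactly the stale records, so they can be filtered by timestamp rather than discarding the whole log.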

Comment 5 Nicolas MONNET 2010-07-12 20:11:13 UTC
Alright, that fixed it. But btw, what's with having to explicitly allow unconfined_u to look at the new type's attribute? Why is it popping up just now, and why at all?

Comment 6 Daniel Walsh 2010-07-12 21:12:08 UTC
It is not a new attribute, it is an undefined attribute. I am guessing you loaded policy that defined the type, then removed it; when you run audit2allow on it, audit2allow is telling you it is an undefined type.

audit2allow has gotten a little smarter and tries to do some analysis on avc messages.  The analysis is causing the problem.