Bug 622140

Summary: SELinux is preventing /bin/bash access to a leaked /root file descriptor
Product: [Fedora] Fedora
Reporter: Martin Kho <rh-bugzilla>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: benjavalero, dwalsh, john5342, mgrepl
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.8.8-20.fc14
Doc Type: Bug Fix
Last Closed: 2010-09-01 06:02:42 UTC

Description Martin Kho 2010-08-07 16:47:52 UTC
Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the prelink command. It looks like this is
either a leaked descriptor or prelink output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /root. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        prelink
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-4.fc15
Target RPM Packages           filesystem-2.4.35-1.fc14
Policy RPM                    selinux-policy-3.8.8-8.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.36-0.0.rc0.git1.fc15.x86_64 #1 SMP Wed Aug 4
                              16:26:35 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 07 Aug 2010 11:26:10 AM CEST
Last Seen                     Sat 07 Aug 2010 11:26:10 AM CEST
Local ID                      9a7823b0-0c5d-40dd-8c51-1d2cd135691c
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1281173170.521:24): avc:  denied  { read } for  pid=26133 comm="prelink" path="/root" dev=sda8 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1281173170.521:24): arch=c000003e syscall=59 success=yes exit=0 a0=1507d70 a1=1507a60 a2=1507530 a3=8 items=0 ppid=2392 pid=26133 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)
Description of problem:

Additional info:
This is a manual report, because /usr/bin/sealert crashed. I'll create a separate report.

Comment 1 Benjamín Valero Espinosa 2010-08-11 08:07:16 UTC
Información Adicional:

Contexto Fuente               system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Contexto Destino              system_u:object_r:admin_home_t:s0
Objetos Destino               /root [ dir ]
Fuente                        prelink
Dirección de Fuente          /bin/bash
Puerto                        <Desconocido>
Nombre de Equipo              (eliminado)
Paquetes RPM Fuentes          bash-4.1.7-1.fc13
Paquetes RPM Destinos         filesystem-2.4.31-1.fc13
RPM de Políticas             selinux-policy-3.7.19-44.fc13
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Permissive
Nombre de Plugin              leaks
Nombre de Equipo              (eliminado)
Plataforma                    Linux localhost.localdomain 2.6.34.2-34.fc13.i686
                              #1 SMP Thu Aug 5 23:34:56 UTC 2010 i686 i686
Cantidad de Alertas           1
Visto por Primera Vez         mié 11 ago 2010 08:49:36 CEST
Visto por Última Vez         mié 11 ago 2010 08:49:36 CEST
ID Local                      8a7ebb30-a3e9-4f6e-95c3-40721e137644
Números de Línea            

Mensajes de Auditoría Crudos 

node=localhost.localdomain type=AVC msg=audit(1281509376.85:24): avc:  denied  { read } for  pid=13985 comm="prelink" path="/root" dev=sda2 ino=307 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1281509376.85:24): arch=40000003 syscall=11 success=yes exit=0 a0=9856c20 a1=9856f08 a2=9853b88 a3=9856f08 items=0 ppid=13798 pid=13985 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
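
Added example, not part of the original report and not setroubleshoot's own `leaks` plugin logic: this Python pairs each AVC record with the SYSCALL record of the same audit event and flags denials raised inside `execve()` (syscall 59 on x86_64, 11 on i386) against an object other than the program being executed, which is the pattern both reports above show. The heuristic, the function names `parse` and `leak_candidates`, and the third sample event are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Events 1-2: raw audit messages quoted in this report (SYSCALL records
# trimmed). Event 3: constructed non-leak contrast case (open() denial).
SAMPLE = '''\
node=(removed) type=AVC msg=audit(1281173170.521:24): avc:  denied  { read } for  pid=26133 comm="prelink" path="/root" dev=sda8 ino=742 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1281173170.521:24): arch=c000003e syscall=59 success=yes exit=0 pid=26133 comm="prelink" exe="/bin/bash"
node=localhost.localdomain type=AVC msg=audit(1281509376.85:24): avc:  denied  { read } for  pid=13985 comm="prelink" path="/root" dev=sda2 ino=307 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1281509376.85:24): arch=40000003 syscall=11 success=yes exit=0 pid=13985 comm="prelink" exe="/bin/bash"
node=example type=AVC msg=audit(1281600000.100:31): avc:  denied  { read } for  pid=4242 comm="prelink" name="example.conf" dev=sda8 ino=999 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
node=example type=SYSCALL msg=audit(1281600000.100:31): arch=c000003e syscall=2 success=no exit=-13 pid=4242 comm="prelink" exe="/usr/sbin/prelink"
'''
EXECVE = {"c000003e": "59", "40000003": "11"}  # audit arch -> execve number
EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint", "transition"}

def parse(log):
    """Group records by event id (timestamp:serial); one AVC per event assumed."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        perms = re.search(r"\{ ([^}]*) \}", line)
        rec["perms"] = set(perms.group(1).split()) if perms else set()
        events[m.group(2)][m.group(1)] = rec
    return events

def leak_candidates(log):
    """AVC denials raised inside execve() on an object other than the program
    being executed: the descriptor was inherited, not opened by the new domain."""
    hits = []
    for eid, recs in parse(log).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or EXECVE.get(sc.get("arch"), "?") != sc.get("syscall"):
            continue
        if avc.get("tclass") == "process" or avc["perms"] & EXEC_PERMS:
            continue  # ordinary exec-time checks, not an inherited descriptor
        if avc.get("path") and avc["path"] != sc.get("exe"):
            hits.append((eid, avc["scontext"].split(":")[2], avc["path"], avc["tclass"]))
    return hits

if __name__ == "__main__":
    for hit in leak_candidates(SAMPLE):
        print(hit)
```

A candidate still needs a look at the parent process (`ppid` in the SYSCALL record) to find which program left the descriptor open across `exec`.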

Comment 2 Daniel Walsh 2010-08-11 12:24:35 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.8.8-12.fc14

Comment 3 Fedora Update System 2010-08-25 03:10:54 UTC
selinux-policy-3.8.8-20.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 4 Fedora Update System 2010-08-25 13:30:36 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 5 Fedora Update System 2010-08-26 18:37:00 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-20.fc14

Comment 6 Fedora Update System 2010-09-01 06:01:11 UTC
selinux-policy-3.8.8-20.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.