| Summary: | AVC when hostname as ksh cmd subs in cluster env | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Filip Krska <fkrska> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.7 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-21 09:49:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Filip Krska
2016-11-30 17:36:28 UTC
Interesting, I can confirm the behaviour, but my ausearch results differ:

```
# runcon -t cluster_t -r system_r ksh /tmp/hostname.ksh
----
type=PATH msg=audit(12/01/16 10:03:36.854:58) : item=0 name=/bin/ksh inode=525305 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(12/01/16 10:03:36.854:58) : cwd=/root
type=SYSCALL msg=audit(12/01/16 10:03:36.854:58) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd02228f35 a1=0x7ffd02229160 a2=0x7ffd02229178 a3=0x1f items=1 ppid=5969 pid=6071 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/01/16 10:03:36.854:58) : avc: denied { transition } for pid=6071 comm=runcon path=/bin/ksh93 dev=dm-0 ino=525305 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 tclass=process
----
# runcon -t cluster_t -r system_r /bin/ksh93 /tmp/hostname.ksh
----
type=PATH msg=audit(12/01/16 10:11:43.767:92) : item=1 name=(null) inode=524597 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(12/01/16 10:11:43.767:92) : item=0 name=/bin/ksh93 inode=525305 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(12/01/16 10:11:43.767:92) : cwd=/root
type=EXECVE msg=audit(12/01/16 10:11:43.767:92) : argc=2 a0=/bin/ksh93 a1=/tmp/hostname.ksh
type=SYSCALL msg=audit(12/01/16 10:11:43.767:92) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeaf61d666 a1=0x7ffeaf61cdf0 a2=0x7ffeaf61ce08 a3=0x1f items=2 ppid=5969 pid=6177 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=ksh93 exe=/bin/ksh93 subj=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/01/16 10:11:43.767:92) : avc: denied { transition } for pid=6177 comm=runcon path=/bin/ksh93 dev=dm-0 ino=525305 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 tclass=process
----
type=PATH msg=audit(12/01/16 10:11:43.815:98) : item=1 name=(null) inode=524597 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(12/01/16 10:11:43.815:98) : item=0 name=/bin/hostname inode=525286 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(12/01/16 10:11:43.815:98) : cwd=/root
type=EXECVE msg=audit(12/01/16 10:11:43.815:98) : argc=1 a0=/bin/hostname
type=SYSCALL msg=audit(12/01/16 10:11:43.815:98) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f91dc7f2958 a1=0x7f91dc7f26f0 a2=0x7f91dc7f2818 a3=0x8 items=2 ppid=6177 pid=6181 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=hostname exe=/bin/hostname subj=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/01/16 10:11:43.815:98) : avc: denied { write } for pid=6181 comm=hostname path=/tmp/sf2d.1l8 (deleted) dev=dm-0 ino=522874 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cluster_tmp_t:s0 tclass=file
----
```

Policy includes dontaudit rules.

```
$ rpm -q ksh selinux-policy
ksh-20120801-33.el6.x86_64
selinux-policy-3.7.19-292.el6_8.2.noarch
$ ls -Z /bin/ksh /etc/alternatives/ksh /bin/ksh93 /tmp/hostname.ksh
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 /bin/ksh -> /etc/alternatives/ksh
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/ksh93
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0 /etc/alternatives/ksh -> /bin/ksh93
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/hostname.ksh
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html
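Correlating each AVC with the SYSCALL record that carries the same audit serial is how an analyst tells which denials actually failed a call; in the records above it separates the refused execve (event 58) from the hostname write denial (event 98), where execve succeeded and the refused write was the exec-time check on a descriptor hostname inherited across the domain transition. The Python below is an added example, not code from the bug report or the selinux-policy project; it embeds those two events with the SYSCALL lines trimmed to the fields it reads, and the audit2allow-style rule it derives is a triage hint, not the fix that shipped in the erratum:

```python
import re

# Constructed sample: the SYSCALL and AVC records of events 58 and 98 from the
# bug report above, with the SYSCALL lines trimmed to the fields read here.
SAMPLE = """\
type=SYSCALL msg=audit(12/01/16 10:03:36.854:58) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) comm=runcon exe=/usr/bin/runcon
type=AVC msg=audit(12/01/16 10:03:36.854:58) : avc: denied { transition } for pid=6071 comm=runcon path=/bin/ksh93 dev=dm-0 ino=525305 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(12/01/16 10:11:43.815:98) : arch=x86_64 syscall=execve success=yes exit=0 comm=hostname exe=/bin/hostname
type=AVC msg=audit(12/01/16 10:11:43.815:98) : avc: denied { write } for pid=6181 comm=hostname path=/tmp/sf2d.1l8 (deleted) dev=dm-0 ino=522874 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cluster_tmp_t:s0 tclass=file
"""
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
AVC_RE = re.compile(r"avc: +(denied|granted) +\{ *([^}]+?) *\} +for +(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_audit(text):
    """Group records by audit serial: {serial: {"avcs": [...], "success": ...}}."""
    events = {}
    for line in text.splitlines():
        sm = SERIAL_RE.search(line)
        if not sm:
            continue
        ev = events.setdefault(sm.group(1), {"avcs": [], "success": None})
        if line.startswith("type=SYSCALL"):
            ev["success"] = dict(FIELD_RE.findall(line)).get("success")
        elif line.startswith("type=AVC"):
            am = AVC_RE.search(line)
            rec = dict(FIELD_RE.findall(am.group(3)))
            rec["verdict"], rec["perms"] = am.group(1), am.group(2).split()
            # The type is the third colon-separated field of an SELinux context.
            rec["stype"] = rec["scontext"].split(":")[2]
            rec["ttype"] = rec["tcontext"].split(":")[2]
            ev["avcs"].append(rec)
    return events

def allow_rule(rec):
    """The allow rule, in the form audit2allow prints it, that this denial implies."""
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ %s }" % " ".join(rec["perms"])
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perms)

def triage(text):
    """One row per denial; 'blocked' is True only if that event's syscall failed.
    Event 58: execve refused outright.  Event 98: execve succeeded, the refused
    write was on a descriptor that hostname inherited across the transition."""
    rows = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        for rec in ev["avcs"]:
            if rec["verdict"] == "denied":
                rows.append({"serial": serial, "comm": rec.get("comm"),
                             "blocked": ev["success"] == "no", "rule": allow_rule(rec)})
    return rows
```

Running `triage(SAMPLE)` yields two rows: event 58 blocked with `allow unconfined_t cluster_t:process transition;`, and event 98 not blocked with `allow hostname_t cluster_tmp_t:file write;`.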