Bug 165188

Summary: Strict policy breaks ddclient
Product: Fedora
Reporter: W. Michael Petullo <redhat>
Component: selinux-policy-strict
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
Hardware: All
OS: Linux
Fixed In Version: 1.25.4-10
Doc Type: Bug Fix
Last Closed: 2005-09-05 05:40:36 UTC

Attachments:
DDclient patch to fix cache creation (Flags: none)

Description W. Michael Petullo 2005-08-05 01:52:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.10) Gecko/20050720 Epiphany/1.7.2

Description of problem:
Fedora Extras provides the ddclient package.  Ddclient allows one to update a dyndns.org DNS record automatically.

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
Try to execute ddclient when SELinux is enforcing the strict policy.

Actual Results:
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { write } for  pid=4360 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { add_name } for  pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { create } for  pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123206458.903:2140046): arch=40000003 syscall=5 success=yes exit=3 a0=99fde50 a1=8241 a2=1b6 a3=8241 items=1 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123206458.903:2140046):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123206458.903:2140046): item=0 name="/var/cache/ddclient.cache" flags=310  inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123206458.905:2140058): avc:  denied  { write } for  pid=4360 comm="ddclient" name="ddclient.cache" dev=hda2 ino=15053 scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123206458.905:2140058): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9a0f320 a2=114 a3=9a0f320 items=0 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123206458.905:2140058):  path="/var/cache/ddclient.cache"

Additional info:

The following seems to allow ddclient to work:

# file contexts:
/usr/sbin/ddclient      --      system_u:object_r:ddclient_exec_t
/etc/ddclient.conf      --      system_u:object_r:ddclient_etc_t

# type enforcement rules:
type ddclient_exec_t, file_type, sysadmfile, exec_type;
type ddclient_etc_t, file_type, sysadmfile, exec_type;
type ddclient_t, domain, privlog, fs_domain;

domain_auto_trans(initrc_t, ddclient_exec_t, ddclient_t)

can_network(ddclient_t)
allow ddclient_t devtty_t:chr_file { read write };
allow ddclient_t var_t:file { read ioctl };
# execute perl:
allow ddclient_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(ddclient_t, { bin_t sbin_t })
allow ddclient_t bin_t:lnk_file read;
# end execute perl
allow ddclient_t sshd_t:fd use;
allow ddclient_t urandom_device_t:chr_file read;
allow ddclient_t proc_t:lnk_file read;
allow ddclient_t ddclient_etc_t:file { ioctl read getattr };
allow ddclient_t null_device_t:chr_file { ioctl read };
# macro? :
allow ddclient_t var_run_t:dir { add_name };
allow ddclient_t var_run_t:file { create ioctl write };
allow ddclient_t var_t:file { getattr };
allow ddclient_t http_port_t:tcp_socket { name_connect };
allow ddclient_t user_devpts_t:chr_file { ioctl read write };
allow ddclient_t ddclient_t:dir search;
allow ddclient_t ddclient_t:lnk_file read;
allow ddclient_t lib_t:file { read ioctl };
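
As a triage aid for the denials quoted in this report (an added example, not code from the bug or from the ddclient or selinux-policy packages), this script merges AVC records into the allow rules audit2allow would propose and flags programs still running as initrc_t, which is the missing domain transition the fragment above supplies. Treat the generated rules as a description of the gap, not a fix: the resolution here was a proper domain and file label for ddclient, not letting initrc_t write to var_t.

```python
import re
from collections import defaultdict

# Audit records copied verbatim from the "Actual Results" of this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { write } for  pid=4360 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { add_name } for  pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { create } for  pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123206458.903:2140046): arch=40000003 syscall=5 success=yes exit=3 a0=99fde50 a1=8241 a2=1b6 a3=8241 items=1 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
"""

AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=\d+ comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC records (SYSCALL, CWD, PATH)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    return rec

def type_of(context):
    # A context is user:role:type[:range]; allow rules name only the type.
    return context.split(":")[2]

def summarize(log):
    """Merge denials by (source type, target type, object class), as audit2allow does."""
    merged = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            merged[key] |= rec["perms"]
    return {k: sorted(v) for k, v in merged.items()}

def allow_rules(log):
    """Render the merged denials as policy allow rules, one per (source, target, class)."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summarize(log).items())]

def untransitioned(log):
    """Programs denied while still in initrc_t: no domain_auto_trans fired for them."""
    return sorted({rec["comm"] for rec in map(parse_avc, log.splitlines())
                   if rec is not None and type_of(rec["scontext"]) == "initrc_t"})
```

Running `allow_rules(SAMPLE_AVCS)` on the report's records yields rules for initrc_t against var_t, and `untransitioned(SAMPLE_AVCS)` names ddclient, which together point at a missing ddclient_t domain rather than at rules for initrc_t.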

Comment 1 Daniel Walsh 2005-08-05 18:02:32 UTC
Did you try the policy that was already in the unused directory of strict policy?

/etc/selinux/strict/src/policy/domains/program/unused/ddclient.te

Comment 2 W. Michael Petullo 2005-08-07 02:46:56 UTC
I did not know strict/src/policy/domains/program/unused/ddclient.te existed.

I don't think /var/cache/ddclient.cache is created with the proper context
(ddclient creates it as root:object_r:var_t.)

Here are the messages that are logged when I use this policy fragment:

type=AVC msg=audit(1123382532.061:6803231): avc:  denied  { read write } for  pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.061:6803231): arch=40000003 syscall=11 success=yes exit=0 a0=82a1340 a1=828e178 a2=828e308 a3=0 items=3 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123382532.061:6803231):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382532.061:6803231): item=0 name="/usr/sbin/ddclient" flags=101  inode=32909 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1123382532.061:6803231): item=1 flags=101  inode=33489 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1123382532.061:6803231): item=2 flags=101  inode=47064 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382532.084:6803376): avc:  denied  { ioctl } for  pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.084:6803376): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382532.084:6803376):  path="/dev/pts/1"
type=AVC msg=audit(1123382533.231:6805020): avc:  denied  { search } for  pid=11255 comm="sh" name="/" dev=devpts ino=1 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:devpts_t tclass=dir
type=SYSCALL msg=audit(1123382533.231:6805020): arch=40000003 syscall=5 success=yes exit=3 a0=80c78f6 a1=8802 a2=0 a3=8802 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1123382533.231:6805020):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.231:6805020): item=0 name="/dev/tty" flags=101  inode=2240 dev=00:0d mode=020666 ouid=0 ogid=0 rdev=05:00
type=AVC msg=audit(1123382533.235:6805055): avc:  denied  { search } for  pid=11255 comm="sh" name="src" dev=hda2 ino=63918 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=AVC msg=audit(1123382533.235:6805055): avc:  denied  { getattr } for  pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=SYSCALL msg=audit(1123382533.235:6805055): arch=40000003 syscall=195 success=yes exit=0 a0=9371830 a1=bfeda0ac a2=229ff4 a3=bfeda0ac items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1123382533.235:6805055):  path="/etc/selinux/strict/src/policy"
type=CWD msg=audit(1123382533.235:6805055):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.235:6805055): item=0 name="/etc/selinux/strict/src/policy" flags=1  inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.237:6805075): avc:  denied  { read } for  pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=SYSCALL msg=audit(1123382533.237:6805075): arch=40000003 syscall=5 success=yes exit=3 a0=80d39e2 a1=18800 a2=22b8b8 a3=9373588 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1123382533.237:6805075):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.237:6805075): item=0 name="." flags=103  inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { write } for  pid=11253 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { add_name } for  pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { create } for  pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.246:6805157): arch=40000003 syscall=5 success=yes exit=3 a0=9c41e50 a1=8241 a2=1b6 a3=8241 items=1 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123382533.246:6805157):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.246:6805157): item=0 name="/var/cache/ddclient.cache" flags=310  inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.248:6805158): avc:  denied  { ioctl } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805158): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.248:6805158):  path="/var/cache/ddclient.cache"
type=AVC msg=audit(1123382533.248:6805160): avc:  denied  { getattr } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805160): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=998c068 a2=a46ff4 a3=9c42142 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.248:6805160):  path="/var/cache/ddclient.cache"
type=AVC msg=audit(1123382533.249:6805169): avc:  denied  { write } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.249:6805169): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9c53320 a2=114 a3=9c53320 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.249:6805169):  path="/var/cache/ddclient.cache"

Comment 3 Daniel Walsh 2005-08-07 10:05:39 UTC
Created attachment 117523 [details]
DDclient patch to fix cache creation

If you apply this patch to ddclient.te, does it fix your problems?  You might
need to restorecon /var/cache/ddclient*

This patch will be in the next update, although we do not ship ddclient.te...

Comment 4 W. Michael Petullo 2005-08-08 02:40:55 UTC
The patch in comment #3 seems to work.

Comment 5 Daniel Walsh 2005-08-25 19:43:33 UTC
Fixed in policy version 1.25.4-10