Bug 1827214
| Summary: | Segfault when executing a bash script from a custom context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED NOTABUG | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.8 | CC: | lvrabec, mmalik, omosnace, plautrba, ssekidde, vmojzis |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-28 11:52:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: A customer created his own context "foo_t" and corresponding "foo_exec_t" that is used to run custom processes executed by a confined user mapped to "user_u". He has a custom policy for this (see below the example). Since kernel >= 3.10.0-1127 (RHEL 7.8), execution of a script labeled "foo_exec_t" segfaults. This worked fine with kernel <= 3.10.0-1062.12.1 (RHEL 7.7). foo.te: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- policy_module(foo,1.0.0) require { role user_r; type user_t; } type foo_t; domain_type(foo_t) type foo_exec_t; corecmd_executable_file(foo_exec_t) domain_entry_file(foo_t, foo_exec_t) role user_r types foo_t; domtrans_pattern(user_t, foo_exec_t, foo_t) userdom_search_user_home_dirs(foo_t) userdom_use_user_ptys(foo_t) kernel_dontaudit_read_system_state(foo_t) -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- With the segfault comes the following AVC ("allow foo_t shell_exec_t:file execute"): -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- time->Thu Apr 23 13:44:52 2020 type=PROCTITLE msg=audit(1587642292.537:244): proctitle="(null)" type=SYSCALL msg=audit(1587642292.537:244): arch=c000003e syscall=59 success=no exit=-13 a0=11d7d30 a1=1108640 a2=120d7a0 a3=7ffff7b0aba0 items=0 ppid=2394 pid=2967 auid=1003 uid=1003 gid=1003 euid=1003 suid=1003 fsuid=1003 egid=1003 sgid=1003 fsgid=1003 tty=pts0 ses=6 comm="foo" exe="/usr/bin/bash" subj=user_u:user_r:foo_t:s0 key=(null) type=AVC msg=audit(1587642292.537:244): avc: denied { execute } for pid=2967 comm="foo" path="/usr/bin/bash" dev="dm-0" ino=50369019 scontext=user_u:user_r:foo_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- The AVC pops up when the kernel tries to execute the bash interpreter (shell_exec_t) Version-Release number of selected component (if applicable): kernel-3.10.0-1127 How reproducible: Always Steps to Reproduce: 1. Create a confined user # useradd -Z user_u user # echo "user" | passwd --stdin user 2. Create the custom policy module # make -f /usr/share/selinux/devel/Makefile foo.pp # semodule -i foo.pp 3. Create the dummy script in /usr/local/bin # cat > /usr/local/bin/foo << EOF #!/bin/bash echo "Hello world" EOF # chmod +x /usr/local/bin/foo # chcon -t foo_exec_t /usr/local/bin/foo 4. Switch to "user" user and execute the script $ id -Z user_u:user_r:user_t:s0 $ /usr/local/bin/foo Actual results: " Segmentation fault " Expected results: " Hello world " Additional info: