Bug 220598

Summary: [lspp] unable to run 'ybin' while enforcing mls policy
Product: Red Hat Enterprise Linux 5
Reporter: Klaus Kiwi (Old account no longer used) <klaus>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5.0
CC: iboverma, krisw, sgrubb
Target Milestone: ---
Target Release: ---
Hardware: ppc64
OS: Linux
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-08 01:59:31 UTC

Description Klaus Kiwi (Old account no longer used) 2006-12-22 13:44:22 UTC
Description of problem:
[root@zaphod lspp-rpms]# rpm -ivh kernel-*
warning: kernel-2.6.18-1.2910.el5.ppc64.rpm: Header V3 DSA signature: NOKEY, key
ID 897da07a
Preparing...                ########################################### [100%]
   1:kernel-devel           ########################################### [ 50%]
   2:kernel                 ########################################### [100%]
ybin: /dev/sda1: Permission denied

later:
[root@zaphod lspp-rpms]# ybin 
ybin: /dev/sda1: Permission denied

security context:
[root@zaphod lspp-rpms]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh


Version-Release number of selected component (if applicable):


How reproducible:
try to run ybin while in enforcing mode

Steps to Reproduce:
1.boot RHEL5 with mls policy, enforcing SELinux
2.log-in as root:sysadm_r
3.run 'ybin'
  
Actual results:
ybin: /dev/sda1: Permission denied

Expected results:
to work

Additional info:
==AVCs====
type=AVC msg=audit(1166794030.846:472): avc:  denied  { search } for  pid=2496
comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858
scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.846:472): arch=14 syscall=195 success=no
exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0
ppid=2493 pid=2496 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash"
subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1166794030.847:473): avc:  denied  { search } for  pid=2495
comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858
scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.847:473): arch=14 syscall=195 success=no
exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0
ppid=2493 pid=2495 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash"
subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
================

current workaround is to run ybin while in permissive mode

Comment 1 Klaus Kiwi (Old account no longer used) 2006-12-22 13:47:33 UTC
forgot to add:
[root@zaphod lspp-rpms]# rpm -qa | egrep policy
checkpolicy-1.33.1-2.el5
selinux-policy-devel-2.4.6-15.el5
selinux-policy-mls-2.4.6-15.el5
policycoreutils-1.33.6-6.el5
selinux-policy-2.4.6-15.el5
policycoreutils-newrole-1.33.6-6.el5
selinux-policy-targeted-2.4.6-15.el5
[root@zaphod lspp-rpms]# 

using 1218 refresh on an IBM POWER (lpar)

Comment 2 Klaus Kiwi (Old account no longer used) 2006-12-22 14:50:11 UTC
audit2allow yields:

allow bootloader_t fixed_disk_device_t:blk_file write;


Comment 3 RHEL Program Management 2007-01-03 16:00:59 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 6 Steve Grubb 2007-01-09 16:53:40 UTC
SELinux policy has been updated since this was filed. We are wanting to know if
this problem still exists with current selinux policy. Thanks.

Comment 7 Klaus Kiwi (Old account no longer used) 2007-01-09 19:12:00 UTC
Seems to be working fine.
There is one thing to notice, though - I tested the above by simply upgrading
the kernel, kernel-dev packages to the latest lspp (.61) versions (it should run
ybin while in %post - well, tested it standalone run as well). There were some
AVC denials in the process. I don't really know if this is of any harm, but
since it's a relatively common task, I'd like you to take a look and see for
yourself (couldn't find any other symptom besides AVC messages)

command:
[root@zaphod klausk_rpms]# rpm -Uvh kernel-*.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [ 50%]
   2:kernel-devel           ########################################### [100%]
[root@zaphod klausk_rpms]#

audit.log (covering the whole task above):
type=AVC msg=audit(1168367356.552:222): avc:  granted  { setexec } for  pid=1502
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367356.552:222): arch=14 syscall=4 success=yes
exit=43 a0=14 a1=10618c20 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=1502
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1168367356.736:223): arch=14 syscall=11 success=yes
exit=0 a0=1011f968 a1=10112860 a2=10115c88 a3=0 items=0 ppid=1505 pid=1513
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="depmod" exe="/sbin/depmod" subj=root:sysadm_r:depmod_t:s0-s15:c0.c1023
key=(null)
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
type=AVC msg=audit(1168367423.044:224): avc:  granted  { setexec } for  pid=2303
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.044:224): arch=14 syscall=4 success=yes
exit=43 a0=15 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2303
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367423.104:225): avc:  granted  { setexec } for  pid=2304
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.104:225): arch=14 syscall=4 success=yes
exit=43 a0=14 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2304
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)

You may close the bug. Please contact me if you need a bug report for the above.

 Klaus
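
The AVC records quoted in this comment and the ybin denials from the original description, run through an audit2allow-style summariser written as an added example (it is not part of this bug report or of policycoreutils): it merges denied records by source type, target type and object class, unions their permissions, and skips granted records and non-AVC lines, which is why the depmod denial collapses to a single rule.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in this bug (line breaks re-joined) plus
# one SYSCALL record, which the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1166794030.846:472): avc:  denied  { search } for  pid=2496 comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858 scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.846:472): arch=14 syscall=195 success=no exit=-13
type=AVC msg=audit(1166794030.847:473): avc:  denied  { search } for  pid=2495 comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858 scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for  pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.552:222): avc:  granted  { setexec } for  pid=1502 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r' tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()      # "{ read write }" -> ["read", "write"]
    return rec

def _type_of(context):
    """Third colon-separated field of a security context, e.g. bootloader_t."""
    return context.split(":")[2]

def _fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def denials_to_allow_rules(log_text):
    """Collapse denied AVC records into audit2allow-style allow rules; records with
    the same (source type, target type, class) are merged, granted ones skipped."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (_type_of(rec["scontext"]), _type_of(rec["tcontext"]), rec["tclass"])
        merged[key].update(rec["perms"])
    return sorted("allow %s %s:%s %s;" % (s, t, c, _fmt_perms(p))
                  for (s, t, c), p in merged.items())
```

Calling denials_to_allow_rules(SAMPLE_AUDIT_LOG) yields two rules, one for the ybin search denial and one for the depmod read/write denial; as with real audit2allow output, such rules show what the denial was, not whether granting it is the right fix.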

Comment 8 Daniel Walsh 2007-01-11 19:58:40 UTC
Fixed in selinux-policy-2.4.6-25

Comment 9 RHEL Program Management 2007-02-08 01:59:31 UTC
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.