Bug 236774

Summary: avc denial of useradd writing to /var/log/faillog
Product: [Fedora] Fedora
Reporter: Zack Cerza <zcerza>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: benl, dwalsh, grdetil, katzj
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-02 21:18:53 UTC
Attachments (description, flags):
anaconda.log: none
/root/install.log from Fedora 7 Test 4 installation: none
/var/log/anaconda.log from Fedora 7 Test 4 installation: none

Description Zack Cerza 2007-04-17 16:26:50 UTC
Description of problem:
The following occurred when I was installing openoffice.org-writer (and 18
dependencies):

avc: denied { read, write } for comm="useradd" dev=sda3 egid=0 euid=0
exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="faillog"
pid=9251 scontext=user_u:system_r:useradd_t:s0 sgid=0
subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=pts1 uid=0 

Version-Release number of selected component (if applicable):
shadow-utils-4.0.18.1-13.fc7.i386
selinux-policy-targeted-2.5.12-2.fc7.noarch

Comment 1 Daniel Walsh 2007-04-17 17:49:41 UTC
This is a labeling problem that should be fixed on initial install of FC7. 
restorecon -R -v /var/log 
will fix it.

Comment 2 Gilles Detillieux 2007-04-27 20:41:14 UTC
I just installed Fedora 7 Test 4 (6.93), and I got a similar avc error to the
one above.  For me, it happened when I did a "yum install caching-nameserver". 
Yum installed "bind" as a dependency, and bind's preinstall script did a useradd
to create the "named" user ID.  That triggered the error when trying to access
faillog.  The restorecon command above reset the context for /var/log/faillog,
/var/log/tallylog and /var/log/yum.log.  They were all var_log_t, and were
changed to faillog_t for the first two, and rpm_log_t for yum.log.

Whatever should be fixed in FC7 isn't fixed yet in Test 4.
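
Added example (not part of the bug thread or of any Fedora tool): a small triage helper that parses the AVC record from the description and decides whether the denial points at a mislabeled file rather than a missing policy rule. The function names are hypothetical, and the expected-type table contains only the three files named in comment 2.

```python
import re

# Expected types for the files comment 2 reports restorecon relabeling.
EXPECTED_TYPES = {
    "faillog": "faillog_t",
    "tallylog": "faillog_t",
    "yum.log": "rpm_log_t",
}

# The AVC record from the bug description, joined onto one line.
SAMPLE_AVC = (
    'avc: denied { read, write } for comm="useradd" dev=sda3 egid=0 euid=0 '
    'exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="faillog" pid=9251 scontext=user_u:system_r:useradd_t:s0 sgid=0 '
    'subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:var_log_t:s0 tty=pts1 uid=0'
)

_PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the record's key=value fields plus a 'perms' list, or None."""
    match = _PERMS.search(line)
    if match is None:
        return None
    record = {key: value.strip('"') for key, value in _FIELD.findall(line)}
    record["perms"] = [p for p in re.split(r"[,\s]+", match.group(1)) if p]
    return record


def context_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def classify(record):
    """Return ('mislabel', expected_type) when the target still carries the
    generic var_log_t although a specific type is expected, else
    ('other', None). The record only holds the file's basename, so the
    var_log_t target type is what ties it to /var/log."""
    actual = context_type(record.get("tcontext", ""))
    expected = EXPECTED_TYPES.get(record.get("name"))
    if expected is not None and actual == "var_log_t":
        return ("mislabel", expected)
    return ("other", None)
```

A `mislabel` result means the remedy is relabeling, as in comment 1, not a new allow rule for `useradd_t`.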

Comment 3 Zack Cerza 2007-04-27 21:08:45 UTC
Looks like this isn't fixed. Dan, should new bugs be filed for the other two
files mentioned in comment #2?

Comment 4 Daniel Walsh 2007-04-28 13:13:42 UTC
Anaconda was supposed to fix up the /var/log directory when it finished the
install.  Pete did that code get removed?

Comment 5 Jeremy Katz 2007-04-30 19:07:07 UTC
(In reply to comment #4)
> Anaconda was supposed to fix up the /var/log directory when it finished the
> install.  Pete did that code get removed?

We've never labeled all of /var/log; /var/log/faillog should get the right label
when it's installed as part of the pam package.  I'd really like to see the
/root/install.log and /var/log/anaconda.log of the system instead of just
papering over more of this stuff

Comment 6 Zack Cerza 2007-04-30 19:12:09 UTC
Created attachment 153812 [details]
anaconda.log

Oddly enough, there is no /root/install.log.

This system was installed via Live USB of Test 3.

Comment 7 Gilles Detillieux 2007-04-30 19:32:48 UTC
Created attachment 153813 [details]
/root/install.log from Fedora 7 Test 4 installation

Comment 8 Gilles Detillieux 2007-04-30 19:35:04 UTC
Created attachment 153814 [details]
/var/log/anaconda.log from Fedora 7 Test 4 installation

I can also provide the corresponding syslogs if you need them too.

Comment 9 Jeremy Katz 2007-04-30 21:41:59 UTC
Zack -- for the live CD case, things look right with test4 and beyond (there was
something a little hurky there with test3)

(In reply to comment #2)
> I just installed Fedora 7 Test 4 (6.93), and I got a similar avc error to the
> one above.  For me, it happened when I did a "yum install caching-nameserver". 
> Yum installed "bind" as a dependency, and bind's preinstall script did a useradd
> to create the "named" user ID.  That triggered the error when trying to access
> faillog.  The restorecon command above reset the context for /var/log/faillog,
> /var/log/tallylog 

These two are both part of the pam package and created with install in the %post
script.  Dan -- I thought that install was supposed to dtrt with setting SELinux
contexts?  If not, then the pam %post needs to be setting the context also.

> and /var/log/yum.log.  They were all var_log_t, and were
> changed to faillog_t for the first two, and rpm_log_t for yum.log.

/var/log/yum.log isn't included in a package and just gets created at runtime. 
It sounds like a potentially missing transition rule from var_log_t to rpm_log_t
for things running in rpm_exec_t?

Comment 10 Jeremy Katz 2007-05-01 12:14:47 UTC
*** Bug 238474 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2007-05-01 12:18:17 UTC
No, the problem is that the selinux-policy-targeted is not installed before pam.
So when pam does the install command the file_context file does not exist so
the faillog and tallylog files get created with the default context var_log_t.
So our options are to make pam rely on a particular version of selinux-policy or
have anaconda fix the labeling in its post.

Comment 12 Gilles Detillieux 2007-05-01 15:06:46 UTC
I'm guessing that making pam rely on a particular version of selinux-policy
could potentially lead to other problems.  I'm also wondering why this isn't a
problem with other packages.  In my install.log, selinux-policy-targeted is on
line 551 of 750 lines, so almost 3/4 of the packages are installed before the
policy is in place.  Is there no way of telling anaconda to install the selinux
packages, if they're selected, before other packages, without making the other
packages dependent on selinux if you choose to do without it?  Fixing things up
at the end would work too, but should this be limited to /var/log, or are there
potentially a whole lot of other files that will need fixing too?  Should I run
"restorecon -R -v /" and attach the output?

Comment 13 Jeremy Katz 2007-05-02 21:18:53 UTC
After talking with dwalsh yesterday, adding /var/log for now, but that's only a
temporary fix and for F8, we really need to get back to putting policy with the
packages instead of the monolithic blob we have today.