Bug 433171

Summary: SELinux is preventing python (unconfined_t) "transition" to /bin/bash (rpm_script_t).
Product: Fedora
Reporter: Tim McConnell <timothy.mcconnell>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 7
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-02-26 21:44:21 UTC

Description Tim McConnell 2008-02-17 06:15:28 UTC
Description of problem:
SELinux denied access requested by python. It is not expected that this
access is required by python and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of
the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
selinux-policy-strict-2.6.4-70.fc7
selinux-doc-1.26-1.1
selinux-policy-mls-2.6.4-70.fc7
selinux-policy-2.6.4-70.fc7
selinux-policy-devel-2.6.4-70.fc7
selinux-policy-targeted-2.6.4-70.fc7


How reproducible:
attempt to run yum update

Steps to Reproduce:
1. yum -y update 
2. yum updates but SE Troubleshooter throws a warning 
3. view message from SE Troubleshooter
  
Actual results: Receive warnings from SE Troubleshooter when trying to update
the system.

Expected results: No nasty grams.


Additional info:
Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:unconfined_t
Target Context                system_u:system_r:rpm_script_t
Target Objects                /bin/bash [ process ]
Affected RPM Packages         bash-3.2-20.fc7 [target]
Policy RPM                    selinux-policy-2.6.4-70.fc7
Selinux Enabled               True
Policy Type                   seedit
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     timmieland.private
Platform                      Linux timmieland.private 2.6.23.14-64.fc7 #1 SMP
                              Sun Jan 20 23:54:08 EST 2008 i686 athlon
Alert Count                   37
First Seen                    Sat 16 Feb 2008 03:50:46 PM MST
Last Seen                     Sat 16 Feb 2008 10:59:32 PM MST
Local ID                      a06ba4c7-a5de-4e93-88fd-ab92f0e56498
Line Numbers                  

Raw Audit Messages            

avc: denied { transition } for comm="python" dev=dm-0 path="/bin/bash" pid=4144
scontext=system_u:system_r:unconfined_t:s0 tclass=process
tcontext=system_u:system_r:rpm_script_t:s0

Comment 1 Daniel Walsh 2008-02-18 17:15:42 UTC
This looks like yum is not labeled rpm_exec_t, which it should be in this policy.

ls -lZ PATHTOYUM

restorecon PATHTOYUM 

should fix.

Comment 2 Tim McConnell 2008-02-18 23:47:37 UTC
(In reply to comment #1)
> This looks like yum is not labeled rpm_exec_t, which it should be in this policy.
> 
> ls -lZ PATHTOYUM
> 
> restorecon PATHTOYUM 
> 
> should fix.

Hmm, if I run locate rpm_exec_t it returns nothing. Let me force a relabel
(again) and see if anything changes for this and all the other bugs.

Comment 3 Josef Kubin 2008-02-19 12:56:19 UTC
$ man locate

NAME
       locate - find files by name
...

You probably wanted to use:
$ ls -RZ / | grep rpm_exec_t

for example
$ ls -Z /usr/bin/yum
-rwxr-xr-x  root root system_u:object_r:rpm_exec_t:s0  /usr/bin/yum

If you see different results, your labels are probably in the wrong condition;
try relabeling as Dan pointed out:
# fixfiles relabel
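Added here as a scripted form of the check described in comments 1 and 3 (example code, not from the bug report or from Fedora): it pulls the SELinux type out of an `ls -Z` line and out of the raw AVC message quoted above, and flags a file whose label differs from the expected rpm_exec_t. The sample lines are constructed from the ones quoted in this bug; the bin_t line is a made-up mislabel.

```shell
#!/bin/sh
# Added example, not part of the bug report. Sample lines are constructed
# from the ones quoted in this bug; BAD_LINE is a made-up wrong label.

# Third field of a context such as system_u:object_r:rpm_exec_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type of the file in one `ls -Z` output line. The context is the only
# field of the form user:role:type[:level], so column layout does not matter.
ls_z_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z_]+:[a-z_]+:[a-z_]+/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# Type named by scontext= or tcontext= in a raw avc: line ($2 selects which).
avc_type() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p" | cut -d: -f3
}

# Compare a file's label against the expected type and print the fix if it
# differs. Returns 0 when the label is right, 1 when restorecon is needed.
check_label() {
    path=$(printf '%s\n' "$1" | awk '{ print $NF }')
    actual=$(ls_z_type "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $path is $2"
        return 0
    fi
    echo "mislabeled: $path is $actual, expected $2 (run: restorecon -v $path)"
    return 1
}

GOOD_LINE='-rwxr-xr-x  root root system_u:object_r:rpm_exec_t:s0  /usr/bin/yum'
BAD_LINE='-rwxr-xr-x  root root system_u:object_r:bin_t:s0  /usr/bin/yum'
AVC_LINE='avc: denied { transition } for comm="python" dev=dm-0 path="/bin/bash" pid=4144 scontext=system_u:system_r:unconfined_t:s0 tclass=process tcontext=system_u:system_r:rpm_script_t:s0'

# The denial in this bug: an unconfined_t process tried to transition to
# rpm_script_t via /bin/bash; comment 1 attributes it to yum lacking rpm_exec_t.
echo "denied transition: $(avc_type "$AVC_LINE" scontext) -> $(avc_type "$AVC_LINE" tcontext)"
check_label "$GOOD_LINE" rpm_exec_t
check_label "$BAD_LINE" rpm_exec_t || true
```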