Bug 458328

Summary: SELinux preventing Tripwire agent "push" upgrade
Product: Red Hat Enterprise Linux 5
Reporter: Ray <rpesek>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA
Severity: low
Priority: medium
Version: 5.2
CC: dwalsh
Target Milestone: rc
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-09-08 19:59:12 UTC

Description Ray 2008-08-07 16:28:25 UTC
Description of problem:
Tripwire Enterprise v7.1 allows "push" upgrades of the remote agents installed on servers. When an agent upgrade is attempted, SELinux blocks the upgrade.

Version-Release number of selected component (if applicable):
Tripwire Agent Version: 7.1.0.552

How reproducible:
Attempt a push upgrade. The upgrade fails. The following error message is generated when you search on the SELinux alert number:

Summary:

SELinux is preventing rpm (java_t) "transition" to /bin/bash (rpm_script_t).

Detailed Description:

SELinux denied access requested by rpm. It is not expected that this access is
required by rpm and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:java_t
Target Context                system_u:system_r:rpm_script_t
Target Objects                /bin/bash [ process ]
Source                        rpm
Source Path                   /bin/rpm
Port                          <Unknown>
Host                          (server name deleted)
Source RPM Packages           rpm-4.4.2-48.el5
Target RPM Packages           bash-3.2-21.el5
Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     scorpius.thirdfed.thirdfederal.local
Platform                      Linux scorpius.thirdfed.thirdfederal.local
                              2.6.18-92.1.10.el5 #1 SMP Wed Jul 23 03:55:54 EDT
                              2008 i686 i686
Alert Count                   1
First Seen                    Thu Aug  7 11:31:33 2008
Last Seen                     Thu Aug  7 11:31:33 2008
Local ID                      6d9c3dcc-c980-46c0-bb2e-97f88f7fddd9
Line Numbers                  

Raw Audit Messages            

host=scorpius.thirdfed.thirdfederal.local type=AVC msg=audit(1218123093.80:491): avc:  denied  { transition } for  pid=1594 comm="rpm" path="/bin/bash" dev=cciss/c0d0p10 ino=8511461 scontext=system_u:system_r:java_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process

host=scorpius.thirdfed.thirdfederal.local type=SYSCALL msg=audit(1218123093.80:491): arch=40000003 syscall=11 per=400000 success=no exit=-13 a0=8adeb05 a1=bfb88d00 a2=8aa9c88 a3=0 items=0 ppid=1593 pid=1594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/bin/rpm" subj=system_u:system_r:java_t:s0 key=(null)


Additional info:
I opened a support case with Tripwire but haven't heard anything yet.

Comment 1 Daniel Walsh 2008-08-08 14:20:09 UTC
Why is the shell running as java_t?  Is java involved somewhere here or are you running on a badly labeled machine?

What does

> id -Z

Show.  It should show unconfined_t not java_t.
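The two raw audit records in the report carry everything needed to answer Daniel's question and to see what a local policy module would have to allow. The following is an added example, not part of the bug report or of any Tripwire or Red Hat code: a small Python parser that takes the report's own AVC and SYSCALL lines (plus one constructed multi-permission line, labelled as such), pulls out the source type, target type, object class and permissions, maps the SYSCALL `exit=` value to its errno name, and prints the `allow` rule that audit2allow would derive. The type `rpm_var_lib_t` in the constructed line is only an illustration.

```python
"""Parse AVC/SYSCALL audit records and derive the allow rule audit2allow would emit.

Added example for the bug above; not part of the report.  The first two sample
records are copied from the report, the third is constructed for illustration.
"""
import errno
import re
from dataclasses import dataclass

# Raw audit messages exactly as they appear in the bug report.
AVC_FROM_REPORT = (
    'host=scorpius.thirdfed.thirdfederal.local type=AVC '
    'msg=audit(1218123093.80:491): avc:  denied  { transition } for  pid=1594 '
    'comm="rpm" path="/bin/bash" dev=cciss/c0d0p10 ino=8511461 '
    'scontext=system_u:system_r:java_t:s0 '
    'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process'
)
SYSCALL_FROM_REPORT = (
    'host=scorpius.thirdfed.thirdfederal.local type=SYSCALL '
    'msg=audit(1218123093.80:491): arch=40000003 syscall=11 per=400000 '
    'success=no exit=-13 a0=8adeb05 a1=bfb88d00 a2=8aa9c88 a3=0 items=0 '
    'ppid=1593 pid=1594 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpm" exe="/bin/rpm" '
    'subj=system_u:system_r:java_t:s0 key=(null)'
)
# Constructed record (NOT from the report) showing several permissions at once.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1218123100.00:492): avc:  denied  { read write } for  '
    'pid=1600 comm="java" path="/var/lib/rpm/Packages" dev=cciss/c0d0p10 '
    'ino=1 scontext=system_u:system_r:java_t:s0 '
    'tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    verdict: str        # "denied" or "granted"
    perms: list         # permissions inside the braces, e.g. ["transition"]
    tclass: str         # object class, e.g. "process" or "file"
    source_type: str    # type field of scontext, e.g. "java_t"
    target_type: str    # type field of tcontext, e.g. "rpm_script_t"
    fields: dict        # every key=value pair after "for"


def _kv(text):
    """Split 'k=v k="quoted v"' pairs into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """user:role:type[:range] -> type; allow rules are written in terms of types."""
    return context.split(':')[2]


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = _kv(m.group('fields'))
    return AvcRecord(m.group('verdict'), m.group('perms').split(), f['tclass'],
                     _type_of(f['scontext']), _type_of(f['tcontext']), f)


def parse_syscall(line):
    """Return the SYSCALL fields, with success as bool and exit mapped to an errno name."""
    f = _kv(line)
    out = dict(f)
    out['success'] = f.get('success') == 'yes'
    code = int(f.get('exit', '0'))
    out['errno'] = errno.errorcode.get(-code) if code < 0 else None  # -13 -> EACCES
    return out


def allow_rule(rec):
    """The TE rule audit2allow would derive for this denial."""
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f'allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};'


def summarize(rec, syscall=None):
    """One-line human reading of the denial, optionally with the syscall result."""
    obj = rec.fields.get('path') or rec.fields.get('name') or rec.target_type
    text = (f"{rec.fields.get('comm')} (pid {rec.fields.get('pid')}) running as "
            f"{rec.source_type} was {rec.verdict} {' '.join(rec.perms)} on "
            f"{rec.tclass} {obj} ({rec.target_type})")
    if syscall and syscall.get('errno'):
        text += f"; syscall returned {syscall['errno']}"
    return text


if __name__ == '__main__':
    rec = parse_avc(AVC_FROM_REPORT)
    sc = parse_syscall(SYSCALL_FROM_REPORT)
    print(summarize(rec, sc))
    print(allow_rule(rec))
    print(allow_rule(parse_avc(AVC_CONSTRUCTED)))
```

For the report's records this yields `allow java_t rpm_script_t:process transition;`, which is exactly what a local module built per the FAQ link would contain. Before shipping such a rule, do what Daniel asks first: `id -Z` in the session that runs the upgrade, and `ps -eZ | grep -E 'rpm|java'` while it runs, to confirm the agent really executes rpm from `java_t`. A rule that lets `java_t` enter `rpm_script_t` applies to every Java process on the box, not just the Tripwire agent, so fixing the labelling or the launch path is the narrower remedy.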