Bug 460733
Summary: | Cannot execute locally installed daemon (pysieved) from stunnel (permission denied) | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | John W. Linville <linville> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.2 | CC: | mkoci, mmalik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2009-01-20 21:30:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | |
Description
John W. Linville
2008-08-30 15:21:22 UTC
Forgot the contents of /etc/stunnel/sieves.conf:

```
cert = /etc/pki/tls/certs/sieves.pem
key = /etc/pki/tls/private/sieves.pem
exec = /usr/local/lib/pysieved/pysieved.py
execargs = /usr/local/lib/pysieved/pysieved.py --inetd
```

Does

```
# restorecon -R -v /usr/local
```

fix the problem?

No, sorry...

```
[root@charlotte ~]# restorecon -R -v /usr/local/
[root@charlotte ~]# tail -f /var/log/audit/audit.log | grep stunn
type=AVC msg=audit(1220387571.412:94093): avc: denied { execute_no_trans } for pid=5388 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220387571.412:94093): arch=40000003 syscall=11 success=no exit=-13 a0=8dad078 a1=8dad0e0 a2=bfd74b90 a3=bfd73a00 items=0 ppid=5386 pid=5388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
```

(Changed the name of the .py file for administrative reasons, otherwise it is the same as when I opened the bug...)

Does

```
# chcon -R -t bin_t /usr/local/lib/pysieved
```

fix the problem? You can make this permanent by executing

```
# semanage fcontext -a -t bin_t '/usr/local/lib/pysieved(/.*)?'
```

If this works I can add this labeling to the policy package.

Doesn't like that one either...

```
[root@charlotte ~]# chcon -R -t bin_t /usr/local/lib/pysieved/
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220450311.221:97676): avc: denied { search } for pid=20837 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450311.221:97676): arch=40000003 syscall=11 success=no exit=-13 a0=8732078 a1=87320e0 a2=bf80b630 a3=bf80a4a0 items=0 ppid=20835 pid=20837 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
```

And just for verification, I repeated w/ "setenforce 0" and the connection was fine:

```
[root@charlotte ~]# setenforce 0
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220450863.000:97729): avc: denied { search } for pid=21204 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute } for pid=21204 comm="stunnel" name="pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute_no_trans } for pid=21204 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { read } for pid=21204 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { read } for pid=21204 comm="stunnel" name="env" dev=dm-0 ino=4170776 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute } for pid=21204 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc: denied { read } for pid=21204 comm="stunnel" path="/bin/env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.000:97729): arch=40000003 syscall=11 success=yes exit=0 a0=9267080 a1=92670e8 a2=bfe28140 a3=bfe26fb0 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.002:97730): avc: denied { search } for pid=21204 comm="pysieved-stunne" name="sbin" dev=dm-0 ino=7766017 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450863.002:97730): arch=40000003 syscall=11 success=no exit=-2 a0=bfb10f98 a1=bfb110d8 a2=bfb110e8 a3=bfb11f3c items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.002:97731): avc: denied { execute_no_trans } for pid=21204 comm="pysieved-stunne" path="/usr/bin/python" dev=dm-0 ino=4168607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.002:97731): arch=40000003 syscall=11 success=yes exit=0 a0=bfb10f95 a1=bfb110d8 a2=bfb110e8 a3=bfb11f51 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.004:97732): avc: denied { getattr } for pid=21204 comm="python" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.004:97732): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfbb9874 a2=b5aff4 a3=0 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.005:97733): avc: denied { getattr } for pid=21204 comm="python" path="/usr/bin/python" dev=dm-0 ino=4168607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.005:97733): arch=40000003 syscall=195 success=yes exit=0 a0=cc0400 a1=bfbb8a84 a2=b5aff4 a3=4 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.021:97734): avc: denied { getattr } for pid=21204 comm="python" path="/usr/local/lib/pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450863.021:97734): arch=40000003 syscall=196 success=yes exit=0 a0=8f42c48 a1=bfbb9748 a2=b5aff4 a3=bfbb9ef3 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.021:97735): avc: denied { ioctl } for pid=21204 comm="python" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.021:97735): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb9738 a3=bfbb9778 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.146:97736): avc: denied { search } for pid=21204 comm="python" name="dovecot" dev=dm-0 ino=6751028 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=dir
type=AVC msg=audit(1220450863.146:97736): avc: denied { dac_override } for pid=21204 comm="python" capability=1 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1220450863.146:97736): avc: denied { write } for pid=21204 comm="python" name="auth-client" dev=dm-0 ino=6751100 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220450863.146:97736): avc: denied { connectto } for pid=21204 comm="python" path="/var/run/dovecot/auth-client" scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1220450863.146:97736): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfbb75c0 a2=352118 a3=b7efff38 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
```

(The dovecot bits are there because pysieved talks to dovecot for some auth- and user-related services...)

Hth! Thanks!

Does

```
# chcon -R -t inetd_child_exec_t /usr/local/lib/pysieved
```

fix the problem? You can make this permanent by executing

```
# semanage fcontext -a -t inetd_child_exec_t '/usr/local/lib/pysieved(/.*)?'
```

If this works I can add this labeling to the policy package.

Lather, rinse,... :-)

```
[root@charlotte ~]# chcon -R -t inetd_child_exec_t /usr/local/lib/pysieved
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220464253.175:98232): avc: denied { search } for pid=25210 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inetd_child_exec_t:s0 tclass=dir
type=SYSCALL msg=audit(1220464253.175:98232): arch=40000003 syscall=11 success=no exit=-13 a0=9a75078 a1=9a750e0 a2=bfff1e10 a3=bfff0c80 items=0 ppid=25208 pid=25210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
```

Ok this should work

```
# restorecon -R -v /usr/local/lib/pysieved
# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved.py
```

Fixed in selinux-policy-2.4.6-152.el5

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Hmmm...do I need the updated selinux-policy package for that to work?

```
[root@charlotte ~]# restorecon -R -v /usr/local/lib/pysieved/
restorecon reset /usr/local/lib/pysieved/pysieved.py context system_u:object_r:inetd_child_exec_t:s0->system_u:object_r:lib_t:s0
[root@charlotte ~]# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved.py
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220467354.839:98380): avc: denied { execute_no_trans } for pid=26443 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220467354.839:98380): arch=40000003 syscall=11 success=no exit=-13 a0=892c078 a1=892c0e0 a2=bf959f80 a3=bf958df0 items=0 ppid=26441 pid=26443 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
```

Sets its context to inetd_child_exec_t also

```
chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved-stunnel.py
```

Ah, I tricked myself with the pysieved-stunnel.py name. Oh well, that does look (incomprehensibly) different! :-)

```
[root@charlotte ~]# restorecon -R -v /usr/local/
[root@charlotte ~]# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved-stunnel.py
[root@charlotte ~]# tail -f /var/log/audit/audit.log
type=AVC msg=audit(1220483897.055:98876): avc: denied { search } for pid=30672 comm="stunnel" name="bin" dev=dm-0 ino=4161546 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220483897.055:98876): arch=40000003 syscall=11 success=no exit=-13 a0=8b8e078 a1=8b8e0e0 a2=bfd5ab80 a3=bfd599f0 items=0 ppid=30670 pid=30672 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
```

As requested offline, the audit.log entries I get now w/ setenforce 0:

```
type=AVC msg=audit(1220539210.157:100337): avc: denied { search } for pid=9957 comm="stunnel" name="bin" dev=dm-0 ino=4161546 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220539210.157:100337): avc: denied { read } for pid=9957 comm="stunnel" name="env" dev=dm-0 ino=4170776 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1220539210.157:100337): avc: denied { execute } for pid=9957 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220539210.157:100337): avc: denied { read } for pid=9957 comm="stunnel" path="/bin/env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220539210.157:100337): arch=40000003 syscall=11 success=yes exit=0 a0=9419080 a1=94190e8 a2=bf848920 a3=bf847790 items=0 ppid=9955 pid=9957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:inetd_child_t:s0-s0:c0.c1023 key=(null)
```

ps -eZ | grep pysieved gives nothing. ps -eZ | grep python gives this:

```
[root@charlotte ~]# ps -eZ | grep python
user_u:system_r:inetd_child_t:SystemLow-SystemHigh 10120 ?        00:00:00 python
```

Fixed in selinux-policy-2.4.6-153.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
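An added example, not code from this bug or from the selinux-policy package: it parses AVC and SYSCALL records like the ones quoted above into the (source type, permission, target type, class) tuples the thread reasons about, and separates real enforcing-mode blocks from the permissive-mode entries seen after `setenforce 0`. The sample records are abridged copies of lines in this bug, and all function names are my own.

```python
import re
from collections import Counter

# Constructed sample (abridged from records quoted in this bug): an enforcing-mode denial,
# then a permissive-mode event where the AVC still says "denied" but the SYSCALL succeeded.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1220387571.412:94093): avc: denied { execute_no_trans } for pid=5388 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220387571.412:94093): arch=40000003 syscall=11 success=no exit=-13 pid=5388 comm="stunnel" exe="/usr/sbin/stunnel"
type=AVC msg=audit(1220450863.000:97729): avc: denied { search } for pid=21204 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220450863.000:97729): avc: denied { execute } for pid=21204 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.000:97729): arch=40000003 syscall=11 success=yes exit=0 pid=21204 comm="pysieved-stunne" exe="/bin/env"
"""
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?\bsuccess=(?P<success>yes|no)')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value pairs, value optionally quoted

def context_type(ctx):  # a context is user:role:type[:range]; policy rules key on the type
    return ctx.split(':')[2]

def parse_avc(line):
    """Return the parts of one AVC record that matter for triage, or None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: inner if v.startswith('"') else v for k, v, inner in FIELD_RE.findall(m.group('rest'))}
    return {'event': m.group('event'), 'perms': m.group('perms').split(), 'comm': fields.get('comm'),
            'object': fields.get('path') or fields.get('name'),
            'source_type': context_type(fields['scontext']),
            'target_type': context_type(fields['tcontext']), 'tclass': fields['tclass']}

def parse_audit_log(text):
    """Group AVC records by audit event id and attach that event's SYSCALL outcome.
    Under setenforce 0 the AVCs still read 'denied' but success=yes; only success=no was really blocked."""
    events = {}
    for line in text.splitlines():
        avc, sc = parse_avc(line), SYSCALL_RE.match(line.strip())
        if avc:
            events.setdefault(avc['event'], {'denials': [], 'success': None})['denials'].append(avc)
        elif sc:
            events.setdefault(sc.group('event'), {'denials': [], 'success': None})['success'] = sc.group('success')
    return events

def denial_summary(events):
    """Count distinct (source type, perms, target type, class) tuples; stunnel_t execute_no_trans on
    lib_t says the script carries a library label, which chcon/semanage fcontext can correct."""
    return Counter((d['source_type'], ' '.join(d['perms']), d['target_type'], d['tclass'])
                   for ev in events.values() for d in ev['denials'])

def blocked_events(events):
    """Event ids whose syscall actually failed, i.e. denials that bit in enforcing mode."""
    return sorted(e for e, ev in events.items() if ev['denials'] and ev['success'] == 'no')
```

Feed it the output of `grep -E '^type=(AVC|SYSCALL)' /var/log/audit/audit.log` to get the same grouping for a live system; the summary tuples are what decide between relabeling the file and needing a policy change like the one shipped in this erratum.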