Bug 478540

Summary: selinux-policy-3.5.13-34.fc10 prevents installation of trustDesk basic
Product: [Fedora] Fedora Reporter: Franz M. Safar <fmsafar>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 10CC: dwalsh, fmsafar, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-18 09:49:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Franz M. Safar 2008-12-31 17:13:10 UTC 
Description of problem:


Zusammenfassung:

SELinux hindert cardaccess (java_t) "execmod" am Zugriff auf
/usr/local/bin/tdb-release/cardaccess.Lin/w-form.so (lib_t).

Detaillierte Beschreibung:

SELinux verweigerte den von cardaccess angeforderten Zugriff. Da nicht davon
ausgegangen wird, dass dieser Zugriff von cardaccess benötigt wird,
signalisiert dies möglicherweise einen Einbruchsversuch. Es ist ausserdem
möglich, dass diese spezielle Version oder Konfiguration der Anwendung den
zusätzlichen Zugriff verursacht.

Zugriff erlauben:

Gelegentlich führen Probleme mit der Bezeichnung zu SELinux-Verweigerungen. Sie
können versuchen, den standardmässigen Systemdatei-Kontext für
/usr/local/bin/tdb-release/cardaccess.Lin/w-form.so wiederherzustellen.

restorecon -v '/usr/local/bin/tdb-release/cardaccess.Lin/w-form.so'

Derzeit existiert keine Möglichkeit, diesen Zugriff zu automatisieren.
Alternativ können Sie eine lokales Richtlinien-Modul erstellen, um diesen
Zugriff zu gewähren - werfen Sie einen Blick auf FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) - Sie können auch
den SELinux-Schutz für diese Anwendung komplett deaktivieren. Davon wird jedoch
abgeraten! Bitte reichen Sie einen Fehlerbericht
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) für dieses Paket ein.

Zusätzliche Informationen:

Quellkontext                  unconfined_u:unconfined_r:java_t:s0
Zielkontext                   system_u:object_r:lib_t:s0
Zielobjekte                   /usr/local/bin/tdb-
                              release/cardaccess.Lin/w-form.so [ file ]
Quelle                        cardaccess
Quellen-Pfad                  /usr/local/bin/tdb-
                              release/cardaccess.Lin/cardaccess
Port                          <Unbekannt>
Host                          fmsRflx.FMSNET
Quellen-RPM-Pakete            
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.5.13-34.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   catchall_file
Hostname                      fmsRflx.FMSNET
Plattform                     Linux fmsRflx.FMSNET 2.6.27.9-159.fc10.i686 #1 SMP
                              Tue Dec 16 15:12:04 EST 2008 i686 i686
Anzahl der Alarme             4
Zuerst gesehen                Mi 31 Dez 2008 16:48:15 CET
Zuletzt gesehen               Mi 31 Dez 2008 17:03:16 CET
Lokale ID                     58cb9c78-aee1-4a94-8a61-8f5ff2195c2b
Zeilennummern                 

Raw-Audit-Meldungen           

node=fmsRflx.FMSNET type=AVC msg=audit(1230739396.702:118): avc:  denied  { execmod } for  pid=6451 comm="cardaccess" path="/usr/local/bin/tdb-release/cardaccess.Lin/w-form.so" dev=dm-0 ino=1163796 scontext=unconfined_u:unconfined_r:java_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=fmsRflx.FMSNET type=SYSCALL msg=audit(1230739396.702:118): arch=40000003 syscall=125 success=no exit=-13 a0=314000 a1=59000 a2=5 a3=bfd00ab0 items=0 ppid=6372 pid=6451 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cardaccess" exe="/usr/local/bin/tdb-release/cardaccess.Lin/cardaccess" subj=unconfined_u:unconfined_r:java_t:s0 key=(null)


Version-Release number of selected component (if applicable):


How reproducible:

1. download and unpack trustDesk basic binary from http://www.itsolution.at/support/signatur-software-download/trustdesc-basic/linux.html (32bit without Java VM).

2. call setup.sh (http://www.itsolution.at/support/signatur-software-download/trustdesc-basic/linux.html)


  
Actual results:
SELinux prevents installation

Expected results:


Additional info:
Comment 1 Franz M. Safar 2008-12-31 17:17:32 UTC 
for Step 2.) I paisted the wrong command. 
It was: "su -c /usr/local/bin/tdb-release/setup.sh"
Comment 2 Daniel Walsh 2009-01-04 18:54:16 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-38.fc10
Comment 3 Bug Zapper 2009-11-18 09:43:16 UTC 
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping