Bug 491749
| Summary: | init script starting part fails due to selinux policy disallowing transition initrc_t -> unconfined_t | ||
|---|---|---|---|
| Product: | [Retired] 389 | Reporter: | lejeczek <peljasz> |
| Component: | Admin | Assignee: | Rich Megginson <rmeggins> |
| Status: | CLOSED DUPLICATE | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 7.1 | CC: | benl, dwalsh, jkubin, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-03-30 18:06:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 249650 | ||
selinux-policy-targeted-3.3.1-126.fc9.noarch

This is custom policy and would need to be written by you. Not sure what you are trying to do, but you could set a script as httpd_unconfined_script_exec_t or just add the rules you require using audit2allow.

hello there,
it is - service dirsrv-admin start - that fails raising these errors
have checked fcontext for initscript - ok, as policy applies its rules that prevent the transition I speak of in the bug title
it all works (starting dirsrv-admin using the same syntax) if only not invoked by "service ..." but from the console line
when run from initscript, selinux source domain is: initrc_t:s0
$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"
Source Context: unconfined_u:system_r:initrc_t:s0
Target Context: unconfined_u:system_r:unconfined_t:s0
Target Objects: /usr/sbin/httpd.worker [ process ]
Source: runcon
Source Path: /usr/bin/runcon
when run from console, selinux source domain is unconfined, right? and below works
runcon -t unconfined_t -- /usr/sbin/httpd.worker -DOmitDeflate -k start -f /etc/dirsrv/admin-serv/httpd.conf
so there is nothing custom about it, hope I'm being less vague this time, apologies
cheers

So you are saying this is in the init script? This is wrong, the init script should not be executing runcon and unconfined_t should never be run as a service, this is a user type.

yes - for me it's the init script, nothing custom - nothing in scripts, nothing in policy
that is why I think of it as a bug - I believe policy is having broken rules
Source Context unconfined_u:system_r:initrc_t:s0
Target Context unconfined_u:system_r:unconfined_t:s0
Target Objects /usr/sbin/httpd.worker [ process ]
Source runcon
Source Path /usr/bin/runcon
Port <Unknown>
Host pawellap
Source RPM Packages coreutils-6.10-35.fc9
Target RPM Packages httpd-2.2.9-1.fc9
Policy RPM selinux-policy-3.3.1-127.fc9
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name pawellap
Platform Linux pawellap 2.6.27.19-78.2.30.fc9.x86_64 #1 SMP
Tue Feb 24 19:44:45 EST 2009 x86_64 x86_64
Alert Count 11
First Seen Tue Mar 17 09:26:40 2009
Last Seen Sat Mar 28 13:50:22 2009
Local ID 11b80595-eae8-4204-8e6b-cf58388f21ba
Line Numbers
Raw Audit Messages
node=pawellap type=AVC msg=audit(1238248222.119:3413): avc: denied { transition } for pid=10321 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process
node=pawellap type=SYSCALL msg=audit(1238248222.119:3413): arch=c000003e syscall=59 success=no exit=-13 a0=7fffc4f89e96 a1=7fffc4f88c48 a2=7fffc4f88c78 a3=7fffc4f88860 items=0 ppid=10311 pid=10321 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)
/etc/rc.d/init.d/dirsrv-admin calls /usr/sbin/start-ds-admin - it's the rpm's
rpms are up to date with today's available ones
cheers
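The setroubleshoot report above is what audit2allow would turn into an allow rule, and the thread's point is that this particular rule must not be added. The following is an added example for this bug page, not code from the 389/Fedora DS project nor from audit2allow or setroubleshoot: it parses the two AVC lines quoted in the report (plus one constructed file denial for contrast), merges them into audit2allow-style rules, and flags any rule that would let a service domain transition into an unconfined user domain. The regular expression, the rule text and the `UNCONFINED_DOMAINS` set are this example's own assumptions.

```python
"""Turn SELinux AVC denials into audit2allow-style rules and flag the
ones that should be fixed in the caller rather than in policy.

Added example for this bug thread; not project code. The first two audit
records are copied from the report, the third is constructed.
"""
import re

AVC_LINES = [
    # Copied from the bug report.
    'node=pawellap type=AVC msg=audit(1238248222.119:3413): avc: denied { transition } for pid=10321 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process',
    'node=pawellap type=AVC msg=audit(1237837361.126:2098): avc: denied { transition } for pid=7371 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process',
    # Constructed sample (not from the report): an ordinary file denial.
    'node=pawellap type=AVC msg=audit(1238248222.500:3414): avc: denied { read } for pid=10322 comm="httpd.worker" name="httpd.conf" dev=sda3 ino=123 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

# Assumption: domains meant for interactive users only. A service domain
# asking to transition into one of these is a script bug (runcon in an
# init script, as in this report), not a missing allow rule.
UNCONFINED_DOMAINS = {"unconfined_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)\s*"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = m.group("fields")
    comm = re.search(r'comm="([^"]*)"', fields)
    path = re.search(r'path="([^"]*)"', fields)
    return {
        "perms": m.group("perms").split(),
        "comm": comm.group(1) if comm else None,
        "path": path.group(1) if path else None,
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def analyze(lines):
    """Merge denials into allow rules and judge each one.

    Rules are keyed on (source type, target type, class) so repeated
    denials collapse into one rule holding the union of permissions,
    the way audit2allow summarises a log. Braces are kept even for a
    single permission so the output is uniform.
    """
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])

    results = []
    for (src, tgt, cls), perms in merged.items():
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        unsafe = cls == "process" and "transition" in perms and tgt in UNCONFINED_DOMAINS
        if unsafe:
            reason = ("grants a service domain entry into an unconfined user domain; "
                      "fix the caller (drop runcon, give the service its own domain "
                      "and transition) instead of adding this rule")
        else:
            reason = "ordinary denial; review before adding it to a local policy module"
        results.append({"rule": rule, "unsafe": unsafe, "reason": reason})
    return results


if __name__ == "__main__":
    for r in analyze(AVC_LINES):
        print(("UNSAFE " if r["unsafe"] else "ok     ") + r["rule"])
        print("       " + r["reason"])
```

Run as a script it prints one flagged rule for the `initrc_t -> unconfined_t` transition and one unflagged rule for the constructed file denial. The flag is the check a practitioner wants before pasting audit2allow output into a policy module: a rule that merely makes the denial go away here would re-enable exactly the transition the policy maintainers removed on purpose.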
Is this issue related to https://bugzilla.redhat.com/show_bug.cgi?id=442228 ?

Yes, do not run runcon in an init script. runcon is a testing tool or perhaps can be used by mls people, but we can set up proper rules and transitions to make initrc work correctly. But we need to get back to the original problem you were trying to fix.

problem is that when I (or at boot time) invoke: service dirsrv-admin start - I get denials as in my last comment (and there is nothing changed by me in scripts nor in policy, all as rpms installed it)
I initially submitted this bug in Fedora DS - not much of a reply I got - therefore put it here
what more I found, these scripts:
/usr/sbin/start-ds-admin
/etc/init.d/dirsrv-admin
are exact same files on both f9 and f10 (both with latest rpms)
what else I see is that f10 has this:
allow initrc_t unconfined_t : process { transition sigchld }
and f9 has it not
I can remember that I was! working on f9, my guess - there's been a change in policy, I cannot remember when I applied these updates
apologies, in last comment - I was! working = it was working, and I refer to f10 for this obvious reason - it is working in f10 while, as I mentioned, scripts are the same

Yes, two things will break here: initrc_t is no longer allowed to transition to unconfined_t, and RBAC can and will start to break this. Finally, by using runcon within a script you will break on any non-targeted system or any system that plans on running without unconfined.pp being installed. I.e., Fedora Directory Server will not be allowed to run in secure environments.

We are working on adding the patches from https://bugzilla.redhat.com/show_bug.cgi?id=442228 to Fedora Directory Server.

I believe if we implement the selinux policy specified in 442228, that will solve this problem, since we won't be using runcon -t unconfined_t anymore. Agreed? If so, I'm going to close this bug as a duplicate of 442228.

yes, fine with me
it's just a bit peculiar that f10, which is the natural successor to f9, does not receive these changes in policy around the same time.

*** This bug has been marked as a duplicate of bug 442228 ***
Description of problem:

Version-Release number of selected component (if applicable):
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-base-devel-1.1.3-2.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-base-1.1.3-2.fc9.x86_64
fedora-ds-console-1.1.2-2.fc9.noarch

How reproducible:
service dirsrv-admin start

Steps to Reproduce:
1.
2.
3.

Actual results:
node=pawellap type=AVC msg=audit(1237837361.126:2098): avc: denied { transition } for pid=7371 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process
node=pawellap type=SYSCALL msg=audit(1237837361.126:2098): arch=c000003e syscall=59 success=no exit=-13 a0=7fff5e0f2e96 a1=7fff5e0f0db8 a2=7fff5e0f0de8 a3=7fff5e0f09d0 items=0 ppid=7361 pid=7371 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Expected results:

Additional info: