Bug 584550

Summary: SELinux is preventing /usr/sbin/prelink "setattr" access .
Product: [Fedora] Fedora
Reporter: Christian Kujau <redhat>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: 13
CC: dwalsh, mgrepl, redhat
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:5563c4ef721151795ca9b0372445e8335c59f027d499214381552437d1157298
Fixed In Version: selinux-policy-3.7.19-6.fc13
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-04-28 03:07:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (description / flags):
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P default / none
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P tmp / none

Description Christian Kujau 2010-04-21 20:27:40 UTC
Summary:

SELinux is preventing /usr/sbin/prelink "setattr" access .

Detailed Description:

[prelink has a permissive type (prelink_t). This access was not denied.]

SELinux denied access requested by prelink. It is not expected that this access
is required by prelink and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                 [ fifo_file ]
Source                        prelink
Source Path                   /usr/sbin/prelink
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           prelink-0.4.3-2.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.2-57.fc13.x86_64 #1 SMP Tue Apr 20 08:57:50 UTC 2010 x86_64 x86_64
Alert Count                   3
First Seen                    Wed 21 Apr 2010 01:19:51 PM PDT
Last Seen                     Wed 21 Apr 2010 01:19:51 PM PDT
Local ID                      f0b22177-e13c-4abd-b975-3bfe1a5d546d
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1271881191.790:23515): avc:  denied  { setattr } for  pid=2737 comm="prelink" name="" dev=pipefs ino=174565 scontext=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file

node=(removed) type=SYSCALL msg=audit(1271881191.790:23515): arch=c000003e syscall=93 success=yes exit=128 a0=1 a1=0 a2=0 a3=2 items=0 ppid=2426 pid=2737 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=1 comm="prelink" exe="/usr/sbin/prelink" subj=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 key=(null)
Hash String generated from  catchall,prelink,prelink_t,unconfined_t,fifo_file,setattr
audit2allow suggests:

#============= prelink_t ==============
allow prelink_t unconfined_t:fifo_file setattr;
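
As an added example, not part of this bug report or of the selinux-policy package: a small Python parser that reads the two raw audit records quoted above, joins the AVC record with the SYSCALL record that shares its serial (23515) to recover the offending executable, and prints the rule audit2allow suggests. It goes a step beyond this single record: it merges the permissions of every denial per (source type, target type, class) the way audit2allow does, and it can emit either the `allow` form shown above or the `dontaudit` form that Comment 8 chose instead. The sample records are the ones from this report; the `permissive=1` field handling is an assumption about the records newer kernels produce, which this 2010 record lacks.

```python
"""Parse raw SELinux AVC audit records and derive the type-enforcement rule
audit2allow would suggest, joining each AVC with its SYSCALL record by serial."""
import re

# Constructed sample input: the two audit records quoted in the bug report
# (the host name was already replaced with "(removed)" in the report itself).
SAMPLE_LOG = [
    'node=(removed) type=AVC msg=audit(1271881191.790:23515): avc:  denied  { setattr } '
    'for  pid=2737 comm="prelink" name="" dev=pipefs ino=174565 '
    'scontext=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file',
    'node=(removed) type=SYSCALL msg=audit(1271881191.790:23515): arch=c000003e syscall=93 '
    'success=yes exit=128 a0=1 a1=0 a2=0 a3=2 items=0 ppid=2426 pid=2737 auid=1002 '
    'uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 '
    'tty=(none) ses=1 comm="prelink" exe="/usr/sbin/prelink" '
    'subj=unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023 key=(null)',
]

# type=AVC msg=audit(<timestamp>:<serial>): <body>
HEADER_RE = re.compile(
    r'type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# avc:  denied  { perm perm } for  key=value ...
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be double-quoted (comm="prelink", name="")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(text):
    """Turn 'k=v k2="v2"' into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(':')[2]


def parse_record(line):
    """Return a dict for an AVC or SYSCALL record, or None for anything else."""
    h = HEADER_RE.search(line)
    if not h:
        return None
    rec = {'type': h.group('type'), 'serial': int(h.group('serial'))}
    if rec['type'] == 'AVC':
        m = AVC_RE.search(h.group('body'))
        if not m:
            return None
        f = parse_fields(m.group('fields'))
        rec.update(
            result=m.group('result'),
            perms=m.group('perms').split(),
            stype=context_type(f['scontext']),
            ttype=context_type(f['tcontext']),
            tclass=f['tclass'],
            comm=f.get('comm'),
            # Assumption: newer kernels append permissive=1 when the source domain is
            # permissive (as prelink_t was here); this 2010 record has no such field.
            permissive=f.get('permissive') == '1',
        )
    elif rec['type'] == 'SYSCALL':
        f = parse_fields(h.group('body'))
        rec.update(exe=f.get('exe'), syscall=f.get('syscall'),
                   success=f.get('success') == 'yes')
    else:
        return None
    return rec


def te_rule(avc, verb='allow'):
    """One type-enforcement rule in the form audit2allow prints."""
    return f"{verb} {avc['stype']} {avc['ttype']}:{avc['tclass']} {' '.join(avc['perms'])};"


def suggest_rules(lines, verb='allow'):
    """Merge all denials per (source type, target type, class), as audit2allow does,
    and pair each rule with the exe from the SYSCALL record of the same serial."""
    syscalls = {}
    denials = {}  # insertion-ordered, so rules come out in log order
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec['type'] == 'SYSCALL':
            syscalls[rec['serial']] = rec
        elif rec['result'] == 'denied':
            key = (rec['stype'], rec['ttype'], rec['tclass'])
            merged = denials.setdefault(key, {**rec, 'perms': []})
            for p in rec['perms']:
                if p not in merged['perms']:
                    merged['perms'].append(p)
    return [(te_rule(avc, verb), syscalls.get(avc['serial'], {}).get('exe'))
            for avc in denials.values()]


if __name__ == '__main__':
    for rule, exe in suggest_rules(SAMPLE_LOG, verb='dontaudit'):
        print(f'{rule}    # triggered by {exe}')
```

Which verb is right is a policy decision rather than a parsing one: `allow` grants the access, while `dontaudit` only stops the record from being logged; the fix in Comment 8 used the latter. Either line would go into the `.te` file of a local policy module, as the FAQ linked in the description describes.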

Comment 1 Christian Kujau 2010-04-21 20:33:16 UTC
Fresh install of F13 on an Intel iMac. The only big change so far is that /tmp is a tmpfs, /home is mounted via NFS and the system configured as an NIS client:

# egrep 'home|/tmp' /proc/mounts 
tmpfs /tmp tmpfs rw,rootcontext=system_u:object_r:tmp_t:s0,seclabel,nosuid,relatime 0 0
gate:/home /home nfs rw,relatime,vers=3,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.200.0.10,mountvers=3,mountport=4002,mountproto=udp,fsc,addr=10.200.0.10 0 0

Comment 2 Christian Kujau 2010-04-21 20:36:45 UTC
Hm, this looks like #546771, which was said to be "fixed in abrt-1.0.2" (F12/updates-testing), but the bug is still tagged NEW. And rightly so, I guess :-\

Comment 3 Daniel Walsh 2010-04-21 20:46:44 UTC
No, I don't think this is the same. Did you run prelink in a terminal, or were you installing some apps which caused prelink to run?

Comment 4 Christian Kujau 2010-04-22 00:45:54 UTC
No, I did not use prelink manually. I just "reproduced" this: I log in to Gnome after a fresh reboot, start a terminal, run nothing else, and wait a while for things to calm down. No Yum; PackageKit is uninstalled already. But when I start Firefox, I'm presented with the SELinux warning.

Running Firefox through strace(1) reveals a few prelink calls:

stat("/usr/sbin/prelink", {st_mode=S_IFREG|0755, st_size=1262168, ...}) = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libnssdbm3.so"], [/* 55 vars */]) = 0
open("/tmp/undo.#prelink#.iVmjXE", O_RDWR|O_CREAT|O_EXCL, 0600) = 2
utime("/tmp/undo.#prelink#.iVmjXE", [2010/04/21-17:39:23, 2010/04/15-08:43:28]) = 0
read(0, "unconfined_u:unconfined_r:prelink_t:s0-s0:c0.c1023\0", 4095) = 51
setxattr("/tmp/undo.#prelink#.iVmjXE", "security.selinux", "system_u:object_r:lib_t:s0", 27, 0) = 0
unlink("/tmp/undo.#prelink#.iVmjXE")    = 0
execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "-u", "-o", "-", "/usr/lib64/libfreebl3.so"], [/* 55 vars */]) = 0
[...]

and so on.

Comment 5 Christian Kujau 2010-04-22 01:00:34 UTC
Created attachment 408203 [details]
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P default

Comment 6 Christian Kujau 2010-04-22 01:01:32 UTC
Created attachment 408204 [details]
strace -ff -tt -F -s1024 -o /tmp/strace-firefox.log /usr/lib64/firefox-3.6/firefox -P tmp

Comment 7 Christian Kujau 2010-04-22 01:04:28 UTC
Somehow I cannot reproduce the SELinux warning when I'm starting a pristine Firefox profile ("tmp"), but only when starting Firefox with my "default" profile, where all sorts of things are tuned and stored (esp. the password manager; FIPS is enabled). I've created the strace logs, if they are any good....

Comment 8 Daniel Walsh 2010-04-22 12:44:21 UTC
Ok, I will add a dontaudit in next release.

Fixed in selinux-policy-3.7.19-5.fc13.noarch

Comment 9 Fedora Update System 2010-04-26 19:52:03 UTC
selinux-policy-3.7.19-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

Comment 10 Fedora Update System 2010-04-27 05:49:16 UTC
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-6.fc13

Comment 11 Fedora Update System 2010-04-28 03:06:41 UTC
selinux-policy-3.7.19-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Christian Kujau 2010-04-28 23:15:27 UTC
Hm, strange. I had updates-testing enabled anyway, but even "--enablerepo=updates-testing" did not get me 3.7.19-6. Manually downloading selinux-policy and selinux-policy-targeted, forcefully removing the old packages and installing the new ones fixed this issue. Now Firefox starts without the SELinux warning.

Thanks!

Comment 13 Daniel Walsh 2010-04-29 18:24:28 UTC
Just means it had not been pushed to your mirror yet.