Bug 586070

Summary: SELinux is preventing /bin/bash "getattr" access on /var/lib/prelink/force.
Product: [Fedora] Fedora Reporter: Gene Snider <genes1122>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: adam, ahecox, axet, bulk, cvoeten, dpreed, dwalsh, ferry.oude-kotte, gaetan, gavin, hypnose-kroete, isada0, james.brown, jayce.net, jonathan.rushdoony, justin092470, ljhanson, mfojtik, mgrepl, moabi2000, muel, p.zaskorski, quentin, rderooy, rodd, seventhguardian, sundaram
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:1d2506e1fddb2404e02c1d8a063c3d43190940c315d0d4fec97515bc77e91113
Fixed In Version: selinux-policy-3.7.19-10.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-05-04 23:55:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gene Snider 2010-04-26 18:26:37 UTC
Summary:

SELinux is preventing /bin/bash "getattr" access on /var/lib/prelink/force.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by prelink. It is not expected that this access
is required by prelink and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/prelink/force [ file ]
Source                        prelink
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.2-4.fc13
Target RPM Packages           prelink-0.4.3-3.fc13
Policy RPM                    selinux-policy-3.7.19-2.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.2-60.fc13.x86_64 #1 SMP Wed
                              Apr 21 18:53:20 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 25 Apr 2010 02:13:26 PM PDT
Last Seen                     Sun 25 Apr 2010 02:13:26 PM PDT
Local ID                      97f17b7d-4cac-4839-bdc5-73e0c1d6f7cf
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272230006.730:20128): avc:  denied  { getattr } for  pid=3157 comm="prelink" path="/var/lib/prelink/force" dev=dm-3 ino=134963 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1272230006.730:20128): arch=c000003e syscall=4 success=yes exit=0 a0=2063630 a1=7fffaff60540 a2=7fffaff60540 a3=8 items=0 ppid=2893 pid=3157 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,prelink,prelink_cron_system_t,var_lib_t,file,getattr
audit2allow suggests:

#============= prelink_cron_system_t ==============
allow prelink_cron_system_t var_lib_t:file getattr;

Comment 1 Daniel Walsh 2010-04-26 18:38:27 UTC
Fixed in selinux-policy-3.7.19-6.fc13.noarch

Comment 2 Gene Snider 2010-04-27 18:05:47 UTC
Thanks!

Gene

Comment 3 Fedora Update System 2010-04-30 20:07:45 UTC
selinux-policy-3.7.19-10.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-10.fc13

Comment 4 Fedora Update System 2010-04-30 23:50:17 UTC
selinux-policy-3.7.19-10.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-10.fc13

Comment 5 Fedora Update System 2010-05-04 23:55:25 UTC
selinux-policy-3.7.19-10.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 hypnose-kroete 2010-05-18 00:45:19 UTC
Still persists in selinux-policy(3.7.19-15), bash(4.1.2-4), prelink(0.4.3-3). This happens after keeping a login root shell open for a couple of  minutes (15-30min).

node=++.localdomain type=AVC msg=audit(1274088182.275:268): avc:  denied  { getattr } for  pid=6442 comm="prelink" path="/var/lib/prelink/force" dev=sda3 ino=792602 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

node=++.localdomain type=SYSCALL msg=audit(1274088182.275:268): arch=c000003e syscall=4 success=no exit=-13 a0=23d6630 a1=7fff02e4c490 a2=7fff02e4c490 a3=8 items=0 ppid=6266 pid=6442 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=27 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Comment 7 Daniel Walsh 2010-05-18 12:41:23 UTC
restorecon -R -v /var/lib/prelink

Should fix the label.