Bug 587669
Summary: | SELinux is preventing /bin/bash "read" access on /home/mark. | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Mark Wielaard <mjw> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Aleš Mareček <amarecek> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 6.0 | CC: | amarecek, dgregor, dwalsh, jrieden, notting, sgrubb, syeghiay, xlu |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | setroubleshoot_trace_hash:eaebbbe5d4712447f19b81782c476dc52dcf31425ced21e73710d04dc39947b4 | | |
Fixed In Version: | openswan-2_6_24-4_el6 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | | |
| 644333 (view as bug list) | Environment: | |
Last Closed: | 2010-11-11 14:57:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 644333 | | |
Description
Mark Wielaard
2010-04-30 14:08:35 UTC
Something odd is going on, since _realsetup also seems to poke at a couple of other random files in my homedir: .pulse-cookie, .xinputrc, .gitconfig, .ICEauthority and .Xauthority.

Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.pulse-cookie.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this access is required by _realsetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:pulseaudio_home_t:s0
Target Objects                /home/mark/.pulse-cookie [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64 #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      ed697985-0052-4926-b291-7d053bb68154
Line Numbers

Raw Audit Messages

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:207): avc: denied { getattr } for pid=9856 comm="_realsetup" path="/home/mark/.pulse-cookie" dev=dm-1 ino=46 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:207): arch=c000003e syscall=4 success=yes exit=0 a0=1e35910 a1=7fffc41dc460 a2=7fffc41dc460 a3=51 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

Summary:

SELinux is preventing /bin/bash "read" access on /home/mark/.xinputrc.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this access is required by _realsetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/mark/.xinputrc [ lnk_file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64 #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      9864e37e-5d00-46fd-a714-7b6b2ecf47b7
Line Numbers

Raw Audit Messages

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:208): avc: denied { read } for pid=9856 comm="_realsetup" name=".xinputrc" dev=dm-1 ino=96099 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:208): arch=c000003e syscall=4 success=yes exit=0 a0=1e34730 a1=7fffc41dc460 a2=7fffc41dc460 a3=0 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.gitconfig.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this access is required by _realsetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:git_session_content_t:s0
Target Objects                /home/mark/.gitconfig [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64 #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      be531eb6-2622-4e5f-8023-b1a28904cb40
Line Numbers

Raw Audit Messages

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:209): avc: denied { getattr } for pid=9856 comm="_realsetup" path="/home/mark/.gitconfig" dev=dm-1 ino=92310 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:git_session_content_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:209): arch=c000003e syscall=4 success=yes exit=0 a0=1e346f0 a1=7fffc41dc460 a2=7fffc41dc460 a3=0 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.ICEauthority.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this access is required by _realsetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:iceauth_home_t:s0
Target Objects                /home/mark/.ICEauthority [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64 #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      c9bd66fe-d6a3-439a-a090-883f79c8a59f
Line Numbers

Raw Audit Messages

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:210): avc: denied { getattr } for pid=9856 comm="_realsetup" path="/home/mark/.ICEauthority" dev=dm-1 ino=89964 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:iceauth_home_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:210): arch=c000003e syscall=4 success=yes exit=0 a0=1e33d20 a1=7fffc41dc460 a2=7fffc41dc460 a3=c items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.Xauthority.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this access is required by _realsetup and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:xauth_home_t:s0
Target Objects                /home/mark/.Xauthority [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64 #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      09eb2eb9-d656-42a3-9328-7e80995a54cb
Line Numbers

Raw Audit Messages

node=springer.wildebeest.org type=AVC msg=audit(1272636402.893:211): avc: denied { getattr } for pid=9856 comm="_realsetup" path="/home/mark/.Xauthority" dev=dm-1 ino=86687 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.893:211): arch=c000003e syscall=4 success=yes exit=0 a0=1e1b800 a1=7fffc41dc460 a2=7fffc41dc460 a3=c items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

Were you sitting in your homedir when you executed this script? I have no idea why _realsetup is looking at files in your homedir. Maybe it looks at all subdirs of the current directory?

Openswan's _realsetup does not have anything to do with these files: .pulse-cookie, .xinputrc, .gitconfig, .ICEauthority and .Xauthority.

Yes, this is when sitting in my homedir. But it doesn't look like it is looking at all files in my homedir, there are lots more.

It isn't happening anymore. Or at least, I am not able to trigger it easily. Will update the bug report if I see it again.

Looking through the _realsetup shell script I don't see anything obvious that could trigger this. I am still seeing the selinux denials from bug #586760 (in Permissive mode).

$ rpm -q selinux-policy openswan
selinux-policy-3.7.19-10.el6.noarch
openswan-2.6.24-3.el6.x86_64

It is probably the bash script that is triggering these. If we add a cd / to the script it probably would not generate these avcs.

Found an easy reproducer. Stop the ipsec service when it is already stopped (or just stop it twice in a row) when in your current home directory:

$ sudo ipsec setup stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...

That will give you (in my case 6) selinux denials on various stats/reads of the home directory and some of the dot files.

Could you please try the latest selinux-policy-3.7.19-11.el6, and see if it still happens?

(In reply to comment #9)
> Could you please try the latest selinux-policy-3.7.19-11.el6, and see if it
> still happens?

Yes, it still happens with selinux-policy-3.7.19-11.el6.noarch. That version does fix bug #586760 but not this one. If you try the reproducer in comment #8 you should also see this issue with the latest selinux-policy package.

But I don't think this is a selinux-policy issue. It seems that ipsec should just not try to stat/read files in the user home directory.

Is ipsec a shell script? If it does cd / before executing, this will fix the problem. This is what the /sbin/service script does.

ipsec can also be started/stopped as follows:

service ipsec start/stop

I believe that that would solve the problem. Mark, can you please check that? Then, we do not need to fix it, right?

(In reply to comment #12)
> ipsec can also be started/stopped as follows:
>
> service ipsec start/stop
>
> I believe that that would solve the problem. Mark, can you please check that?

If I run "service ipsec stop" twice in a row it doesn't seem to trigger any accesses to the home directory or any dot files.

> Then, we do not need to fix it, right?

I don't know what the "correct" way is to use this. I didn't know there was also a service; the documentation I saw (RHEL6InternalBeta) said to execute things by hand to access the vpn.

Hello Mark,

Thanks for checking this. Although both are correct ways, "service ipsec start/stop" is selinux-friendly and "ipsec setup start/stop" is not. The reason for this is that, as Dan Walsh stated in his comment 11, /sbin/service has "cd /". That's why I asked you to check "service ipsec start/stop", because it follows the selinux-friendly way.

Thanks
Avesh

Is ipsec a command in /usr/bin or /usr/sbin? Or is it the init script in /etc/init.d/ipsec?

Both, ipsec is in /usr/sbin/ipsec, and also in /etc/init.d/ipsec.

Can you add a cd / to /usr/sbin/ipsec?

I can do that. But it would help me explain it to Openswan upstream if you could explain to me why this solves the problem and makes /usr/sbin/ipsec more selinux-friendly.

The script _realsetup is for some reason looking at files/directories in the current working directory. I have no idea why, but it might be searching a path. Any files/directories with labels that ipsec is not allowed to touch will generate a getattr AVC message, as we see.

Changing working directory also prevents the user's homedir from potentially influencing the script to do something evil/unexpected.

Bill, do you have any other history on why the service script does the "cd /"?

It also ensures that someone who happens to start a random service while sitting in an NFS-mounted directory won't have busy references to that NFS filesystem when they try to shut down, for example. '/' is chosen as it's a directory that will always be available.

Miroslav, the only thing we can do is add

files_dontaudit_search_home(ipsec_t)

Fixed in selinux-policy-3.7.19-36.el6.noarch.

Miroslav, you probably need

optional_policy(`
	ipsec_mgmt_dbus_chat(sysadm_t)
')

Fixed in selinux-policy-3.7.19-38.el6.noarch

Somehow /etc/hosts got mislabeled. Did you hand edit it?

Yes, I did, but it was a long time ago. So I wonder why I saw this AVC after a long time of using and then some testing of this, and only once. Anyway, this is not the issue of this bug, nor blocking it. That's why I moved it to VERIFIED.

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
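As an added example (not code from this bug, nor from the selinux-policy or Openswan projects): a small Python parser that reads raw audit records of the shape quoted in the description, keeps only the AVC denials, and groups them by source type, target type, object class and permission the way audit2allow does, which is what makes the pattern behind a burst like this one (ipsec_mgmt_t touching assorted home-directory types) visible at a glance. The sample records are constructed from the ones quoted above, with the SYSCALL record shortened.

```python
import re
from collections import Counter

# Constructed sample, copied from the AVC records quoted in this bug (SYSCALL record
# shortened); a real input would be the output of `ausearch -m avc`.
SAMPLE_AUDIT = """\
node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:207): avc: denied { getattr } for pid=9856 comm="_realsetup" path="/home/mark/.pulse-cookie" dev=dm-1 ino=46 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:207): arch=c000003e syscall=4 success=yes exit=0 comm="_realsetup" exe="/bin/bash"
node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:208): avc: denied { read } for pid=9856 comm="_realsetup" name=".xinputrc" dev=dm-1 ino=96099 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:209): avc: denied { getattr } for pid=9856 comm="_realsetup" path="/home/mark/.gitconfig" dev=dm-1 ino=92310 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:git_session_content_t:s0 tclass=file
"""

# Decision, the permission set in braces, and the three fields that pick the policy rule.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type (third field) of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}  # pid, comm, path, ...
    rec.update(m.groupdict())
    rec["perms"] = m.group("perms").split()  # "{ read write }" -> ["read", "write"]
    return rec


def summarize(audit_text):
    """Count denials by (source type, target type, class, permission), the same
    grouping audit2allow uses, so a burst of AVCs collapses to a few rule-shaped keys."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


def as_rules(counts):
    """Render each key as the allow rule audit2allow would propose (triage only: here the
    maintainers chose a dontaudit over granting ipsec_mgmt_t access to home content)."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in counts)
```

Fed the five AVC records from the description, the summary yields one key per home-directory type, which is the signal that the script's working directory, not any genuine need of Openswan, is driving the accesses.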