Bug 588390

Summary: SELinux is preventing /bin/cp "relabelfrom" access on /var/lib/misc/prelink.quick.
Product: [Fedora] Fedora
Reporter: chrys87
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 13
CC: crn1, dwalsh, haanjdj, mgrepl, ulrich.hobelmann, ultima.ratio.regum69, walovaton
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:0286770154e8778a5f148454a354f56b703a4c23fba50e25c354544895612688
Doc Type: Bug Fix
Last Closed: 2010-10-01 06:09:04 UTC

Description chrys87 2010-05-03 16:01:21 UTC
Summary:

SELinux is preventing /bin/cp "relabelfrom" access on
/var/lib/misc/prelink.quick.

Detailed Description:

[cp has a permissive type (prelink_cron_system_t). This access was not
denied.]

SELinux denied access requested by cp. It is not expected that this access is
required by cp and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                system_u:object_r:prelink_var_lib_t:s0
Target Objects                /var/lib/misc/prelink.quick [ file ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-7.6-7.fc12
Target RPM Packages           prelink-0.4.2-4.fc12
Policy RPM                    selinux-policy-3.6.32-55.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.6-166.fc12.i686.PAE #1
                              SMP Wed Dec 9 11:00:30 EST 2009 i686 athlon
Alert Count                   2
First Seen                    Mo 11 Jan 2010 21:12:11 CET
Last Seen                     Mo 11 Jan 2010 21:12:11 CET
Local ID                      b2370218-62e6-4eee-82c5-fe5405b36537
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1263240731.631:26263): avc:  denied  { relabelfrom } for  pid=5793 comm="cp" name="prelink.quick" dev=sda2 ino=187628 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_var_lib_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1263240731.631:26263): avc:  denied  { relabelto } for  pid=5793 comm="cp" name="prelink.quick" dev=sda2 ino=187628 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_var_lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1263240731.631:26263): arch=40000003 syscall=228 success=yes exit=0 a0=5 a1=b7a9cd a2=9d7f498 a3=27 items=0 ppid=5786 pid=5793 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cp" exe="/bin/cp" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,cp,prelink_cron_system_t,prelink_var_lib_t,file,relabelfrom
audit2allow suggests:

#============= prelink_cron_system_t ==============
#!!!! This avc is allowed in the current policy

allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };

Comment 1 Daniel Walsh 2010-05-03 17:12:10 UTC
yum update

Comment 2 Derkjan de Haan 2010-08-18 13:11:44 UTC
This error still shows in my F13 install.

Comment 3 Daniel Walsh 2010-08-21 10:20:51 UTC
Please attach the AVC information.

ausearch -m avc -ts recent

Comment 4 Derkjan de Haan 2010-08-23 14:05:48 UTC
Summary:

SELinux is preventing /bin/cp "relabelfrom" access on /var/lib/prelink/quick.

Detailed Description:

SELinux denied access requested by cp. It is not expected that this access is
required by cp and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Target Context                unconfined_u:object_r:prelink_var_lib_t:s0
Target Objects                /var/lib/prelink/quick [ file ]
Source                        cp
Source Path                   /bin/cp
Port                          <Unknown>
Host                          bogomip.badmuts.org
Source RPM Packages           coreutils-8.4-8.fc13
Target RPM Packages           prelink-0.4.3-3.fc13
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bogomip.badmuts.org
Platform                      Linux bogomip.badmuts.org
                              2.6.33.6-147.2.4.fc13.x86_64 #1 SMP Fri Jul 23
                              17:14:44 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 18 Aug 2010 03:07:54 PM CEST
Last Seen                     Wed 18 Aug 2010 03:07:54 PM CEST
Local ID                      7727bf05-ffa3-4ceb-8c36-b619222b6701
Line Numbers                  

Raw Audit Messages            

node=bogomip.badmuts.org type=AVC msg=audit(1282136874.53:25194): avc:  denied  { relabelfrom } for  pid=9986 comm="cp" name="quick" dev=dm-0 ino=253311 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:prelink_var_lib_t:s0 tclass=file

node=bogomip.badmuts.org type=SYSCALL msg=audit(1282136874.53:25194): arch=c000003e syscall=190 success=no exit=-13 a0=4 a1=7fff6ef6a580 a2=17b5930 a3=2b items=0 ppid=9979 pid=9986 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="cp" exe="/bin/cp" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

ausearch -m avc -ts recent outputs <no matches>

Comment 5 Miroslav Grepl 2010-10-01 06:09:04 UTC
This is fixed in the latest F13 policy.
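
Added example, not part of the bug report or of setroubleshoot: a short Python parser that groups the raw audit records by event ID and uses the SYSCALL record to tell a logged-only denial (the description, where cp ran in a permissive type) from a blocked one (comment 4, exit=-13). The function name `summarize` and the abridged sample records are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Abridged from the audit records quoted in the description and in comment 4
# (node, pid, dev, ino and syscall argument fields dropped for brevity).
SAMPLE = """\
type=AVC msg=audit(1263240731.631:26263): avc:  denied  { relabelfrom } for comm="cp" name="prelink.quick" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_var_lib_t:s0 tclass=file
type=AVC msg=audit(1263240731.631:26263): avc:  denied  { relabelto } for comm="cp" name="prelink.quick" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:prelink_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1263240731.631:26263): arch=40000003 syscall=228 success=yes exit=0 comm="cp" exe="/bin/cp"
type=AVC msg=audit(1282136874.53:25194): avc:  denied  { relabelfrom } for comm="cp" name="quick" scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:prelink_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1282136874.53:25194): arch=c000003e syscall=190 success=no exit=-13 comm="cp" exe="/bin/cp"
"""

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
AVC = re.compile(r"denied\s+\{ ([^}]+) \}.*scontext=(\S+) tcontext=(\S+) tclass=(\w+)")
SUCCESS = re.compile(r"\bsuccess=(\w+)")

def summarize(log):
    """Map each audit event ID to (enforcement state, candidate allow rule)."""
    events = defaultdict(lambda: {"perms": set(), "success": None})
    for line in log.splitlines():
        head = EVENT.search(line)
        if not head:
            continue
        kind, eid = head.groups()
        if kind == "AVC" and (m := AVC.search(line)):
            perms, scon, tcon, tclass = m.groups()
            events[eid]["perms"].update(perms.split())
            # A context is user:role:type:level; allow rules name only the type.
            events[eid].update(source=scon.split(":")[2],
                               target=tcon.split(":")[2], tclass=tclass)
        elif kind == "SYSCALL" and (m := SUCCESS.search(line)):
            events[eid]["success"] = m.group(1)
    out = {}
    for eid, ev in events.items():
        if not ev["perms"]:
            continue  # SYSCALL record with no matching AVC
        rule = "allow {} {}:{} {{ {} }};".format(
            ev["source"], ev["target"], ev["tclass"], " ".join(sorted(ev["perms"])))
        # success=yes next to a "denied" AVC: the call went through, so the
        # denial was only logged; success=no: the kernel refused the call.
        state = {"yes": "logged only", "no": "blocked"}.get(ev["success"], "unknown")
        out[eid] = (state, rule)
    return out

if __name__ == "__main__":
    for eid, (state, rule) in summarize(SAMPLE).items():
        print(eid, state, rule)
```

The rule string has the same shape as the audit2allow suggestion in the description and is a candidate for review only; in this thread the resolution was the updated selinux-policy package.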