Bug 613369
| Field | Value |
|---|---|
| Summary | audit2allow -Ral complains: "could not convert (...)<my type> to sid" |
| Product | Fedora |
| Component | selinux-policy |
| Version | 13 |
| Status | CLOSED NOTABUG |
| Severity | low |
| Priority | low |
| Reporter | Nicolas MONNET <nicolas.monnet> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, mgrepl |
| Hardware | All |
| OS | Linux |
| Target Milestone | --- |
| Target Release | --- |
| Doc Type | Bug Fix |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Last Closed | 2010-07-12 21:12:18 UTC |
Attachments:

- attachment 430946 [details]: pipslite.te
- attachment 430947 [details]: pipslite.fc (pipslite.if empty)
- attachment 430948 [details]: pipslite.pp, compiled module

Description (reporter):

Created attachment 430946 [details]
pipslite.te

Description of problem:

I recently created a policy module (attached) for pipslite (Epson-provided printer drivers, attached); it used to work just fine but something's obviously changed a lot with a recent Fedora update, since first of all I had to explicitly allow unconfined_u to look at the file's attributes to avoid an avc:

```
allow unconfined_t pipslite_fifo_t:fifo_file getattr;
```

The avc was:

```
type=AVC msg=audit(1278807797.441:5107): avc: denied { getattr } for pid=18094 comm="bash" path="/var/run/pipslitelp0" dev=dm-12 ino=1032 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1278807797.441:5107): arch=c000003e syscall=4 success=yes exit=0 a0=15b8930 a1=7fff2c5a1980 a2=7fff2c5a1980 a3=1 items=0 ppid=18093 pid=18094 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=348 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
```

Second, I get weird warnings from audit2allow (even though it works ...):

```
[root@chimpy ~]# audit2allow -Ral
libsepol.context_from_record: type pipslite_socket_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:pipslite_socket_t:s0 to sid
libsepol.context_from_record: type pipslite_socket_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
```

(last 4 lines repeated a dozen times)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-33.fc13.noarch

How reproducible:
Every time I run audit2allow

Steps to Reproduce:
1. install my policy module: semodule -i pipslite.pp
2. audit2allow -Ral
3.

Actual results:
Lots of warnings

Expected results:
No such warnings

Additional info:
System was installed fresh as F10 and updated to F11, then F12 and F13; this has once caused a problem in the past so I mention it.

```
[root@chimpy ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

git_shell_u     user       s0         s0                             git_shell_r
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

[root@chimpy ~]# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

[root@chimpy ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.
/home/nico/Music(/.*)?    system_u:object_r:public_content_rw_t:s0
```

Comment 1 (reporter):

Created attachment 430947 [details]
pipslite.fc
(pipslite.if empty)

Comment 2 (reporter):

Created attachment 430948 [details]
pipslite.pp
compiled module

Comment 3 (reporter):

Note that I didn't get any of this 2 weeks ago when I wrote the module, this just happened within the last few days. I was already upgraded to F13. I also get this strange AVC:

```
Summary:

SELinux is preventing /sbin/setfiles "getattr" access on /var/run/pipslitelp0.

Detailed Description:

SELinux denied access requested by restorecon. It is not expected that this
access is required by restorecon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context                system_u:object_r:pipslite_fifo_t:s0
Target Objects                /var/run/pipslitelp0 [ fifo_file ]
Source                        restorecon
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          chimpy.paris.monnet.biz
Source RPM Packages           policycoreutils-2.0.82-31.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-28.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     chimpy.paris.monnet.biz
Platform                      Linux chimpy.paris.monnet.biz 2.6.33.5-124.fc13.x86_64 #1 SMP Fri Jun 11 09:38:12 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Sat 10 Jul 2010 04:07:43 AM CEST
Last Seen                     Sat 10 Jul 2010 04:07:43 AM CEST
Local ID                      8212d7d2-210f-401d-9aee-a5a1b518f3ea
Line Numbers

Raw Audit Messages

node=chimpy.paris.monnet.biz type=AVC msg=audit(1278727663.651:4748): avc: denied { getattr } for pid=9542 comm="restorecon" name="pipslitelp0" dev=dm-12 ino=1210 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file

node=chimpy.paris.monnet.biz type=SYSCALL msg=audit(1278727663.651:4748): arch=c000003e syscall=192 success=no exit=-13 a0=7fa0d4f680f0 a1=7fa0d2362689 a2=7fa0d5308490 a3=ff items=0 ppid=9415 pid=9542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
```

Comment 4:

Somewhere along the way you defined pipslite_socket_t which is no longer defined in policy. The audit2allow command is reading an AVC about this socket and complaining.

Clear your /var/log/audit/audit.log and /var/log/messages and the problem should go away.

Comment 5 (reporter):

Alright, that fixed it. But btw, what's with having to explicitly allow unconfined_u to look at the new type's attribute? Why is it popping up just now, and why at all?

Comment 6:

It is not a new attribute, it is an undefined attribute. I am guessing you loaded policy that defined the type, then removed it; when you run audit2allow on it, audit2allow is telling you it is an undefined type.

audit2allow has gotten a little smarter and tries to do some analysis on avc messages. The analysis is causing the problem.
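The diagnosis in this thread is that old AVC records in audit.log still name a type (pipslite_socket_t) that the currently loaded policy no longer defines, so libsepol cannot turn the recorded context into a SID and audit2allow prints the warnings. The script below is an added example, not part of this bug report and not code from audit2allow or libsepol: it parses raw AVC records of the shape quoted above, pulls the type out of scontext and tcontext, and reports which records reference a type missing from the loaded policy, so an administrator can see exactly which stale entries are behind the noise before clearing logs. The audit lines and the set of loaded types are constructed for the example; on a real host they would come from `ausearch -m avc --raw` and `seinfo -t` respectively.

```python
"""Find AVC records that reference SELinux types not present in the loaded policy.

Added example for the bug thread above; not audit2allow's own logic.
"""
import re

# Constructed sample: the two denials quoted in the report, a made-up third
# record referencing the removed type pipslite_socket_t, and one SYSCALL line
# that must be ignored because it is not an AVC record.
SAMPLE_AUDIT = """\
node=chimpy.paris.monnet.biz type=AVC msg=audit(1278727663.651:4748): avc: denied { getattr } for pid=9542 comm="restorecon" name="pipslitelp0" dev=dm-12 ino=1210 scontext=system_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file
type=AVC msg=audit(1278807797.441:5107): avc:  denied  { getattr } for  pid=18094 comm="bash" path="/var/run/pipslitelp0" dev=dm-12 ino=1032 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_fifo_t:s0 tclass=fifo_file
type=AVC msg=audit(1278700000.000:4700): avc: denied { write } for pid=9000 comm="bash" name="pipslitelp0" dev=dm-12 ino=1210 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:pipslite_socket_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1278727663.651:4748): arch=c000003e syscall=192 success=no exit=-13
"""

# Constructed stand-in for the type list of the loaded policy (seinfo -t on a
# real system). pipslite_socket_t is deliberately absent, as in the report.
LOADED_TYPES = {"setfiles_t", "unconfined_t", "pipslite_fifo_t"}

# Matches the fixed prefix of an AVC record; search() rather than match() so a
# leading "node=..." field from setroubleshoot does not matter.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +"
    r"(?P<decision>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)"
)
# key=value pairs after "for"; values may be quoted (comm="bash") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one raw AVC line into a dict, or return None for non-AVC records."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    rec = {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    rec["stype"] = context_type(rec.get("scontext", ""))
    rec["ttype"] = context_type(rec.get("tcontext", ""))
    return rec


def find_stale_records(audit_text, loaded_types):
    """Return (record, missing_types) for every AVC whose source or target type
    is not in loaded_types. These are the records libsepol cannot map to a SID."""
    stale = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        missing = sorted(
            t for t in {rec["stype"], rec["ttype"]} if t and t not in loaded_types
        )
        if missing:
            stale.append((rec, missing))
    return stale


if __name__ == "__main__":
    for rec, missing in find_stale_records(SAMPLE_AUDIT, LOADED_TYPES):
        print(
            f"audit serial {rec['serial']}: comm={rec['comm']} tclass={rec['tclass']} "
            f"perms={' '.join(rec['perms'])} undefined type(s): {', '.join(missing)}"
        )
```

Run against real data, the serial numbers reported let you pick out the stale records with `ausearch -a <serial>` and confirm they predate the policy change, which is a narrower remedy than clearing the whole audit log; the two setfiles_t and unconfined_t denials from the report resolve cleanly because every type in them still exists.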