Bug 660653

Summary: SELinux AVCs during RPM installation
Product: Red Hat Enterprise MRG
Reporter: Jan Sarenik <jsarenik>
Component: condor
Assignee: Matthew Farrellee <matt>
Status: CLOSED ERRATA
QA Contact: Jan Sarenik <jsarenik>
Severity: high
Docs Contact:
Priority: high
Version: 1.3
CC: matt
Target Milestone: 1.3.2
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: condor-7.4.5-0.3
Doc Type: Bug Fix
Doc Text:
On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequent to this, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted not to use pipelines, and such messages no longer appear.
Story Points: ---
Clone Of:
Environment:
RHEL5 (up-to-date with RHN)
Last Closed: 2011-02-15 12:12:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Sarenik 2010-12-07 13:58:01 UTC
During installation of Condor RPMs on RHEL5, there is
a line in the postinstall scriptlet which reads:

semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd 2>&1| grep -v "already defined"

This causes AVCs like following:
------------------------------------------------------------
type=SYSCALL msg=audit(1291719121.964:58): arch=c000003e syscall=59 success=yes exit=0 a0=89102a0 a1=b647f40 a2=0 a3=2b27ac67d220 items=0 ppid=25947 pid=25965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
------------------------------------------------------------

Version-Release number of selected component (if applicable):
condor-7.4.4-0.16.el5 (MRG 1.3.0)
condor-7.4.4-0.17.el5 (MRG 1.3.0.1)

How reproducible: 100%

Steps to Reproduce:
1. Install condor RPM package (along with its dependencies: classads, gsoap)
  
Actual results: AVCs get emitted.

Expected results: No AVCs.

Additional info: Put above AVC lines into a file and run "sealert -a file".
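An added example, not from the bug report or the condor package: a small Python checker that parses audit records like the ones quoted above and flags the specific signature of this bug, a write denial on a fifo_file whose target context is rpm_script_t, i.e. a confined tool spawned by an RPM scriptlet being denied writing into a pipe the scriptlet created. The sample records are constructed from the pattern quoted above, with an unrelated denial added to show that the filter is selective.

```python
import re
from typing import Dict, List

# Constructed sample input modelled on the records quoted in the bug report;
# the httpd record is made up so the checker has a non-matching line to ignore.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1291719121.964:58): arch=c000003e syscall=59 success=yes exit=0 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=AVC msg=audit(1291719200.100:59): avc:  denied  { read } for  pid=26001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")          # the "{ write }" permission set
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"


def parse_avc(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AVC record plus its permission set.

    Non-AVC records (SYSCALL, PATH, ...) yield an empty dict.
    """
    if not line.startswith("type=AVC"):
        return {}
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    fields["perms"] = m.group(1) if m else ""
    return fields


def setype(ctx: str) -> str:
    """Extract the type component from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def find_pipe_denials(audit_text: str) -> List[Dict[str, str]]:
    """AVC records where a confined process was denied writing to a FIFO owned by rpm_script_t.

    This is exactly the pattern produced by "semanage ... | grep ..." in a %post
    scriptlet: semanage's child (setfiles_t) inherits the scriptlet's pipe as stdout.
    """
    hits = []
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if (f and f.get("tclass") == "fifo_file"
                and "write" in f["perms"].split()
                and setype(f.get("tcontext", "")) == "rpm_script_t"):
            hits.append(f)
    return hits


if __name__ == "__main__":
    for hit in find_pipe_denials(SAMPLE_AUDIT):
        print(f'{hit["comm"]} ({setype(hit["scontext"])}) denied write to {hit["path"]}')
```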

Comment 1 Jan Sarenik 2010-12-07 13:58:42 UTC
Just to make it clear: there is no such postinstall line in RHEL4
version of Condor's RPM.

Comment 2 Jan Sarenik 2010-12-08 15:31:14 UTC
This bug prevents me from successful test run in case I install
condor during the test. E.g. see
https://beaker.engineering.redhat.com/jobs/37019

Comment 3 Matthew Farrellee 2010-12-08 18:36:08 UTC
Bug 490108 should have been CLOSED as WONTFIX instead of NOTABUG, which is the case now. This was evaluated, with consultation from SELinux experts, and was not viewed to be an issue worth fixing at the time.

If this becomes an issue that impacts execution of the rpm installation/upgrade or the condor_startd after installation, we can re-evaluate.

Comment 4 Jan Sarenik 2010-12-09 09:58:02 UTC
But I am sure the "|grep" pipe is not vital there.
Simple removal of it would make my Beaker tests pass.
Please consider removing the pipe from postinstall script.

Excuse me for putting this back to ASSIGNED, but I would
like to get at least a reply. Thanks.

Comment 5 Matthew Farrellee 2010-12-09 18:23:16 UTC
Bug 472084 is the source of this.

EL5's current semanage (policycoreutils-1.33.12-14.8.el5) does not complain about duplicate fcontext -a's.

# semanage fcontext -l | grep startd
/usr/sbin/condor_startd                            all files          system_u:object_r:unconfined_execmem_exec_t:s0 
# semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd

If the change to semanage is intentional then the |grep may be removed altogether.

Comment 6 Matthew Farrellee 2010-12-10 19:52:13 UTC
I'm going to remove the |grep from the semanage line, should be available post 7.4.5-0.2, watch the Fixed In Version field.

Comment 7 Matthew Farrellee 2010-12-10 20:08:12 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. 
C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are below. The errors were non-fatal.
F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
R: No more SELinux messages as part of a second install/upgrade.

Comment 8 Jan Sarenik 2010-12-13 09:42:19 UTC
Verified on condor-7.4.5-0.3.el5 on current RHN updated RHEL5.5 x86_64.
Thank you for the fix!

Comment 9 Jan Sarenik 2010-12-17 16:12:58 UTC
There is still an other problem, even after removing the "|grep"
pipe. I will get back with more info when it gets clearer.

Comment 10 Matthew Farrellee 2010-12-17 16:20:21 UTC
If it is a different issue, please file another BZ.

Comment 11 Jan Sarenik 2010-12-21 13:23:13 UTC
The new one is bug 664684.

This one is verified for condor-7.4.5-0.3.el5 according to the spec file.
Also verified practically both on RHEL5 x86_64 and i386.

Comment 12 Jaromir Hradilek 2011-02-09 14:44:45 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. 
+On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequent to this, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted no to use pipelines, and such messages no longer appear.-C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are bellow. The errors were non-fatal.
-F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
-R: No more SELinux messages as part of a second install/upgrade.
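Review bot: the replacement text on the "+" line carries a typo, "adapted no to use pipelines" should read "adapted not to use pipelines". Note also that the old "-C: The SELinux policy for EL5 ..." line is run onto the end of the "+" line, so the hunk header's "-1,4 +1" count lists four removed lines while only three "-" lines are visible; this looks like an extraction glitch in the rendered diff rather than a problem with the note itself.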

Comment 13 errata-xmlrpc 2011-02-15 12:12:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0217.html