Bug 698223

Summary:	SELinux is preventing /bin/bash from 'read' accesses on the lnk_file lock.
Product:	[Fedora] Fedora	Reporter:	Renich Bon Ciric <renich>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED DUPLICATE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	15	CC:	dev, dwalsh, lukas+fedora, mgrepl, robatino
Target Milestone:	---
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:	setroubleshoot_trace_hash:33718a8d5daa96c58356ee279b154eb2f679637d304e80674c673cd8e4e9e75f
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2011-05-22 18:40:56 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Renich Bon Ciric 2011-04-20 13:13:41 UTC

SELinux is preventing /bin/bash from 'read' accesses on the lnk_file lock.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow bash to have read access on the lock lnk_file
Then you need to change the label on lock
Do
# semanage fcontext -a -t FILE_TYPE 'lock'
where FILE_TYPE is one of the following: textrel_shlib_t, rpm_script_tmp_t, var_lock_t, bin_t, usr_t, device_t, devlog_t, locale_t, var_run_t, etc_t, ipsec_t, proc_t, ipsec_mgmt_exec_t, var_run_t, ipsec_mgmt_t, proc_net_t, ipsec_var_run_t, abrt_t, lib_t, root_t, etc_runtime_t, device_t, ld_so_t, proc_t, ipsec_key_file_t. 
Then execute: 
restorecon -v 'lock'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that bash should be allowed read access on the lock lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep _realsetup /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ipsec_mgmt_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                lock [ lnk_file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.8-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed
                              Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 20 Apr 2011 08:11:29 AM CDT
Last Seen                     Wed 20 Apr 2011 08:11:29 AM CDT
Local ID                      45530f89-3720-430c-bef2-dbdd42a3a666

Raw Audit Messages
type=AVC msg=audit(1303305089.964:70): avc:  denied  { read } for  pid=2682 comm="_realsetup" name="lock" dev=dm-1 ino=131701 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1303305089.964:70): arch=x86_64 syscall=stat success=no exit=EACCES a0=13e4b50 a1=7fff885f95e0 a2=7fff885f95e0 a3=8 items=0 ppid=2643 pid=2682 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=_realsetup exe=/bin/bash subj=system_u:system_r:ipsec_mgmt_t:s0 key=(null)

Hash: _realsetup,ipsec_mgmt_t,var_t,lnk_file,read

audit2allow

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_t:lnk_file read;

audit2allow -R

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t var_t:lnk_file read;

Comment 1 Daniel Walsh 2011-04-20 14:27:17 UTC

ls -lZd /var/lock

Comment 2 Lukas Middendorf 2011-04-26 10:41:30 UTC

This happens when I run system-config-services.


# ls -lZ /var/
lrwxrwxrwx. root root system_u:object_r:var_t:s0       lock -> ../run/lock

# ls -lZ /run/
drwxr-xr-x. root root system_u:object_r:var_lock_t:s0  lock

restorecon does not change the file labels if I run it on /var/lock or /run/lock

Comment 3 Miroslav Grepl 2011-04-26 12:20:28 UTC

# rpm -q systemd

Comment 4 Lukas Middendorf 2011-04-26 12:30:41 UTC

systemd-25-1.fc15.i686

Comment 5 Daniel Walsh 2011-04-26 15:21:32 UTC

matchpathcon /var/lock

Comment 6 Daniel Walsh 2011-04-26 15:27:43 UTC

It is labeled correctly with selinux-policy-3.9.16-17.fc15

Comment 7 Lukas Middendorf 2011-04-29 15:08:56 UTC

# matchpathcon /var/lock
/var/lock       system_u:object_r:var_lock_t:s0

still seeing this with selinux-policy-3.9.16-18.fc15.noarch every time I start system-config-services.

Comment 8 Daniel Walsh 2011-04-29 16:39:34 UTC

Then 
# restorecon /var/lock
# ls -lZ /var/lock

Comment 9 Lukas Middendorf 2011-04-29 16:57:19 UTC

# ls -lZ /var/lock 
lrwxrwxrwx. root root system_u:object_r:var_t:s0       /var/lock -> ../run/lock
# restorecon -v /var/lock
# ls -lZ /var/lock 
lrwxrwxrwx. root root system_u:object_r:var_t:s0       /var/lock -> ../run/lock

Comment 10 Daniel Walsh 2011-04-29 17:15:02 UTC

grep /var/lock /etc/selinux/targeted/contexts/files/file_context

if you run 

yum reinstall selinux-policy-targeted 

Do you see any errors?

Comment 11 Lukas Middendorf 2011-04-29 17:28:47 UTC

# grep /var/lock /etc/selinux/targeted/contexts/files/file_context
grep: /etc/selinux/targeted/contexts/files/file_context: No such file or directory
# grep /var/lock /etc/selinux/targeted/contexts/files/file_contexts
/var/lock(/.*)? system_u:object_r:var_lock_t:s0
/var/lock/lvm(/.*)?     system_u:object_r:lvm_lock_t:s0
/var/lock/mrtg(/.*)?    system_u:object_r:mrtg_lock_t:s0
/var/lock/uucp(/.*)?    system_u:object_r:uucpd_lock_t:s0
/var/lock/iscsi(/.*)?   system_u:object_r:iscsi_lock_t:s0
/var/lock/dirsrv(/.*)?  system_u:object_r:dirsrv_var_lock_t:s0
/var/lock/mailman(/.*)? system_u:object_r:mailman_lock_t:s0
/var/lock       -l      system_u:object_r:var_lock_t:s0
/var/lock/subsys/ipsec  --      system_u:object_r:ipsec_mgmt_lock_t:s0
/var/lock/subsys/denyhosts      --      system_u:object_r:denyhosts_var_lock_t:s0
/var/lock/subsys/shorewall      --      system_u:object_r:shorewall_lock_t:s0
/var/lock/fence_manual\.lock    --      system_u:object_r:fenced_lock_t:s0


reinstalling selinux-policy-targeted seems to work without errors.

Comment 12 Daniel Walsh 2011-04-29 18:03:02 UTC

Ok we are entering bizarro world here.

restorecon -v /var/lock does not change the label of /var/lock to var_lock_t and yet the file context files has

/var/lock(/.*)? system_u:object_r:var_lock_t:s0

And 
matchpathcon /var/lock 

says it should be labeled var_lock_t.

Does 

restorecon -Fv /var/lock

Do anything?

Comment 13 Lukas Middendorf 2011-04-29 18:12:07 UTC

no, -F does not change anything.

I also reinstalled policycoreutils-2.0.85-27.fc15.i686, also no change.

Comment 14 Daniel Walsh 2011-04-29 18:31:24 UTC

# chcon -t var_lock_t /var/lock
# ls -lZ /var/lock
# restorecon -v /var/lock
# ls -lZ /var/lock

Comment 15 Lukas Middendorf 2011-04-29 18:40:33 UTC

# chcon -t var_lock_t /var/lock
# ls -lZ /var/lock
lrwxrwxrwx. root root system_u:object_r:var_t:s0       /var/lock -> ../run/lock
# chcon -h -t var_lock_t /var/lock
# ls -lZ /var/lock
lrwxrwxrwx. root root system_u:object_r:var_lock_t:s0  /var/lock -> ../run/lock
# restorecon -v /var/lock
# ls -lZ /var/lock
lrwxrwxrwx. root root system_u:object_r:var_lock_t:s0  /var/lock -> ../run/lock


looks as if the "restorecon does not follow symbolic links." part of restorecon man page is wrong.

Comment 16 Miroslav Grepl 2011-05-22 18:35:56 UTC

*** Bug 706489 has been marked as a duplicate of this bug. ***

Comment 17 Miroslav Grepl 2011-05-22 18:40:36 UTC

The way how to fix the label in this case is using

# restorecon -R -v /var/

Comment 18 Miroslav Grepl 2011-05-22 18:40:56 UTC


*** This bug has been marked as a duplicate of bug 701575 ***