Bug 704797

Summary: SELinux is preventing output from "service shorewall status"
Product: [Fedora] Fedora Reporter: Mr-4 <mr.dash.four>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 13CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-27 11:44:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Mr-4 2011-05-15 02:01:09 UTC 
Description of problem:
When "service shorewall status" is executed this normally gives status of the shorewall service (it displays useful information regardless of whether or not the service is running), but this is impossible if SELinux is in enforcing mode. There are *no* avcs of any kind (probably because of "dontaudit" statements in shorewall.te)

Version-Release number of selected component (if applicable):
The latest SElinux policy, but previous versions have the same problem (this has been for quite a while now). Any recent shorewall version, which produces this output is suitable for reproducing this bug.

How reproducible:
Always.

Steps to Reproduce:
1. From the console "service shorewall status" (regardless of whether shorewall is currently running or not)
2. There is no output at all
3.
  
Actual results:
Nothing is displayed and no avc are given in the audit file.

Expected results:
The same as when "shorewall status" is executed from the console.

Additional info:
"service shorewall status" runs as expected when I disable SELinux with "echo 0 > /selinux/enforce", so I presume something in shorewall.te is preventing this - can't tell what as there are no avcs shown.
Comment 1 Miroslav Grepl 2011-05-16 06:26:10 UTC 
Could you execute following commands

# rpm -q selinux-policy

# semodule -DB
# semanage permissive -a shorewall_t
# service shorewall status
# ausearch -m avc -ts recent |grep shorewall
Comment 2 Mr-4 2011-05-16 21:31:29 UTC 
selinux-policy-3.7.19-101.fc13.noarch

The execution of "ausearch -m avc -ts recent |grep shorewall" returns this:

type=SYSCALL msg=audit(1305581125.893:32190): arch=c000003e syscall=59 success=yes exit=0 a0=911270 a1=9110a0 a2=91d340 a3=18 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1305581126.024:32191): avc:  denied  { read } for  pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1305581126.024:32191): avc:  denied  { open } for  pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1305581126.024:32191): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe7244bc0 a1=0 a2=7fffe7244bcc a3=fffffff8 items=0 ppid=1223 pid=1227 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1305581126.063:32192): avc:  denied  { getattr } for  pid=1223 comm="shorewall" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1305581126.063:32192): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff7181dba0 a2=7fff7181dba0 a3=ffffffb4 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1305581126.064:32193): avc:  denied  { rlimitinh } for  pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1305581126.064:32193): avc:  denied  { siginh } for  pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1305581126.064:32193): avc:  denied  { noatsecure } for  pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process
type=SYSCALL msg=audit(1305581126.064:32193): arch=c000003e syscall=59 success=yes exit=0 a0=a1afa0 a1=92f590 a2=a1f620 a3=28 items=0 ppid=1223 pid=1236 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables" exe="/sbin/iptables-multi" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
[root@xp1 ~]# ausearch -m avc -ts recent | grep shorewall
type=SYSCALL msg=audit(1305581126.024:32191): arch=c000003e syscall=2 success=yes exit=3 a0=7fffe7244bc0 a1=0 a2=7fffe7244bcc a3=fffffff8 items=0 ppid=1223 pid=1227 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="id" exe="/usr/bin/id" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1305581126.024:32191): avc:  denied  { open } for  pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1305581126.024:32191): avc:  denied  { read } for  pid=1227 comm="id" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1305581125.893:32190): arch=c000003e syscall=59 success=yes exit=0 a0=911270 a1=9110a0 a2=91d340 a3=18 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1305581125.893:32190): avc:  denied  { read write } for  pid=1223 comm="shorewall" name="0" dev=devpts ino=3 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1305581126.063:32192): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff7181dba0 a2=7fff7181dba0 a3=ffffffb4 items=0 ppid=1220 pid=1223 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1305581126.063:32192): avc:  denied  { getattr } for  pid=1223 comm="shorewall" path="/dev/pts/0" dev=devpts ino=3 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1305581126.064:32193): avc:  denied  { noatsecure } for  pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1305581126.064:32193): avc:  denied  { siginh } for  pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process
type=AVC msg=audit(1305581126.064:32193): avc:  denied  { rlimitinh } for  pid=1236 comm="iptables" scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=unconfined_u:system_r:iptables_t:s0 tclass=process


Also, I would appreciate it if, in the future, when you send instructions which alter my current selinux policy (semodule -DB in this instance) to also send similar instructions on how to revert to the state of the policy I've had prior to following these!
Comment 3 Miroslav Grepl 2011-05-17 06:49:41 UTC 
Thank you, I apologize.

# setsebool allow_daemons_use_tty on

Will allow it for now.

# semodule -B
# semanage permissive -d shorewall_t

Probably you have already done these steps.
Comment 4 Daniel Walsh 2011-05-17 08:11:31 UTC 
In F16 we can add

userdom_use_inherited_user_ttys(shorewall_t)
userdom_use_inherited_user_ptys(shorewall_t)

We probably need to add this to all releases.
Comment 5 Miroslav Grepl 2011-05-17 13:51:21 UTC 
Fixed in selinux-policy-3.7.19-108.fc13
Comment 6 Bug Zapper 2011-05-30 10:33:50 UTC 
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bug Zapper 2011-06-27 11:44:51 UTC 
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.