| Field | Value |
|---|---|
| Summary | Enable third-party ABRT event scripts in SELinux policy |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 705768 (view as bug list) |
| Environment | |
| Last Closed | 2011-11-21 18:02:26 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Bug Depends On | |
| Bug Blocks | 705768 |
| Reporter | Michal Nowak <mnowak> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | dvlasenk, dwalsh, jmoskovc, kklic, mgrepl, npajkovs, ohudlick |
Comment #1:
This is relevant for Rawhide & F15 since they contain abrt v2.

Comment #2:
Miroslav, we need a mechanism where these are running unconfined domain abrt_unconfined_t, but also allow admins to write policy for confined abrt scripts. If abrt ships any scripts within its packages, we should have policy to confine these.

Comment #3:
Well this is more complicated than I thought. Nikola, Karel? Adding also Jiri and Denys.

Comment #4:
(In reply to comment #2)
> If abrt ships any scripts within its packages, we should have policy to confine
> these.

Correct. ABRT places several scripts to events.d/ and the idea is other packages will do the same in the future, though not sure this is relevant for you guys.

Comment #5:
If I understand correctly, ABRT places *.conf files there which are read by ABRT (not executed). And after that these commands are executed.

Comment #6:
(In reply to comment #0)
> Description of problem:
>
> Script `/etc/abrt/events.d/wall' containing
>
> echo abrt: Crash in $(cat package) detected: $(cat reason) | wall
>

Wrongly written script. Must be:

    EVENT=post-create echo abrt: Crash in $(cat package) detected: $(cat reason) | wall

@Miroslav: yes, don't execute them directly, we include them into abrt_event.conf, parse them and after that abrt executes appropriate command

Comment #7:
> @Miroslav: yes, don't execute them directly, we include them into
> abrt_event.conf, parse them and after that abrt executes appropriate command
Which makes me unhappy.
Comment #8:
(In reply to comment #7)
> > @Miroslav: yes, don't execute them directly, we include them into
> > abrt_event.conf, parse them and after that abrt executes appropriate command
>
> Which makes me unhappy.

I think we've discussed this some time ago and the solution was to turn those inline scripts into separate files and that's still up to us. Can you please create a ticket (bz or trac) against ABRT and explain a bit why that is selinux friendly... (I remember just the part, that a separate file can have its own selinux policy..)

Comment #9:
(In reply to comment #6)
> (In reply to comment #0)
> > Description of problem:
> >
> > Script `/etc/abrt/events.d/wall' containing
> >
> > echo abrt: Crash in $(cat package) detected: $(cat reason) | wall
> >
>
> Wrongly written script.
>
> Must be:
> EVENT=post-create echo abrt: Crash in $(cat package) detected: $(cat reason) |
> wall

$(cmd) should be quoted, or else it's open to a number of very nasty attacks. Probably best is to quote entire message:

    EVENT=post-create echo "abrt: Crash in $(cat package) detected: $(cat reason)" | wall

Comment #10:
(In reply to comment #8)
> (In reply to comment #7)
> > > @Miroslav: yes, don't execute them directly, we include them into
> > > abrt_event.conf, parse them and after that abrt executes appropriate command
> >
> > Which makes me unhappy.
>
> I think we've discussed this some time ago and the solution was to turn those
> inline scripts into separate files and that's still up to us. Can you please
> create a ticket (bz or trac) against ABRT and explain a bit why that is selinux
> friendly... (I remember just the part, that a separate file can have its own
> selinux policy..)

The ideal situation is the following:

ABRT executes event script which executes all commands

    abrt_t @abrt_event_unconfined_script_exec_t -> abrt_unconfined_script_t
    @ whatever -> abrt_unconfined_script_t

But we have:

ABRT reads event conf files and then executes all commands

    abrt_t (read) abrt_conf_t -> abrt_t
    @whatever -> abrt_t

Comment #11:
Miroslav what is the latest on this bug?

Comment #12:
Definitely fixed using the "abrt_handle_event" boolean.
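The quoting fix Denys gives in comment #9, demonstrated as an added example that is not part of the bug report or of ABRT's own code. The dump directory and the contents of its package and reason files are constructed here (a real ABRT dump directory holds files of the same names, but these values are chosen to make the shell expansion visible): the unquoted form lets word splitting collapse the whitespace and lets pathname expansion replace the `*` in the crash reason with the names of the files in the dump directory, while the quoted form broadcasts the reason verbatim.

```shell
#!/bin/sh
# Added example (not ABRT code): why the $(cat ...) substitutions in the
# "wall" event need quoting. The dump directory, the package name and the
# reason text are constructed here for illustration.

# Build a throw-away "dump directory" holding the two files the event reads.
# The reason is attacker-influenced data (it comes from the crashing
# program), so it is given a glob character and irregular spacing.
make_dump_dir() {
    dir=$(mktemp -d)
    printf 'foo-1.0-1.fc15\n' > "$dir/package"
    printf 'SIGSEGV   in *\n' > "$dir/reason"
    printf '%s\n' "$dir"
}

# The unquoted form from the original event line. Each $(cat ...) result is
# word-split and glob-expanded before echo sees it, so '*' becomes the names
# of the files in the dump directory and the triple space collapses.
unquoted_message() {
    ( cd "$1" && echo abrt: Crash in $(cat package) detected: $(cat reason) )
}

# The quoted form from comment #9: the whole message is one argument to echo,
# so the reason text reaches the broadcast unchanged.
quoted_message() {
    ( cd "$1" && echo "abrt: Crash in $(cat package) detected: $(cat reason)" )
}

# Run both forms against the same dump directory and show the difference.
demo() {
    d=$(make_dump_dir)
    echo "unquoted: $(unquoted_message "$d")"
    echo "quoted:   $(quoted_message "$d")"
    rm -rf "$d"
}

demo
```

Only the second line reproduces the reason as written. Because the EVENT line in an events.d conf file uses command substitution and a pipe, it is shell syntax and is subject to exactly this expansion, which is why quoting the whole message (rather than each substitution separately) is the simplest safe form.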
Description of problem (comment #0):
Script `/etc/abrt/events.d/wall' containing

    echo abrt: Crash in $(cat package) detected: $(cat reason) | wall

is blocked with:

    May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126289.903:39678): avc: denied { read } for pid=19850 comm="wall" name="utmp" dev=sdb1 ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
    May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126290.026:39679): avc: denied { read } for pid=19850 comm="wall" name="utmp" dev=sdb1 ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Please, enable such third-party scripts.
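Reading the two AVC denials from the description, as an added example that is not part of the bug report. The log lines are the ones quoted above; the field-extraction helpers and the one-line summary format are constructed here. The point the summary makes visible is the one the thread turns on: `comm="wall"` is running with `scontext` type `abrt_t`, the ABRT daemon's own domain, so there is no separate script domain in which the read on `utmp` (type `initrc_var_run_t`) could be granted without widening abrt_t itself.

```shell
#!/bin/sh
# Added example (not part of the bug report): pull the fields that matter out
# of the AVC denials quoted in the description. The two log lines are copied
# from the report; the helpers and summary format are constructed here.

AVC_LOG='May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126289.903:39678): avc: denied { read } for pid=19850 comm="wall" name="utmp" dev=sdb1 ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126290.026:39679): avc: denied { read } for pid=19850 comm="wall" name="utmp" dev=sdb1 ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file'

# Extract one key=value field (comm, name, scontext, tcontext, tclass, ...)
# from an AVC line. Values may be quoted ("wall") or bare (file); quotes are
# stripped. The leading whitespace anchor keeps scontext= from matching
# inside tcontext=.
avc_field() {
    # $1 = log line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission listed inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# The SELinux type is the third colon-separated component of a context
# (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line summary: which domain was refused which permission on which
# object type. For the report's lines this yields
#   wall: abrt_t denied read on initrc_var_run_t (file utmp)
# i.e. wall never left the daemon's domain; no domain transition happened.
summarize_avc() {
    comm=$(avc_field "$1" comm)
    perm=$(avc_perm "$1")
    sdom=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    name=$(avc_field "$1" name)
    printf '%s: %s denied %s on %s (%s %s)\n' "$comm" "$sdom" "$perm" "$ttype" "$tclass" "$name"
}

# The two lines differ only in the audit serial, so report each distinct
# (comm, domain, permission, target) combination once.
summarize_log() {
    printf '%s\n' "$AVC_LOG" | while IFS= read -r line; do
        summarize_avc "$line"
    done | sort -u
}

summarize_log
```

On a live system the same records come from the audit log rather than a string; the summary is the same. The thread's eventual resolution was a policy boolean rather than a local module, and a boolean of the name given in the last comment is switched on persistently with `setsebool -P abrt_handle_event on`.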