Bug 725117

Summary: SELinux is preventing /bin/hostname from read access on the chr_file /dev/null
Product: [Fedora] Fedora
Reporter: Anthony Messina <amessina>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dwalsh
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.16-38.fc15
Doc Type: Bug Fix
Last Closed: 2011-09-07 00:19:13 UTC

Description Anthony Messina 2011-07-22 22:51:47 UTC
On my Koji builders, during the build of an RPM in Koji/Mock, I receive the following error about 40 times.  It does not appear to affect the build process even in enforcing mode.


Source Context                system_u:system_r:hostname_t:s0
Target Context                system_u:object_r:mock_var_lib_t:s0
Target Objects                /dev/null [ chr_file ]
Source                        hostname
Source Path                   /bin/hostname
Port                          <Unknown>
Host                          linux-ws1.messinet.com
Source RPM Packages           hostname-3.05-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-34.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     linux-ws1.messinet.com
Platform                      Linux linux-ws1.messinet.com
                              2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54
                              UTC 2011 x86_64 x86_64
Alert Count                   5
First Seen                    Fri Jul 22 17:46:33 2011
Last Seen                     Fri Jul 22 17:46:35 2011
Local ID                      f0f2257b-fc69-401a-8999-f4ad87377699

Raw Audit Messages
type=AVC msg=audit(1311374795.784:219): avc:  denied  { read } for  pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1311374795.784:219): avc:  denied  { write } for  pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1311374795.784:219): arch=x86_64 syscall=execve success=yes exit=0 a0=9bee80 a1=9c3aa0 a2=9c7030 a3=7fff101b0840 items=0 ppid=2360 pid=2364 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,read

audit2allow

#============= hostname_t ==============
allow hostname_t mock_var_lib_t:chr_file { read write };

audit2allow -R

#============= hostname_t ==============
allow hostname_t mock_var_lib_t:chr_file { read write };

Comment 1 Miroslav Grepl 2011-07-25 13:42:43 UTC
what does

# rpm -q mock

Comment 2 Anthony Messina 2011-07-25 22:01:08 UTC
mock-1.1.11-1.fc15.noarch

Comment 3 Daniel Walsh 2011-07-26 13:51:35 UTC
It is a leaked file descriptor.  Or hostname is being passed the descriptor as stdout.  But why is mock_t transitioning to hostname_t?  

If processes within the mock environment are transitioning that could cause this problem.  But I don't believe they should do that.

Comment 4 Miroslav Grepl 2011-07-26 14:05:01 UTC
(In reply to comment #3)
> It is a leaked file descriptor.  Or hostname is being passed the descriptor as
> stdout.  But why is mock_t transitioning to hostname_t?  
> 
> If processes within the mock environment are transitioning that could cause
> this problem.  

sesearch -A -s mock_t -c process -p transition
Found 4 semantic av rules:
   allow mock_t ldconfig_t : process transition ; 
   allow domain abrt_helper_t : process transition ; 
   allow mock_t mount_t : process transition ; 
   allow mock_t mock_t : process { fork transition sigchld sigkill signull getsched setsched setpgid noatsecure siginh rlimitinh execmem execstack }

Comment 5 Miroslav Grepl 2011-08-04 09:34:37 UTC
Fixed in selinux-policy-3.9.7-44.fc14

Comment 6 Fedora Update System 2011-08-05 14:00:34 UTC
selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Comment 7 Fedora Update System 2011-08-05 23:56:36 UTC
Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2011-08-12 18:20:41 UTC
Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2011-09-07 00:17:54 UTC
selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Anthony Messina 2011-09-08 22:40:19 UTC
I also found that this one has come back, now with either hostname or domainname binaries.  This occurs during builds on my private Koji instance.

### hostname:
type=AVC msg=audit(1315518946.77:299): avc:  denied  { write } for  pid=25429 comm="hostname" path="/dev/null" dev=dm-2 ino=9961505 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1315518946.77:299): arch=i386 syscall=munmap per=8 success=yes exit=0 a0=9bd1680 a1=9bd0420 a2=9bd2bc8 a3=9bd0420 items=0 ppid=25428 pid=25429 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

### domainname:
SELinux is preventing /bin/hostname from write access on the chr_file /dev/null.


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315519135.943:370): avc:  denied  { write } for  pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1315519135.943:370): arch=x86_64 syscall=execve success=yes exit=0 a0=1592e10 a1=1592230 a2=1591e70 a3=7fffb28ecfe0 items=0 ppid=3353 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=domainname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Comment 11 Daniel Walsh 2011-09-09 15:34:41 UTC
Miroslav, I think we need to replace 

mount_domtrans 

with 

mount_exec

And libs_domtrans_ldconfig
with 
libs_exec_ldconfig

This will make it more secure and reduce transitions from mock.  Of course it could cause other problems.

Comment 12 Miroslav Grepl 2011-09-12 12:41:10 UTC
Anthony,
could you test it with the latest policy available from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Comment 13 Anthony Messina 2011-09-12 16:58:23 UTC
Unfortunately, it did not work.  Now it seems to have reverted from the "domainname" to "hostname" as it was in the initial report.  I received over 60 SELinux AVCs like the following during a build in my Koji instance.

type=AVC msg=audit(1315846430.71:177): avc:  denied  { write } for  pid=23879 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1315846430.71:177): arch=x86_64 syscall=execve success=yes exit=0 a0=1fb4ca0 a1=1fb4b00 a2=1fb58e0 a3=7fff268a68d0 items=0 ppid=23878 pid=23879 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,write

type=AVC msg=audit(1315846436.121:178): avc:  denied  { read } for  pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=AVC msg=audit(1315846436.121:178): avc:  denied  { write } for  pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1315846436.121:178): arch=x86_64 syscall=execve success=yes exit=0 a0=24f9b60 a1=24f9d10 a2=24f5af0 a3=7fff44485d90 items=0 ppid=25937 pid=25941 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,read

Comment 14 Daniel Walsh 2011-09-12 19:01:33 UTC
Best to just dontaudit this.
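
Comment 3 attributes the denial to a descriptor inherited across the transition into hostname_t, and comment 14 settles on a dontaudit instead of the allow rule that audit2allow prints. The script below is an added example, not part of this bug report or of the selinux-policy package. It parses AVC records in the format pasted throughout this report (the two AVC records from the initial report are embedded as sample input, with the SYSCALL record abbreviated), reproduces setroubleshoot's "Hash:" key and audit2allow's rule, renders the dontaudit alternative, and flags the tell-tale of this bug: a chr_file denial on a path named /dev/null whose label is not the device type. All function and variable names are the example's own; the assumption that a real /dev/null node is labelled null_device_t comes from the targeted policy, not from anything in this report.

```python
"""Triage SELinux AVC records: key, rule, and an 'inherited /dev/null' check.

Added example; not code from the bug report or the selinux-policy project.
"""
import re
from collections import OrderedDict

# Sample input: the two AVC records from the initial report, plus an
# abbreviated SYSCALL record (which the parser must skip).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1311374795.784:219): avc:  denied  { read } for  pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1311374795.784:219): avc:  denied  { write } for  pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1311374795.784:219): arch=x86_64 syscall=execve success=yes exit=0 pid=2364 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0
"""

# Shape of an AVC denial record: header, permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-blank characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (targeted policy, not stated in the report): a genuine /dev/null
# device node carries this type.
NULL_DEVICE_TYPE = "null_device_t"


def context_type(ctx):
    """Return the type component (user:role:TYPE[:range]) of a security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "path": fields.get("path"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit(text):
    """Return the AVC denials found in a block of audit log text, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def troubleshoot_keys(rec):
    """setroubleshoot's 'Hash:' line, comm,stype,ttype,tclass,perm, one per permission."""
    return [f"{rec['comm']},{rec['stype']},{rec['ttype']},{rec['tclass']},{p}"
            for p in rec["perms"]]


def group_denials(records):
    """Merge permissions per (source type, target type, class), as audit2allow does."""
    grouped = OrderedDict()
    for r in records:
        grouped.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    return grouped


def policy_rules(records, kind="allow"):
    """Render TE rules; kind='dontaudit' gives the alternative chosen in comment 14."""
    return [f"{kind} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in group_denials(records).items()]


def looks_like_inherited_devnull(rec):
    """True when a chr_file denial names /dev/null but the object is not the real
    device node: the path points at a copy (here the one inside the mock chroot,
    labelled mock_var_lib_t), reached through a descriptor the caller inherited."""
    return (rec["tclass"] == "chr_file" and rec["path"] == "/dev/null"
            and rec["ttype"] != NULL_DEVICE_TYPE)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for r in recs:
        print("Hash:", ", ".join(troubleshoot_keys(r)),
              "(inherited /dev/null)" if looks_like_inherited_devnull(r) else "")
    print("audit2allow would emit:", *policy_rules(recs), sep="\n  ")
    print("quieter alternative:", *policy_rules(recs, "dontaudit"), sep="\n  ")
```

The dontaudit output is only the right answer once the denial is known to be harmless, which is what comments 3 and 13 establish here: the build completes in enforcing mode, and the object is a chroot copy of /dev/null rather than anything hostname_t has a reason to touch. The `looks_like_inherited_devnull` check is the signal to look for leaked descriptors or unnecessary domain transitions (comment 11's domtrans-to-exec change) before reaching for an allow rule.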

Comment 15 Anthony Messina 2011-09-13 02:54:21 UTC
Are any of Fedora's Koji builders running into this issue?  Or perhaps they (you) are not running F15 on Koji builders yet.

Comment 16 Daniel Walsh 2011-09-13 15:07:47 UTC
I believe the koji builders are running as RHEL6 for Fedora.

Comment 17 Fedora End Of Life 2012-08-06 20:08:03 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 15. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 15 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
