Bug 725117
| Summary: | SELinux is preventing /bin/hostname from read access on the chr_file /dev/null | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dwalsh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.9.16-38.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-09-07 00:19:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Anthony Messina
2011-07-22 22:51:47 UTC
what does

```
# rpm -q mock
```

mock-1.1.11-1.fc15.noarch

It is a leaked file descriptor. Or hostname is being passed the descriptor as stdout. But why is mock_t transitioning to hostname_t?

If processes within the mock environment are transitioning that could cause this problem. But I don't believe they should do that.

(In reply to comment #3)
> It is a leaked file descriptor. Or hostname is being passed the descriptor as
> stdout. But why is mock_t transitioning to hostname_t?
>
> If processes within the mock environment are transitioning that could cause
> this problem.

```
sesearch -A -s mock_t -c process -p transition
Found 4 semantic av rules:
   allow mock_t ldconfig_t : process transition ;
   allow domain abrt_helper_t : process transition ;
   allow mock_t mount_t : process transition ;
   allow mock_t mock_t : process { fork transition sigchld sigkill signull getsched setsched setpgid noatsecure siginh rlimitinh execmem execstack }
```

Fixed in selinux-policy-3.9.7-44.fc14

selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15
then log in and leave karma (feedback).

Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

I also found that this one has come back, now with either hostname or domainname binaries. This occurs during builds on my private Koji instance.

### hostname:

```
type=AVC msg=audit(1315518946.77:299): avc: denied { write } for pid=25429 comm="hostname" path="/dev/null" dev=dm-2 ino=9961505 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315518946.77:299): arch=i386 syscall=munmap per=8 success=yes exit=0 a0=9bd1680 a1=9bd0420 a2=9bd2bc8 a3=9bd0420 items=0 ppid=25428 pid=25429 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
```

### domainname:

SELinux is preventing /bin/hostname from write access on the chr_file /dev/null.

```
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315519135.943:370): arch=x86_64 syscall=execve success=yes exit=0 a0=1592e10 a1=1592230 a2=1591e70 a3=7fffb28ecfe0 items=0 ppid=3353 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=domainname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
```

Miroslav, I think we need to replace mount_domtrans with mount_exec, and libs_domtrans_ldconfig with libs_exec_ldconfig. This will make it more secure and reduce transitions from mock. Of course it could cause other problems.

Anthony, could you test it with the latest policy available from koji
http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Unfortunately, it did not work. Now it seems to have reverted from the "domainname" to "hostname" as it was in the initial report. I received over 60 SELinux AVCs like the following during a build in my Koji instance.

```
type=AVC msg=audit(1315846430.71:177): avc: denied { write } for pid=23879 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315846430.71:177): arch=x86_64 syscall=execve success=yes exit=0 a0=1fb4ca0 a1=1fb4b00 a2=1fb58e0 a3=7fff268a68d0 items=0 ppid=23878 pid=23879 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,write

type=AVC msg=audit(1315846436.121:178): avc: denied { read } for pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315846436.121:178): avc: denied { write } for pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315846436.121:178): arch=x86_64 syscall=execve success=yes exit=0 a0=24f9b60 a1=24f9d10 a2=24f5af0 a3=7fff44485d90 items=0 ppid=25937 pid=25941 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,read
```

Best to just dontaudit this.

Are any of Fedora's Koji builders running into this issue? Or perhaps they (you) are not running F15 on Koji builders yet.

I believe the koji builders are running as RHEL6 for Fedora.

This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
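The denials quoted in this bug are easier to reason about once the raw audit records are grouped per event: every AVC record carries the serial of the SYSCALL record it belongs to, and here that syscall is execve, which is where a transition from mock_t into hostname_t checks the file descriptors the new domain inherits. The following triage script is an added example; it is not part of this bug report or of the selinux-policy project. It parses audit lines into fields, collapses the records of one event into a single finding, and flags a chr_file called /dev/null whose type is not null_device_t (assumed here as the reference-policy label of the real device node; the one in the chroot carries the mock_var_lib_t label of the directory tree it was created in, as the tcontext fields show). The sample records are copied from the comments above and embedded inline; function and constant names are my own.

```python
"""Group raw SELinux audit records by event and flag a mislabelled /dev/null (added example)."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Type the real /dev/null carries under the reference policy (assumption, see lead-in).
EXPECTED_NULL_TYPE = "null_device_t"


def parse_record(line):
    """Turn one audit line into a dict of its fields; non-audit lines give None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    body = m.group(4)
    if rec["type"] == "AVC":
        a = AVC_RE.search(body)
        if not a:
            return None
        rec["result"] = a.group(1)
        rec["perms"] = set(a.group(2).split())   # permissions inside { ... }
        body = a.group(3)                        # key=value pairs after "for"
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def triage(audit_text):
    """One finding per audit event that contains at least one denied AVC."""
    events = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(events.items()):
        avcs = [r for r in recs if r["type"] == "AVC" and r["result"] == "denied"]
        if not avcs:
            continue
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        first = avcs[0]
        ttype = context_type(first["tcontext"])
        findings.append({
            "serial": serial,
            "comm": first.get("comm"),
            "syscall": sysc["syscall"] if sysc else None,
            "stype": context_type(first["scontext"]),
            "ttype": ttype,
            "tclass": first["tclass"],
            "path": first.get("path"),
            "perms": set().union(*(r["perms"] for r in avcs)),
            "denials": len(avcs),
            # A chr_file named /dev/null that is not null_device_t is a device node
            # living inside some directory tree (here a mock chroot) and labelled by
            # that tree's file context rather than as the real null device.
            "suspect_mislabel": first.get("path") == "/dev/null"
            and first["tclass"] == "chr_file"
            and ttype != EXPECTED_NULL_TYPE,
        })
    return findings


def dontaudit_rules(findings):
    """Policy rules that would silence the findings, merged per (source, target, class)."""
    merged = defaultdict(set)
    for f in findings:
        merged[(f["stype"], f["ttype"], f["tclass"])] |= f["perms"]
    return [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


# Constructed sample: records copied from the comments in this bug (two hostname
# events and two of the repeated domainname denials with their execve record).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1315846430.71:177): avc: denied { write } for pid=23879 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315846430.71:177): arch=x86_64 syscall=execve success=yes exit=0 a0=1fb4ca0 a1=1fb4b00 a2=1fb58e0 a3=7fff268a68d0 items=0 ppid=23878 pid=23879 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
Hash: hostname,hostname_t,mock_var_lib_t,chr_file,write
type=AVC msg=audit(1315846436.121:178): avc: denied { read } for pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315846436.121:178): avc: denied { write } for pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315846436.121:178): arch=x86_64 syscall=execve success=yes exit=0 a0=24f9b60 a1=24f9d10 a2=24f5af0 a3=7fff44485d90 items=0 ppid=25937 pid=25941 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315519135.943:370): arch=x86_64 syscall=execve success=yes exit=0 a0=1592e10 a1=1592230 a2=1591e70 a3=7fffb28ecfe0 items=0 ppid=3353 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=domainname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_AUDIT)
    for f in found:
        print(f"event {f['serial']}: {f['comm']} in {f['stype']} during {f['syscall']}, "
              f"{f['denials']} denial(s) of {sorted(f['perms'])} on {f['path']} "
              f"({f['ttype']}:{f['tclass']}), mislabel suspected: {f['suspect_mislabel']}")
    print("\n".join(dontaudit_rules(found)))
```

Run against a real log, the script reads `ausearch -m avc --raw` output the same way, since the field syntax is identical. Two things it makes visible that the flat record dump does not: the many identical domainname records share one serial, so they are one execve event with one inherited descriptor per denial rather than sixty separate problems, and every finding has the same (source type, target type, class) triple, which is why the thread ends with a single `dontaudit` rather than a policy change per binary. The rendered rule is exactly that shape; whether to silence the denial or relabel the chroot's device node is the policy decision the thread is debating.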