| Summary: | SELinux is preventing /bin/hostname from read access on the chr_file /dev/null | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Anthony Messina <amessina> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dwalsh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.9.16-38.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-09-07 00:19:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
what does `# rpm -q mock`

mock-1.1.11-1.fc15.noarch

It is a leaked file descriptor. Or hostname is being passed the descriptor as stdout. But why is mock_t transitioning to hostname_t?

If processes within the mock environment are transitioning that could cause this problem. But I don't believe they should do that.

(In reply to comment #3)
> It is a leaked file descriptor. Or hostname is being passed the descriptor as
> stdout. But why is mock_t transitioning to hostname_t?
>
> If processes within the mock environment are transitioning that could cause
> this problem.

```
sesearch -A -s mock_t -c process -p transition
Found 4 semantic av rules:
   allow mock_t ldconfig_t : process transition ;
   allow domain abrt_helper_t : process transition ;
   allow mock_t mount_t : process transition ;
   allow mock_t mock_t : process { fork transition sigchld sigkill signull getsched setsched setpgid noatsecure siginh rlimitinh execmem execstack }
```

Fixed in selinux-policy-3.9.7-44.fc14

selinux-policy-3.9.16-37.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15

Package selinux-policy-3.9.16-37.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-37.fc15'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-37.fc15 then log in and leave karma (feedback).

Package selinux-policy-3.9.16-38.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-38.fc15'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-38.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-38.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

I also found that this one has come back, now with either hostname or domainname binaries. This occurs during builds on my private Koji instance.
### hostname:
```
type=AVC msg=audit(1315518946.77:299): avc: denied { write } for pid=25429 comm="hostname" path="/dev/null" dev=dm-2 ino=9961505 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315518946.77:299): arch=i386 syscall=munmap per=8 success=yes exit=0 a0=9bd1680 a1=9bd0420 a2=9bd2bc8 a3=9bd0420 items=0 ppid=25428 pid=25429 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
```
### domainname:
SELinux is preventing /bin/hostname from write access on the chr_file /dev/null.
```
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315519135.943:370): avc: denied { write } for pid=3375 comm="domainname" path="/dev/null" dev=dm-2 ino=7733282 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315519135.943:370): arch=x86_64 syscall=execve success=yes exit=0 a0=1592e10 a1=1592230 a2=1591e70 a3=7fffb28ecfe0 items=0 ppid=3353 pid=3375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=domainname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
```
Miroslav, I think we need to replace mount_domtrans with mount_exec and libs_domtrans_ldconfig with libs_exec_ldconfig. This will make it more secure and reduce transitions from mock. Of course it could cause other problems.

Anthony, could you test it with the latest policy available from koji http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Unfortunately, it did not work. Now it seems to have reverted from the "domainname" to "hostname" as it was in the initial report. I received over 60 SELinux AVCs like the following during a build in my Koji instance.
```
type=AVC msg=audit(1315846430.71:177): avc: denied { write } for pid=23879 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315846430.71:177): arch=x86_64 syscall=execve success=yes exit=0 a0=1fb4ca0 a1=1fb4b00 a2=1fb58e0 a3=7fff268a68d0 items=0 ppid=23878 pid=23879 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,write
```

```
type=AVC msg=audit(1315846436.121:178): avc: denied { read } for pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1315846436.121:178): avc: denied { write } for pid=25941 comm="hostname" path="/dev/null" dev=dm-2 ino=4593231 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1315846436.121:178): arch=x86_64 syscall=execve success=yes exit=0 a0=24f9b60 a1=24f9d10 a2=24f5af0 a3=7fff44485d90 items=0 ppid=25937 pid=25941 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,read
```
Best to just dontaudit this.

Are any of Fedora's Koji builders running into this issue? Or perhaps they (you) are not running F15 on Koji builders yet.

I believe the koji builders are running as RHEL6 for Fedora.

This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
### Original bug description

On my Koji builders, during the build of an RPM in Koji/Mock, I receive the following error about 40 times. It does not appear to affect the build process even in enforcing mode.

```
Source Context        system_u:system_r:hostname_t:s0
Target Context        system_u:object_r:mock_var_lib_t:s0
Target Objects        /dev/null [ chr_file ]
Source                hostname
Source Path           /bin/hostname
Port                  <Unknown>
Host                  linux-ws1.messinet.com
Source RPM Packages   hostname-3.05-2.fc15
Target RPM Packages
Policy RPM            selinux-policy-3.9.16-34.fc15
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             linux-ws1.messinet.com
Platform              Linux linux-ws1.messinet.com 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count           5
First Seen            Fri Jul 22 17:46:33 2011
Last Seen             Fri Jul 22 17:46:35 2011
Local ID              f0f2257b-fc69-401a-8999-f4ad87377699
```

Raw Audit Messages:

```
type=AVC msg=audit(1311374795.784:219): avc: denied { read } for pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1311374795.784:219): avc: denied { write } for pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1311374795.784:219): arch=x86_64 syscall=execve success=yes exit=0 a0=9bee80 a1=9c3aa0 a2=9c7030 a3=7fff101b0840 items=0 ppid=2360 pid=2364 auid=4294967295 uid=512 gid=511 euid=512 suid=512 fsuid=512 egid=511 sgid=511 fsgid=511 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)

Hash: hostname,hostname_t,mock_var_lib_t,chr_file,read
```

audit2allow:

```
#============= hostname_t ==============
allow hostname_t mock_var_lib_t:chr_file { read write };
```

audit2allow -R:

```
#============= hostname_t ==============
allow hostname_t mock_var_lib_t:chr_file { read write };
```
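The records above carry the evidence for the "leaked file descriptor" reading of this bug: every AVC is tied to a `syscall=execve` record, so `hostname` never opened `/dev/null` itself; it inherited a descriptor from its `mock_t` parent, pointing at the chroot's `/dev/null`, which is labelled `mock_var_lib_t` rather than as a device node. The following script is an added example written for this page, not part of the bug report, of `setroubleshoot`, or of `audit2allow`: it parses audit lines in the interpreted form shown here (`syscall=execve`, not the raw number), merges permissions per source type, target type and class into the `te` rule form that `audit2allow` prints (with a `dontaudit` variant, which is the resolution chosen in the thread), builds de-duplication keys in the shape of the `Hash:` lines, and flags denials that occurred at `execve` time as inherited-descriptor cases. The sample records are constructed from the ones in this report plus one invented non-`execve` denial (serial `:220`) to show that the filter separates the two cases.

```python
"""Group SELinux AVC denials and flag the ones raised at execve time.

Added example for this bug page; not Fedora's setroubleshoot/audit2allow code.
Assumes audit records in the interpreted form shown in the report
(e.g. syscall=execve rather than a syscall number).
"""
import re
from collections import defaultdict

# Constructed sample: the two AVCs from the report's execve event (serial :219)
# plus one invented denial raised from an ordinary write() call (serial :220).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1311374795.784:219): avc:  denied  { read } for  pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=AVC msg=audit(1311374795.784:219): avc:  denied  { write } for  pid=2364 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1311374795.784:219): arch=x86_64 syscall=execve success=yes exit=0 a0=9bee80 a1=9c3aa0 a2=9c7030 a3=7fff101b0840 items=0 ppid=2360 pid=2364 auid=4294967295 uid=512 gid=511 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
type=AVC msg=audit(1311374800.000:220): avc:  denied  { write } for  pid=2400 comm="hostname" path="/dev/null" dev=dm-2 ino=12325849 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:mock_var_lib_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1311374800.000:220): arch=x86_64 syscall=write success=no exit=-13 items=0 ppid=2360 pid=2400 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r"audit\((?P<serial>[\d.]+:\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def context_type(ctx):
    """user:role:type:level (optionally with an MLS range) -> the type field."""
    return ctx.split(":")[2]


def parse_records(text):
    """Return one dict per AVC record, each tagged with the syscall name of the
    SYSCALL record that shares its audit serial number (or None if absent)."""
    avcs, syscall_by_serial = [], {}
    for line in text.splitlines():
        line = line.strip()
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        serial = serial.group("serial")
        if line.startswith("type=SYSCALL"):
            syscall_by_serial[serial] = dict(KV_RE.findall(line)).get("syscall")
        elif line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            if not m:
                continue
            kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
            avcs.append({
                "serial": serial,
                "perms": set(m.group("perms").split()),
                "comm": kv.get("comm", "?"),
                "path": kv.get("path", "?"),
                "stype": context_type(kv["scontext"]),
                "ttype": context_type(kv["tcontext"]),
                "tclass": kv["tclass"],
            })
    for avc in avcs:
        avc["syscall"] = syscall_by_serial.get(avc["serial"])
    return avcs


def policy_rules(avcs, kind="allow"):
    """Union permissions per (source type, target type, class) and render them in
    the te-file form audit2allow prints; kind='dontaudit' silences instead."""
    merged = defaultdict(set)
    for a in avcs:
        merged[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return [f"{kind} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def dedup_keys(avcs):
    """comm,source type,target type,class,permission keys, one per denied permission."""
    return sorted({f"{a['comm']},{a['stype']},{a['ttype']},{a['tclass']},{p}"
                   for a in avcs for p in a["perms"]})


def inherited_fd_denials(avcs):
    """Denials recorded against an execve syscall: the new program image has not
    opened anything yet, so the object is a descriptor inherited from the parent."""
    return [a for a in avcs if a["syscall"] == "execve"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT)
    for r in inherited_fd_denials(recs):
        print(f"serial {r['serial']}: {r['comm']} denied {sorted(r['perms'])} "
              f"on {r['path']} at execve -> descriptor inherited from parent")
    print("\n".join(policy_rules(recs, "dontaudit")))
```

Run against a real `ausearch -i` dump, the `inherited_fd_denials` list is the quick check for whether a denial like this one should be fixed in the parent (close or relabel the descriptor before exec) rather than by granting the child domain access to the target type; the `dontaudit` rendering is what the thread settled on for this case.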