| Summary: | SELinux is preventing /bin/bash from 'open' accesses on the fifo_file Unknown. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Suren Karapetyan <suren> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 15 | CC: | 04mvs89, dominick.grift, dwalsh, lilley.rpm, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:b7bff96b98043c27d24867bab0ea3dbf23106ef18be956098e10addc14b824a1 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-07 20:09:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Are you still seeing this? It got lost in the flood of bugs.

Haven't seen it for a while. In fact I'm not even sure I was able to reproduce it.

I see this periodically. I'm wondering if it's coincidental that I get an error message:

-------------------------------------------
/etc/cron.daily/logrotate:

/etc/init.d/functions: line 58: /dev/stderr: Permission denied
Restarting murmur (via systemctl): [ OK ]
-------------------------------------------

emailed to me at the same time the alert is generated.

I have a mumble server running on this machine. If it helps, rpm -qa | grep murmur returns:

murmur-1.2.3-3.fc15.x86_64

(In reply to comment #3)
> I see this periodically. I'm wondering if it's coincidental that I get an
> error message :
>
> -------------------------------------------
> /etc/cron.daily/logrotate:
>
> /etc/init.d/functions: line 58: /dev/stderr: Permission denied
> Restarting murmur (via systemctl): [ OK ]
> -------------------------------------------
>
> emailed to me at the same time the alert is generated.
>
> I have a mumble server running on this machine. If it helps, rpm -qa | grep
> murmur returns:
>
> murmur-1.2.3-3.fc15.x86_64

Can you reproduce this? If so, run sudo semodule -DB and then reproduce the issue. Enclose the avc denials that you are seeing (ausearch -m avc -ts today). Afterwards run sudo semodule -B to undo the -DB. I suspect this was silently denied. I will also write a SELinux policy for murmur. If you want to help me test the murmur policy let me know, thanks.

I'm unable to reproduce this by running logrotate as root from the command line. I've queued up an anacron execution with -f -d in hopes that will regenerate the error (which I normally only see once a week), and have changed the murmur file in /etc/logrotate.d to rotate daily. Hopefully I'll be able to capture the error quickly.
As for testing a policy file, I'd be happy to assist.
Actually, in looking at my audit logs for this week, I find the following, which might be helpful:
ausearch -m avc -ts this-week
----
time->Sun Mar 11 03:12:11 2012
type=SYSCALL msg=audit(1331457131.825:660): arch=c000003e syscall=2 success=no exit=-13 a0=20b5ba0 a1=0 a2=1b6 a3=0 items=0 ppid=22807 pid=22808 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=57 comm="service" exe="/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331457131.825:660): avc: denied { open } for pid=22808 comm="service" dev=pipefs ino=117150 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fifo_file
----
time->Sun Mar 11 03:12:11 2012
type=SYSCALL msg=audit(1331457131.828:661): arch=c000003e syscall=2 success=no exit=-13 a0=20b5ba0 a1=0 a2=1b6 a3=0 items=0 ppid=22807 pid=22808 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=57 comm="service" exe="/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1331457131.828:661): avc: denied { open } for pid=22808 comm="service" dev=pipefs ino=117150 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fifo_file
----
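As an added example (not from this bug or the selinux-policy project), a small Python script that parses AVC records like the two above and aggregates them into the allow rule audit2allow would print; the sample records are constructed from the denials quoted in this comment. It groups by source type, target type and object class and merges permissions, so a burst of identical denials collapses into a single rule.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the ausearch output above
# (SYSCALL records are not needed to derive the rule).
SAMPLE_AVCS = """\
type=AVC msg=audit(1331457131.825:660): avc: denied { open } for pid=22808 comm="service" dev=pipefs ino=117150 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1331457131.828:661): avc: denied { open } for pid=22808 comm="service" dev=pipefs ino=117150 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fifo_file
"""

# Matches the permission set inside "{ ... }" and the three context fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """user:role:type[:mls] -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC record."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        denials.append((selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                        m["tclass"], frozenset(m["perms"].split())))
    return denials


def summarise_rules(denials):
    """Merge denials into one allow rule per (source, target, class), like audit2allow."""
    perms = defaultdict(set)
    for src, tgt, cls, p in denials:
        perms[(src, tgt, cls)] |= p
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        body = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in summarise_rules(parse_avc_denials(SAMPLE_AVCS)):
        print(rule)
```

Treat the output as a proposal to review rather than a rule to install: here the denied object is the stderr pipe inherited from cron (dev=pipefs), which is why the maintainers' fix targets the shared cron entry interface instead of a logrotate-only local module.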
I guess we should allow it, it is just the service script opening /dev/stderr which is currently owned by the fifo_file from system_cronjob_t.

Miroslav, let's add

allow $1 crond_t:fifo_file rw_fifo_file_perms;
allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;

to cron_system_entry for RHEL6 and F15, F16.

Created attachment 569988 [details]
AVC list

Here's the burst of avc messages which occur at the same time I receive the email from anacron, run with semodule -DB set.

Please let me know if I need to do anything further, thanks!
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
SELinux is preventing /bin/bash from 'open' accesses on the fifo_file Unknown.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that bash should be allowed open access on the Unknown fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
Target Objects                Unknown [ fifo_file ]
Source                        service
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.10-4.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-34.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.8-35.fc15.x86_64 #1 SMP Wed Jul 6 13:58:54 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Tue 02 Aug 2011 10:39:03 AM AMST
Last Seen                     Tue 02 Aug 2011 10:39:03 AM AMST
Local ID                      303cdb0a-fe42-48ef-957f-212b9591e11e

Raw Audit Messages
type=AVC msg=audit(1312263543.372:80): avc: denied { open } for pid=5609 comm="service" dev=pipefs ino=60630 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=fifo_file

type=SYSCALL msg=audit(1312263543.372:80): arch=x86_64 syscall=open success=no exit=EACCES a0=fc1b80 a1=0 a2=1b6 a3=0 items=0 ppid=5608 pid=5609 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=service exe=/bin/bash subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: service,logrotate_t,system_cronjob_t,fifo_file,open

audit2allow

#============= logrotate_t ==============
allow logrotate_t system_cronjob_t:fifo_file open;

audit2allow -R

#============= logrotate_t ==============
allow logrotate_t system_cronjob_t:fifo_file open;