| Summary: | SELinux is preventing /usr/lib/iscan/network from 'execute_no_trans' accesses on the file /usr/lib/iscan/network. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Slawomir Czarko <slawomir.czarko> |
| Component: | colord | Assignee: | Richard Hughes <hughsient> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 15 | CC: | dominick.grift, dwalsh, hughsient, mgrepl, mickey.mouse-1985 |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:d319aaf490f079140a0a0656dfe606ec76cdfeb30b70b5eb97345f543e2ba82f | | |
| Fixed In Version: | selinux-policy-3.9.16-50.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-07 19:51:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Fixed in selinux-policy-3.9.16-49.fc15

selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15

Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).

selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.

On my system this problem has respawned after the last update. In this update the modified packages are (this is a reduced version of the output of yum history info <id>):
updated curl-7.21.7-5.fc16.x86_64 @?fedora
7.21.7-6.fc16.x86_64 @updates
updated dhclient-12:4.2.3-5.P2.fc16.x86_64 ?
12:4.2.3-6.P2.fc16.x86_64 @updates
updated dhcp-common-12:4.2.3-5.P2.fc16.x86_64 ?
12:4.2.3-6.P2.fc16.x86_64 @updates
updated dhcp-libs-12:4.2.3-5.P2.fc16.x86_64 ?
12:4.2.3-6.P2.fc16.x86_64 @updates
removed kernel-3.1.8-2.fc16.x86_64 ?
installed kernel-3.2.2-1.fc16.x86_64 @updates
removed kernel-devel-3.1.8-2.fc16.x86_64 ?
installed kernel-devel-3.2.2-1.fc16.x86_64 @updates
updated kernel-headers-3.2.1-3.fc16.x86_64 ?
3.2.2-1.fc16.x86_64 @updates
updated kernel-tools-3.2.1-3.fc16.x86_64 ?
3.2.2-1.fc16.x86_64 @updates
updated libblkid-2.20.1-2.1.fc16.x86_64 ?
2.20.1-2.2.fc16.x86_64 @updates
updated libcurl-7.21.7-5.fc16.x86_64 @?fedora
7.21.7-6.fc16.x86_64 @updates
updated libcurl-devel-7.21.7-5.fc16.x86_64 @?fedora
7.21.7-6.fc16.x86_64 @updates
updated libmount-2.20.1-2.1.fc16.x86_64 ?
2.20.1-2.2.fc16.x86_64 @updates
updated libuuid-2.20.1-2.1.fc16.i686 ?
updated libuuid-2.20.1-2.1.fc16.x86_64 ?
2.20.1-2.2.fc16.i686 @updates
2.20.1-2.2.fc16.x86_64 @updates
updated mdadm-3.2.2-15.fc16.x86_64 ?
3.2.3-3.fc16.x86_64 @updates
updated python-kitchen-1.0.0-1.fc16.noarch @?fedora
1.1.0-1.fc16.noarch @updates
updated rsyslog-5.8.5-1.fc16.x86_64 @?fedora
5.8.7-1.fc16.x86_64 @updates
updated setroubleshoot-3.0.45-1.fc16.x86_64 ?
3.1.2-1.fc16.x86_64 @updates
updated setroubleshoot-server-3.0.45-1.fc16.x86_64 ?
3.1.2-1.fc16.x86_64 @updates
updated t1lib-5.1.2-7.fc15.x86_64 @?fedora
5.1.2-9.fc16.x86_64 @updates
updated util-linux-2.20.1-2.1.fc16.x86_64 ?
2.20.1-2.2.fc16.x86_64 @updates
My system is Fedora 16 x86_64. After the update I rebooted into runlevel 3 to install the nvidia proprietary driver for the new kernel, and after the next reboot the SELinux problem is back again.
Hope this can help.
Please show the AVCs and do not assume this is the same.

OK, here you are ;-)
Some parts of the message were translated in my home language, so I've re-translated them to English.
SELinux is preventing /usr/libexec/colord from execute_no_trans access on the None /usr/lib64/iscan/network.
***** Plugin catchall (100. confidence) suggests ****************************
If you believe that colord should be allowed execute_no_trans access on the network <Unknown> by default.
So you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional information:
Source context system_u:system_r:colord_t:s0-s0:c0.c1023
Target context system_u:object_r:lib_t:s0
Target object /usr/lib64/iscan/network [ None ]
Source colord
Source path /usr/libexec/colord
Port <Unknown>
Host fedora-16
Source RPM Package
Target RPM Package
Policy RPM Package <Unknown>
Selinux enabled True
Policy type targeted
Enforcing mode Enforcing
Host Name fedora-16
Platform Linux fedora-16 3.2.2-1.fc16.x86_64 #1 SMP Thu Jan
26 03:21:58 UTC 2012 x86_64 x86_64
Alert count 4
First seen Sat 28 Jan 2012 2:07:32 PM CET
Last seen Mon 30 Jan 2012 1:36:22 PM CET
local ID 815358c3-8bb0-4dfb-bdaf-c43ab55d41fa
Raw Audit messages
type=AVC msg=audit(1327926982.971:81): avc: denied { execute_no_trans } for pid=2205 comm="colord" path="/usr/lib64/iscan/network" dev=sda11 ino=1446877 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=fedora-16 type=SYSCALL msg=audit(1327926982.971:81): arch=c000003e syscall=59 success=no exit=-13 a0=cb2dd0 a1=7fff6d594450 a2=7fff6d596b48 a3=7fff6d596270 items=0 ppid=2175 pid=2205 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
Hash: colord,colord_t,lib_t,None,execute_no_trans
audit2allow
audit2allow -R
I don't know why SELinux can't see the RPM packages, but on my system they are the following:
# yum provides /usr/bin/iscan
[...]
iscan-2.28.0-2.ltdl7.x86_64 : simple, easy to use scanner utility for EPSON scanners
Repo : @/iscan-2.28.0-2.ltdl7.x86_64
Matched from:
Filename : /usr/bin/iscan
# yum provides /usr/lib64/iscan/network
[...]
iscan-network-nt-1.1.0-2.x86_64 : Image Scan! Network Plugin
Repo : @/iscan-network-nt-1.1.0-2.x86_64
Matched from:
Filename : /usr/lib64/iscan/network
# yum info selinux-policy
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name : selinux-policy
Arch : noarch
Version : 3.10.0
Release : 72.fc16
Size : 8.8 M
Repo : installed
From repo : updates
Summary : SELinux policy configuration
URL : http://oss.tresys.com/repos/refpolicy/
License : GPLv2+
Description : SELinux Reference Policy - modular.
: Based off of reference policy: Checked out revision 2.20091117
There is a bug in the policy. If you execute
# chcon -t bin_t /usr/lib64/iscan/network
are you getting more AVC msgs?

This has changed things.
After having applied that context to /usr/lib64/iscan/network I tried a reboot and that AVC was not shown. But now I see another kind of AVC:
SELinux is preventing /usr/libexec/colord from name_connect access on the None .
***** Plugin catchall (100. confidence) suggests ****************************
If you believe that colord should be allowed name_connect access on the <Unknown> by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional information:
Source context system_u:system_r:colord_t:s0-s0:c0.c1023
Target context system_u:object_r:port_t:s0
Target objects [ None ]
Source colord
Source path /usr/libexec/colord
Port <Unknown>
Host fedora-16
Source RPM Packages
Target RPM Packages
Policy RPM <Unknown>
Selinux enabled True
Policy type targeted
Enforcing mode Enforcing
Host Name fedora-16
Platform Linux fedora-16 3.2.2-1.fc16.x86_64 #1 SMP Thu Jan
26 03:21:58 UTC 2012 x86_64 x86_64
Alert count 1
First seen Mon 30 Jan 2012 19:33:08 CET
Last seen Mon 30 Jan 2012 19:33:08 CET
Local ID 66d87bde-d68f-42ce-aa69-b9dde16c3797
Raw Audit messages
type=AVC msg=audit(1327948388.548:101): avc: denied { name_connect } for pid=2231 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=fedora-16 type=SYSCALL msg=audit(1327948388.548:101): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=7fffdfd591e0 a2=10 a3=7fffdfd58f40 items=0 ppid=1 pid=2231 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="colord" exe="/usr/libexec/colord" subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
Hash: colord,colord_t,port_t,None,name_connect
audit2allow
audit2allow -R
Do you think that a complete iscan reinstall would resolve these problems?
OK, colord shouldn't need this access. You can either allow it or dontaudit using local policy:
# grep colord_t /var/log/audit/audit.log | audit2allow -D -M mycolord
# semodule -i mycolord.pp

This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
SELinux is preventing /usr/lib/iscan/network from 'execute_no_trans' accesses on the file /usr/lib/iscan/network.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that network should be allowed execute_no_trans access on the network file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep network /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context system_u:object_r:lib_t:s0
Target Objects /usr/lib/iscan/network [ file ]
Source network
Source Path /usr/lib/iscan/network
Port <Unknown>
Host (removed)
Source RPM Packages iscan-network-nt-1.1.0-2
Target RPM Packages iscan-network-nt-1.1.0-2
Policy RPM selinux-policy-3.9.16-44.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 2.6.41.1-1.fc15.i686.PAE #1 SMP Fri Nov 11 21:43:42 UTC 2011 i686 i686
Alert Count 2
First Seen Wed 23 Nov 2011 10:44:23 AM CET
Last Seen Wed 23 Nov 2011 10:47:58 AM CET
Local ID 2bc4279f-ff82-4591-a8cd-fc69bf05eaf6
Raw Audit Messages
type=AVC msg=audit(1322041678.105:21): avc: denied { execute_no_trans } for pid=1339 comm="colord" path="/usr/lib/iscan/network" dev=dm-1 ino=547904 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1322041678.105:21): arch=i386 syscall=execve success=yes exit=0 a0=bff88d24 a1=bff87cdc a2=bff8a3bc a3=1 items=0 ppid=1326 pid=1339 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=network exe=/usr/lib/iscan/network subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
Hash: network,colord_t,lib_t,file,execute_no_trans
audit2allow
#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;
audit2allow -R
#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;
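Both fixes proposed in this thread (relabel the plugin with bin_t, or build a local module with audit2allow -M, with -D for dontaudit) start from the raw AVC records, and the thread shows why the choice matters: `allow colord_t lib_t:file execute_no_trans` lets colord_t execute every file labelled lib_t, and allowing name_connect to port_t opens every unreserved port. The script below is an added example, not part of the bug report and not the code of setroubleshoot or audit2allow. It parses the two AVC records quoted above (embedded as constructed sample input), prints the allow rule audit2allow would emit for each, sorts each denial into the least-permissive fix (relabel for execute_no_trans on a lib_t file, dontaudit for name_connect on port_t, plain allow otherwise) and assembles a .te module in audit2allow's layout. The classification rules and the module name mycolord are the example's own assumptions.

```python
"""Parse SELinux AVC denial records and emit the rules audit2allow would.

Added example; the sample records are the two AVCs quoted in the thread,
reproduced here as constructed input so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two denials from the thread plus one
# SYSCALL record, which the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327926982.971:81): avc: denied { execute_no_trans } for pid=2205 comm="colord" path="/usr/lib64/iscan/network" dev=sda11 ino=1446877 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=fedora-16 type=SYSCALL msg=audit(1327926982.971:81): arch=c000003e syscall=59 success=no exit=-13 comm="colord" exe="/usr/libexec/colord"
type=AVC msg=audit(1327948388.548:101): avc: denied { name_connect } for pid=2231 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple            # e.g. ("execute_no_trans",)
    comm: str               # process name from the record
    path: Optional[str]     # target path, when the record carries one
    stype: str              # source type, e.g. colord_t
    ttype: str              # target type, e.g. lib_t
    tclass: str             # object class, e.g. file


def _type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avcs(text):
    """Extract AVC denial records; SYSCALL and other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if "type=AVC" not in line or not m:
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            comm=f.get("comm", "?"),
            path=f.get("path"),
            stype=_type_of(f["scontext"]),
            ttype=_type_of(f["tcontext"]),
            tclass=f["tclass"],
        ))
    return denials


def classify(d):
    """Least-permissive fix for a denial: 'relabel', 'dontaudit' or 'allow'.
    These are the example's own heuristics, not policy semantics."""
    # An executable carrying the shared-library label: fix the label (bin_t)
    # instead of letting the domain execute every lib_t file on the system.
    if "execute_no_trans" in d.perms and d.ttype == "lib_t":
        return "relabel"
    # port_t is the generic label of every unreserved port; if the domain
    # does not need the connection, silence the denial rather than open it.
    if d.tclass == "tcp_socket" and d.ttype == "port_t":
        return "dontaudit"
    return "allow"


def te_rule(d, kind="allow"):
    """One policy rule in audit2allow's output format."""
    return f"{kind} {d.stype} {d.ttype}:{d.tclass} {' '.join(d.perms)};"


def build_module(denials, name="mycolord", dontaudit=False):
    """Assemble a .te module the way `audit2allow -M` (-D) lays it out."""
    kind = "dontaudit" if dontaudit else "allow"
    types = sorted({t for d in denials for t in (d.stype, d.ttype)})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for stype in sorted({d.stype for d in denials}):
        lines.append(f"#============= {stype} ==============")
        lines += [te_rule(d, kind) for d in denials if d.stype == stype]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{classify(d):10} {te_rule(d)}")
    print(build_module(found, dontaudit=True))
```

For the relabel case, note that `chcon` is undone by the next relabel (`restorecon`, or a `/.autorelabel` boot); to keep the bin_t label, record it with `semanage fcontext -a -t bin_t '/usr/lib64/iscan/network'` and then run `restorecon -v /usr/lib64/iscan/network`.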