| Summary: | SELinux is preventing /bin/bash resp. /bin/rpm from execute resp. execute_no_trans access on the file /bin/rpm | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Peter Backes <rtc> |
| Component: | setroubleshoot | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 16 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-07-27 12:36:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem: -------------------------------------------------------------------------------- SELinux is preventing /bin/bash from execute access on the file /bin/rpm. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that bash should be allowed execute access on the rpm file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sh /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 Target Context system_u:object_r:rpm_exec_t:s0 Target Objects /bin/rpm [ file ] Source sh Source Path /bin/bash Port <Unknown> Host <Unknown> Source RPM Packages bash-4.2.20-1.fc16.i686 Target RPM Packages rpm-4.9.1.2-1.fc16.i686 Policy RPM selinux-policy-3.10.0-72.fc16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name helen Platform Linux helen 3.2.1-3.fc16.i686.PAE #1 SMP Mon Jan 23 15:37:21 UTC 2012 i686 i686 Alert Count 1 First Seen Fri 27 Jan 2012 11:36:21 PM CET Last Seen Fri 27 Jan 2012 11:36:21 PM CET Local ID e18c48ea-dd23-451d-bebb-ff9b64379c5c Raw Audit Messages type=AVC msg=audit(1327703781.464:5183): avc: denied { execute } for pid=5865 comm="sh" name="rpm" dev=sda1 ino=22010 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file type=SYSCALL msg=audit(1327703781.464:5183): arch=i386 syscall=access success=yes exit=0 a0=9ab2500 a1=1 a2=49713ff4 a3=1 items=0 ppid=1032 pid=5865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/bin/bash subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null) Hash: sh,setroubleshootd_t,rpm_exec_t,file,execute audit2allow #============= setroubleshootd_t ============== allow setroubleshootd_t rpm_exec_t:file execute; audit2allow -R #============= setroubleshootd_t ============== allow setroubleshootd_t rpm_exec_t:file execute; -------------------------------------------------------------------------------- SELinux is preventing /bin/rpm from execute_no_trans access on the file /bin/rpm. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that rpm should be allowed execute_no_trans access on the rpm file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep rpm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 Target Context system_u:object_r:rpm_exec_t:s0 Target Objects /bin/rpm [ file ] Source rpm Source Path /bin/rpm Port <Unknown> Host <Unknown> Source RPM Packages rpm-4.9.1.2-1.fc16.i686 Target RPM Packages rpm-4.9.1.2-1.fc16.i686 Policy RPM selinux-policy-3.10.0-72.fc16.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name helen Platform Linux helen 3.2.1-3.fc16.i686.PAE #1 SMP Mon Jan 23 15:37:21 UTC 2012 i686 i686 Alert Count 1 First Seen Fri 27 Jan 2012 11:36:21 PM CET Last Seen Fri 27 Jan 2012 11:36:21 PM CET Local ID d44bbdcf-3ed9-4eec-96bc-8bb58afcece9 Raw Audit Messages type=AVC msg=audit(1327703781.464:5184): avc: denied { execute_no_trans } for pid=5866 comm="sh" path="/bin/rpm" dev=sda1 ino=22010 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file type=SYSCALL msg=audit(1327703781.464:5184): arch=i386 syscall=execve success=yes exit=0 a0=9ab2500 a1=9ab2790 a2=9ab1ad0 a3=9ab1ad0 items=0 ppid=5865 pid=5866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpm exe=/bin/rpm subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null) Hash: rpm,setroubleshootd_t,rpm_exec_t,file,execute_no_trans audit2allow #============= setroubleshootd_t ============== allow setroubleshootd_t rpm_exec_t:file execute_no_trans; audit2allow -R #============= setroubleshootd_t ============== allow setroubleshootd_t rpm_exec_t:file execute_no_trans; Version-Release number of selected component (if applicable): setroubleshoot-3.1.2-1.fc16.i686 selinux-policy-targeted-3.10.0-72.fc16.noarch How reproducible: always Steps to Reproduce: 1. Compile and install the following module (to generate food for setroubleshoot): policy_module(trace1, 1.0.0) gen_require(`attribute domain; type tmp_t; ') auditallow domain tmp_t:dir create_dir_perms; 2. reboot 3. log into xfce session Actual results: AVC denial caused by setroubleshoot apparently trying to execute rpm via bash. Expected results: no AVC denial Additional info: permissive mode was on. note that the policy module can cause a lot of avc granted audit log entries to be generated in a short amount of time.