Bug 808368

Summary: Policy doesn't allow write between passwd_t and user_tmp_t
Product: Red Hat Enterprise Linux 6
Reporter: Fabian Deutsch <fdeutsch>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.3
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-30 17:47:32 UTC
Bug Blocks: 520345
Attachments:
  audit.log from the affected system (flags: none)

Description Fabian Deutsch 2012-03-30 09:28:52 UTC
Created attachment 573920 [details]
audit.log from the affected system

Description of problem:
AFAIU there are problems if passwd is called from a script, as in this case.

Version-Release number of selected component (if applicable):
Current in RHEL6.2

How reproducible:
$ rpm -q selinux-policy
selinux-policy-3.10.0-80.fc16.noarch

Steps to Reproduce:
1. Get RHEV-H from http://jenkins.virt.bos.redhat.com/jenkins/job/rhev-hypervisor-6/7/artifact/rhev-hypervisor6-6.3-20120307.2.auto7.el6.iso
2. Boot and install
3. Log into TUI and press F2 to get a console, look at audit.log
  
Actual results:
AVC denials

Expected results:
No AVC denials

Additional info:
<mgrepl> how is created /var/log/ovirt.log?
<fabiand> mgrepl, by redirecting output
<mgrepl> fabiand: are you also redirecting output of passwd
<mgrepl> ?
<fabiand> mgrepl, yes. It's called from a python script, which grabs stdout and stderr
<fabiand> mgrepl, I think it's those lines: http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=scripts/ovirtfunctions.py;h=7b6993e0b7cee1691d2def54968ba739bb8d9e41;hb=HEAD#l1073
<mgrepl> yes you are right
<fabiand> mgrepl, I can also provide the whole audit.log if you need it, btw.
<mgrepl> we allow only append between passwd_t and usr_tmp_t
<mgrepl> how is this script executed 
<fabiand> it's part of a management interface (TUI)

Comment 2 Fabian Deutsch 2012-03-30 10:35:38 UTC
I queried the selinux policy on the wrong machine.

This is the policy used:
$ rpm -q selinux-policy
selinux-policy-3.7.19-142.el6.noarch

Comment 3 Miroslav Grepl 2012-03-30 12:06:12 UTC
The problem is a tool is running as unconfined_t and if it executes passwd then it ends up as passwd_t.

allow unconfined_t passwd_t : process transition ;

So if you redirect an output, you write to user_tmp_t which is created by a tool and we allow

$ sesearch -A -s passwd_t -t user_tmp_t -c file 
Found 2 semantic av rules:
   allow application_domain_type user_tmp_t : file { getattr append } ; 
   allow passwd_t user_tmp_type : file { ioctl read getattr lock open } ;

So we allow only append operation for this situation.

Comment 4 Fabian Deutsch 2012-03-31 11:38:20 UTC
So what would be the solution for the tool to prevent this avc message?

Comment 5 Miroslav Grepl 2012-04-02 10:37:09 UTC
Could you append the file in the /tmp?

Comment 6 Daniel Walsh 2012-04-02 18:45:55 UTC
passwd | cat > /tmp/blah

Would work around the problem.
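Added illustration, not part of the bug report or of ovirt-node, of why the append-only rule quoted in comment 3 makes the redirect fail while the suggestions in comments 5 and 6 work: the SELinux permission checked on an inherited stdout depends on the open flags of the fd the parent created, not on what the child writes. `/bin/echo` stands in for `passwd` so the script runs without a domain transition, and the file and function names are assumptions.

```python
import fcntl
import os
import subprocess
import tempfile

# Stand-in for /usr/bin/passwd so the demo runs without a domain transition.
FAKE_PASSWD = ["/bin/echo", "Changing password for user admin."]


def needed_permission(fd):
    """SELinux file permission a write through this fd is checked against.

    The kernel maps a writable fd opened with O_APPEND to 'append' and any
    other writable fd to 'write'; the same mapping is re-applied to every fd
    the child inherits when it transitions into passwd_t.
    """
    flags = fcntl.fcntl(fd, fcntl.F_GETFL)
    return "append" if flags & os.O_APPEND else "write"


def run_logged(cmd, log_path, mode):
    """Run cmd with stdout captured into log_path, three ways.

    'w'    -> open(log, 'w'): child inherits an fd needing 'write'  (denied)
    'a'    -> open(log, 'a'): child inherits an fd needing 'append' (allowed)
    'pipe' -> child writes to a pipe; the parent appends to the log itself,
              like 'passwd | cat > log' in comment 6 (no passwd_t access)
    Returns the permission the child needs on the log file.
    """
    if mode == "pipe":
        out = subprocess.run(cmd, stdout=subprocess.PIPE, check=True).stdout
        with open(log_path, "ab") as log:  # written by the caller's domain
            log.write(out)
        return "none"
    with open(log_path, mode + "b") as log:
        perm = needed_permission(log.fileno())
        subprocess.run(cmd, stdout=log, check=True)
    return perm


def demo(cmd=None):
    """Exercise all three modes on a fresh temp log (a user_tmp_t-style file)."""
    cmd = list(cmd or FAKE_PASSWD)
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "ovirt.log")  # hypothetical log name
        result = {m: run_logged(cmd, log, m) for m in ("w", "a", "pipe")}
        with open(log) as fh:
            result["lines"] = len(fh.read().splitlines())
        return result
```

The 'w' case is the pattern that produced the AVC denials in the attached audit.log; 'a' and 'pipe' are the two workarounds from comments 5 and 6.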