1065693 – SELinux is preventing /usr/bin/touch from 'create' accesses on the file .

Bug 1065693 - SELinux is preventing /usr/bin/touch from 'create' accesses on the file .

Summary: SELinux is preventing /usr/bin/touch from 'create' accesses on the file .

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:e77811ddcc6001a4efba9232a8e...
Duplicates (2):	1065691 1065692 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-02-15 22:18 UTC by Nicolas Mailhot
Modified:	2014-02-21 20:47 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-02-21 20:47:49 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nicolas Mailhot 2014-02-15 22:18:46 UTC

Description of problem:
SELinux is preventing /usr/bin/touch from 'create' accesses on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que touch devrait être autorisé à accéder create sur  file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep touch /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:var_lock_t:s0
Target Objects                 [ file ]
Source                        touch
Source Path                   /usr/bin/touch
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.22-10.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-24.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.14.0-0.rc2.git4.1.fc21.x86_64 #1
                              SMP Fri Feb 14 20:03:13 UTC 2014 x86_64 x86_64
Alert Count                   3
First Seen                    2014-02-15 23:13:04 CET
Last Seen                     2014-02-15 23:15:44 CET
Local ID                      a78f95cb-5e2b-469c-a4fb-894993e09da6

Raw Audit Messages
type=AVC msg=audit(1392502544.2:126): avc:  denied  { create } for  pid=2774 comm="touch" name="iptables" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file


type=AVC msg=audit(1392502544.2:126): avc:  denied  { write open } for  pid=2774 comm="touch" path="/run/lock/subsys/iptables" dev="tmpfs" ino=61815 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file


type=SYSCALL msg=audit(1392502544.2:126): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7fffc5aa4f63 a1=941 a2=1b6 a3=367b48a4c0 items=0 ppid=2765 pid=2774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=touch exe=/usr/bin/touch subj=system_u:system_r:init_t:s0 key=(null)

Hash: touch,init_t,var_lock_t,file,create

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.14.0-0.rc2.git4.1.fc21.x86_64
type:           libreport

Comment 1 Miroslav Grepl 2014-02-17 08:53:04 UTC

Nicolas, it looks you have mislabeled system? What does

# ps -efZ |grep init_t

Comment 2 Miroslav Grepl 2014-02-17 08:55:00 UTC

*** Bug 1065691 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2014-02-17 08:55:23 UTC

*** Bug 1065692 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2014-02-17 20:21:38 UTC

THis is caused by the removal of the transition. Isn't init_t an unconfined domain in Rawhide?

Comment 5 Nicolas Mailhot 2014-02-17 22:03:00 UTC

Description of problem:
1. full rawhide dnf update
2. full fixfiles restore
3. clear sealert
4. reboot
5. this avc on startup

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.14.0-0.rc3.git0.1.fc21.x86_64
type:           libreport

Comment 6 Nicolas Mailhot 2014-02-17 22:05:55 UTC

additionally iptable services are dead unless I activate permissive mode (not good for security at all)

Comment 7 Nicolas Mailhot 2014-02-17 22:07:28 UTC

#  ps -efZ |grep init_t
system_u:system_r:init_t:s0     root         1     0  0 22:59 ?        00:00:04 /usr/lib/systemd/systemd --switched-root --system --deserialize 23
system_u:system_r:init_t:s0     root       978     1  0 23:00 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     nim        979     1  0 23:00 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     root       989   978  0 23:00 ?        00:00:00 (sd-pam)
system_u:system_r:init_t:s0     nim        990   979  0 23:00 ?        00:00:00 (sd-pam)
system_u:system_r:init_t:s0     gdm       1063     1  0 23:00 ?        00:00:00 /usr/lib/systemd/systemd --user
system_u:system_r:init_t:s0     gdm       1065  1063  0 23:00 ?        00:00:00 (sd-pam)
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2707 2625  0 23:07 pts/0 00:00:00 grep --color=auto init_t

Comment 8 Miroslav Grepl 2014-02-17 22:54:37 UTC

(In reply to Daniel Walsh from comment #4)
> THis is caused by the removal of the transition. Isn't init_t an unconfined
> domain in Rawhide?

Yeap, just wanted to be sure. I guess Nicolas runs with disabled unconfined module.

Comment 9 Nicolas Mailhot 2014-02-18 15:24:37 UTC

(In reply to Miroslav Grepl from comment #8)
> (In reply to Daniel Walsh from comment #4)
> > THis is caused by the removal of the transition. Isn't init_t an unconfined
> > domain in Rawhide?
> 
> Yeap, just wanted to be sure. I guess Nicolas runs with disabled unconfined
> module.

I don't have any special selinux config, I run whatever is pushed to devel

Comment 10 Miroslav Grepl 2014-02-18 15:28:09 UTC

# semodule -l |grep unconfined

Comment 11 Nicolas Mailhot 2014-02-18 20:33:31 UTC

# semodule -l |grep unconfined
unconfined	3.5.0	
unconfineduser	1.0.0

Comment 12 Nicolas Mailhot 2014-02-21 12:59:07 UTC

Description of problem:
still broken    

Additional info:
reporter:       libreport-2.1.12
hashmarkername: setroubleshoot
kernel:         3.14.0-0.rc3.git5.1.fc21.x86_64
type:           libreport

Comment 13 Daniel Walsh 2014-02-21 20:47:49 UTC

Fixed in selinux-policy-3.13.1-26.fc21

Note You need to log in before you can comment on or make changes to this bug.