Description of problem:
When hostname is used in ksh scripts inside $() command substitution in a cluster environment, an AVC denial prevents writing the output to the tmpfile. Analogous to Bug 1040020.

Adding the rule
allow hostname_t cluster_tmp_t:file { read write };
helps to work around the issue.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-231.el6_5.3.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create script
# cat /tmp/hostname.ksh
#!/bin/ksh
setenforce 1
MYHOST=$(/bin/hostname)
echo $MYHOST
setenforce 0
2. # setenforce 0
3. # runcon -t cluster_t -r system_r ksh /tmp/hostname.ksh

Actual results:
empty output

Expected results:
hostname echoed

Additional info:
type=AVC msg=audit(1480515061.350:279297): avc: denied { read write } for pid=28277 comm="hostname" path=2F746D702F736631642E72646F202864656C6574656429 dev=dm-0 ino=438189 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cluster_tmp_t:s0 tclass=file

# echo 2F746D702F736631642E72646F202864656C6574656429|sed 's/\(..\)/\1 /g'|hex2bytes |strings
/tmp/sf1d.rdo (deleted)

ksh uses tmpfiles for temporarily storing the substituted command's output, so there may be more types than just cluster_tmp_t affected.
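The raw audit record above carries the path as bare hex because the value "/tmp/sf1d.rdo (deleted)" contains a space (ausearch -i would print it decoded). The following bash script is an added example, not part of the bug report or of the selinux-policy package: it decodes the path= field of a type=AVC line and derives the allow rule that matches the denial, which for the record from the report is exactly the reporter's workaround rule. The first sample line is the denial copied from the report; the second, with a quoted path, is constructed here to show the other form audit uses. audit2allow -a does this job for real; the script only shows what it reads from the record.

```bash
#!/bin/bash
# Added example (not from the bug report): pick apart a raw type=AVC record the
# way the reporter did by hand, and print the allow rule that would match it.

# Sample input. AVC_HEX_PATH is the denial from the report (raw audit.log form);
# AVC_QUOTED_PATH is a constructed line with a quoted path, ino/pid invented.
AVC_HEX_PATH='type=AVC msg=audit(1480515061.350:279297): avc:  denied  { read write }  for  pid=28277 comm="hostname" path=2F746D702F736631642E72646F202864656C6574656429 dev=dm-0 ino=438189 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cluster_tmp_t:s0 tclass=file'
AVC_QUOTED_PATH='type=AVC msg=audit(1480515061.351:279298): avc:  denied  { write }  for  pid=28278 comm="hostname" path="/tmp/plain.tmp" dev=dm-0 ino=438190 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cluster_tmp_t:s0 tclass=file'

# audit writes a field as unquoted hex when the value contains a space, a quote
# or a control character; one byte per hex pair, printed here via octal escapes.
hex_to_ascii() {
    local hex=$1 i
    for ((i = 0; i < ${#hex}; i += 2)); do
        printf "\\$(printf '%03o' "$((16#${hex:i:2}))")"
    done
    printf '\n'
}

# Print the path= field of an AVC record: quoted values as-is, hex values decoded.
avc_path() {
    local line=$1 raw re='path=("[^"]*"|[^ ]+)' re_hex='^[0-9A-Fa-f]+$'
    [[ $line =~ $re ]] || return 1
    raw=${BASH_REMATCH[1]}
    if [[ $raw == \"*\" ]]; then
        raw=${raw#\"}
        printf '%s\n' "${raw%\"}"
    elif [[ $raw =~ $re_hex ]] && (( ${#raw} % 2 == 0 )); then
        hex_to_ascii "$raw"
    else
        printf '%s\n' "$raw"     # already plain, e.g. ausearch -i output
    fi
}

# Build "allow <source type> <target type>:<class> { perms };" from one record.
# The type is the third colon-separated field of a context (user:role:type:mls).
avc_allow_rule() {
    local line=$1 perms sctx tctx tclass stype ttype _user _role _rest
    local re_perms='denied +[{] *([^}]*)[}]'
    local re_s='scontext=([^ ]+)' re_t='tcontext=([^ ]+)' re_c='tclass=([^ ]+)'
    [[ $line =~ $re_perms ]] || return 1
    read -r perms <<<"${BASH_REMATCH[1]}"      # read trims the surrounding blanks
    [[ $line =~ $re_s ]] || return 1; sctx=${BASH_REMATCH[1]}
    [[ $line =~ $re_t ]] || return 1; tctx=${BASH_REMATCH[1]}
    [[ $line =~ $re_c ]] || return 1; tclass=${BASH_REMATCH[1]}
    IFS=: read -r _user _role stype _rest <<<"$sctx"
    IFS=: read -r _user _role ttype _rest <<<"$tctx"
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

for line in "$AVC_HEX_PATH" "$AVC_QUOTED_PATH"; do
    printf 'path: %s\nrule: %s\n' "$(avc_path "$line")" "$(avc_allow_rule "$line")"
done
```

For the record from the report this prints the path /tmp/sf1d.rdo (deleted), i.e. an unlinked ksh tmpfile, and the rule allow hostname_t cluster_tmp_t:file { read write };. A rule derived this way only silences the one denial it was built from; the durable fix is the policy change shipped in the errata, and on a live system the same derivation is done with audit2allow -a.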
Interesting, I can confirm the behaviour, but my ausearch results differ:

# runcon -t cluster_t -r system_r ksh /tmp/hostname.ksh
----
type=PATH msg=audit(12/01/16 10:03:36.854:58) : item=0 name=/bin/ksh inode=525305 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(12/01/16 10:03:36.854:58) : cwd=/root
type=SYSCALL msg=audit(12/01/16 10:03:36.854:58) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7ffd02228f35 a1=0x7ffd02229160 a2=0x7ffd02229178 a3=0x1f items=1 ppid=5969 pid=6071 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/01/16 10:03:36.854:58) : avc: denied { transition } for pid=6071 comm=runcon path=/bin/ksh93 dev=dm-0 ino=525305 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 tclass=process
----

# runcon -t cluster_t -r system_r /bin/ksh93 /tmp/hostname.ksh
----
type=PATH msg=audit(12/01/16 10:11:43.767:92) : item=1 name=(null) inode=524597 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(12/01/16 10:11:43.767:92) : item=0 name=/bin/ksh93 inode=525305 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(12/01/16 10:11:43.767:92) : cwd=/root
type=EXECVE msg=audit(12/01/16 10:11:43.767:92) : argc=2 a0=/bin/ksh93 a1=/tmp/hostname.ksh
type=SYSCALL msg=audit(12/01/16 10:11:43.767:92) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeaf61d666 a1=0x7ffeaf61cdf0 a2=0x7ffeaf61ce08 a3=0x1f items=2 ppid=5969 pid=6177 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=ksh93 exe=/bin/ksh93 subj=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/01/16 10:11:43.767:92) : avc: denied { transition } for pid=6177 comm=runcon path=/bin/ksh93 dev=dm-0 ino=525305 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:cluster_t:s0-s0:c0.c1023 tclass=process
----
type=PATH msg=audit(12/01/16 10:11:43.815:98) : item=1 name=(null) inode=524597 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(12/01/16 10:11:43.815:98) : item=0 name=/bin/hostname inode=525286 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:hostname_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(12/01/16 10:11:43.815:98) : cwd=/root
type=EXECVE msg=audit(12/01/16 10:11:43.815:98) : argc=1 a0=/bin/hostname
type=SYSCALL msg=audit(12/01/16 10:11:43.815:98) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f91dc7f2958 a1=0x7f91dc7f26f0 a2=0x7f91dc7f2818 a3=0x8 items=2 ppid=6177 pid=6181 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=hostname exe=/bin/hostname subj=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/01/16 10:11:43.815:98) : avc: denied { write } for pid=6181 comm=hostname path=/tmp/sf2d.1l8 (deleted) dev=dm-0 ino=522874 scontext=unconfined_u:system_r:hostname_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cluster_tmp_t:s0 tclass=file
----

Policy includes dontaudit rules.

$ rpm -q ksh selinux-policy
ksh-20120801-33.el6.x86_64
selinux-policy-3.7.19-292.el6_8.2.noarch

$ ls -Z /bin/ksh /etc/alternatives/ksh /bin/ksh93 /tmp/hostname.ksh
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 /bin/ksh -> /etc/alternatives/ksh
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:s0 /bin/ksh93
lrwxrwxrwx. root root unconfined_u:object_r:etc_t:s0 /etc/alternatives/ksh -> /bin/ksh93
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/hostname.ksh
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html