Bug 146124 - targeted policy: audit(1106666401.707:0): avc: denied { transition }
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-01-25 16:05 UTC by sangu
Modified: 2007-11-30 22:10 UTC

Fixed In Version: selinux-policy-targeted-1.21.3-2
Clone Of:
Environment:
Last Closed: 2005-04-12 22:00:25 UTC
Type: ---
Embargoed:



Description sangu 2005-01-25 16:05:04 UTC
Description of problem:
in dmesg
[...]
SELinux: initialized (dev hda8, type ext3), uses xattr
[...]
audit(1106666401.707:0): avc:  denied  { transition } for  pid=4023
exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648
scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t
tclass=process

----
$ mount
/dev/hda8 on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.3-1

How reproducible:
always

Steps to Reproduce:
1. booting
Actual results:
avc: denied

Expected results:


Additional info:
policy is "targeted".
vixie-cron-4.1-21

$ sestatus -v
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_kerberos          active
allow_ypbind            active
cupsd_disable_trans     inactive
dhcpd_disable_trans     inactive
dovecot_disable_trans   inactive
fingerd_disable_trans   inactive
ftp_home_dir            active
ftpd_disable_trans      inactive
ftpd_is_daemon          active
howl_disable_trans      inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
i18n_input_disable_trans inactive
inetd_child_disable_trans inactive
inetd_disable_trans     inactive
innd_disable_trans      inactive
kadmind_disable_trans   inactive
krb5kdc_disable_trans   inactive
ktalkd_disable_trans    inactive
lpd_disable_trans       inactive
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zones inactive
nfs_export_all_ro       active
nfs_export_all_rw       active
nmbd_disable_trans      inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_trans inactive
privoxy_disable_trans   inactive
ptal_disable_trans      inactive
radiusd_disable_trans   inactive
radvd_disable_trans     inactive
read_default_t          active
rlogind_disable_trans   inactive
rsync_disable_trans     inactive
samba_enable_home_dirs  inactive
slapd_disable_trans     inactive
smbd_disable_trans      inactive
snmpd_disable_trans     inactive
spamd_disable_trans     inactive
squid_disable_trans     inactive
stunnel_disable_trans   inactive
stunnel_is_daemon       inactive
syslogd_disable_trans   inactive
telnetd_disable_trans   inactive
tftpd_disable_trans     inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive
ypserv_disable_trans    inactive
zebra_disable_trans     inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          user_u:system_r:initrc_t

File contexts:
Controlling term:       user_u:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Comment 1 sangu 2005-01-27 16:36:30 UTC
This problem happens again in selinux-policy-targeted-1.21.3-6.

----
in dmesg
[...]
audit(1106839801.270:0): avc:  denied  { transition } for  pid=3881
exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648
scontext=user_u:system_r:system_crond_t tcontext=system_u:system_r:unconfined_t
tclass=process

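Added triage example (not code from the bug report or from the policy package): a small Python parser for the kernel-style `audit(epoch:serial): avc: denied { perm } for key=value ...` records quoted above. It joins the wrapped dmesg lines back into one record each, pulls out the source and target domain types, and renders each distinct denial in the TE syntax audit2allow(1) would propose, which makes the change of source domain between the two policy builds (initrc_t, then system_crond_t) visible at a glance.

```python
import re

# The two denials quoted in this report, with dmesg's line wrapping joined
# back into one record each (constructed sample input, not a live log).
SAMPLE_DMESG = """\
SELinux: initialized (dev hda8, type ext3), uses xattr
audit(1106666401.707:0): avc:  denied  { transition } for  pid=4023 exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t tclass=process
audit(1106839801.270:0): avc:  denied  { transition } for  pid=3881 exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 scontext=user_u:system_r:system_crond_t tcontext=system_u:system_r:unconfined_t tclass=process
"""

# audit(<epoch>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one kernel-style AVC record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))  # pid, exe, path, scontext, ...
    # A context is user:role:type; policy rules are written in terms of the type.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key[0] + "type"] = rec[key].split(":")[2]
    return rec


def denied_transitions(text):
    """(source type, target type, class) for each denied domain transition."""
    out = []
    for rec in map(parse_avc, text.splitlines()):
        if rec and rec["result"] == "denied" and "transition" in rec["perms"]:
            out.append((rec["stype"], rec["ttype"], rec["tclass"]))
    return out


def te_rules(text):
    """Distinct denials rendered in the TE syntax audit2allow(1) proposes, for review."""
    rules = {f"allow {r['stype']} {r['ttype']}:{r['tclass']} {p};"
             for r in map(parse_avc, text.splitlines())
             if r and r["result"] == "denied" for p in r["perms"]}
    return sorted(rules)
```

The rendered rules are for reading, not for loading blindly: here the real fix was in the shipped policy (crond's own domain gaining the transition), not a local allow rule.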

Comment 2 Alexandre Oliva 2005-01-30 18:13:39 UTC
I get the same here, with yesterday's rawhide, even after relabeling /
(containing usr, var, etc, etc :-) and rebooting.  I get hourly
e-mails indicating permission denied to run /bin/bash or /bin/sh, with
subjects such as:

Cron <root@$host> run-parts /etc/cron.hourly

Cron <root@$host> /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file
/var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok

Cron <root@$host> /usr/lib/sa/sa1 1 1

Quite annoying :-(

I see there are special provisions for cron in crond.te, but I don't
see any of them making it into file_contexts or policy; is that intentional?

Comment 3 Daniel Walsh 2005-01-31 20:47:24 UTC
1.21.5-4 should fix that.  Available now on 
ftp://people.redhat.com/dwalsh/SELinux/Fedora
or tomorrow via Rawhide.

