Bug 146124 - targeted policy: audit(1106666401.707:0): avc: denied { transition }
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-01-25 11:05 EST by sangu
Modified: 2007-11-30 17:10 EST (History)

Fixed In Version: selinux-policy-targeted-1.21.3-2
Doc Type: Bug Fix
Last Closed: 2005-04-12 18:00:25 EDT
Description sangu 2005-01-25 11:05:04 EST
Description of problem:
in dmesg
SELinux: initialized (dev hda8, type ext3), uses xattr
audit(1106666401.707:0): avc:  denied  { transition } for  pid=4023
exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648
scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t

$ mount
/dev/hda8 on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
none on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. booting
Actual results:
avc: denied

Expected results:

Additional info:
policy is "targeted".

$ sestatus -v
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_kerberos          active
allow_ypbind            active
cupsd_disable_trans     inactive
dhcpd_disable_trans     inactive
dovecot_disable_trans   inactive
fingerd_disable_trans   inactive
ftp_home_dir            active
ftpd_disable_trans      inactive
ftpd_is_daemon          active
howl_disable_trans      inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
inetd_disable_trans     inactive
innd_disable_trans      inactive
kadmind_disable_trans   inactive
krb5kdc_disable_trans   inactive
ktalkd_disable_trans    inactive
lpd_disable_trans       inactive
mysqld_disable_trans    inactive
named_disable_trans     inactive
nfs_export_all_ro       active
nfs_export_all_rw       active
nmbd_disable_trans      inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
privoxy_disable_trans   inactive
ptal_disable_trans      inactive
radiusd_disable_trans   inactive
radvd_disable_trans     inactive
read_default_t          active
rlogind_disable_trans   inactive
rsync_disable_trans     inactive
samba_enable_home_dirs  inactive
slapd_disable_trans     inactive
smbd_disable_trans      inactive
snmpd_disable_trans     inactive
spamd_disable_trans     inactive
squid_disable_trans     inactive
stunnel_disable_trans   inactive
stunnel_is_daemon       inactive
syslogd_disable_trans   inactive
telnetd_disable_trans   inactive
tftpd_disable_trans     inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive
ypserv_disable_trans    inactive
zebra_disable_trans     inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          user_u:system_r:initrc_t

File contexts:
Controlling term:       user_u:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
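To make denials like the one above easier to read, here is a small parser for this kernel-2.6-era AVC format (no `type=AVC` prefix and no `tclass=` field, exactly as the dmesg lines are quoted in this report). It is an added example written for this page, not code from the bug, from Fedora or from the SELinux project; the two sample lines are the ones from the report and from Comment 1, joined back onto one line each. The reading of a `{ transition }` denial follows SELinux exec semantics: the kernel has already computed the new domain for the exec (here unconfined_t, reported as tcontext) but the loaded policy lacks an `allow <source type> <target type>:process transition` rule, so the exec fails. The helper names (`parse_avc`, `describe`, `is_unconfined_transition`) are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two AVC denials quoted in this bug report (dmesg wrapped them; rejoined here).
AVC_LINES = [
    "audit(1106666401.707:0): avc:  denied  { transition } for  pid=4023 "
    "exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 "
    "scontext=user_u:system_r:initrc_t tcontext=system_u:system_r:unconfined_t",
    "audit(1106839801.270:0): avc:  denied  { transition } for  pid=3881 "
    "exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648 "
    "scontext=user_u:system_r:system_crond_t tcontext=system_u:system_r:unconfined_t",
]

# Old-style (pre-auditd) message: audit(<secs>.<ms>:<serial>): avc: <result> { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Context:
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        parts = s.split(":")
        if len(parts) < 3:
            raise ValueError(f"bad security context: {s!r}")
        # A trailing MLS/MCS range would be parts[3:]; policy version 18 here has none.
        return cls(parts[0], parts[1], parts[2])


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str
    perms: list
    fields: dict
    scontext: Context
    tcontext: Context


def parse_avc(line: str) -> Optional[Avc]:
    """Parse one old-format AVC line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return Avc(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=m.group("perms").split(),
        fields=fields,
        scontext=Context.parse(fields["scontext"]),
        tcontext=Context.parse(fields["tcontext"]),
    )


def describe(avc: Avc) -> str:
    """Human-readable diagnosis. For { transition } the subject is the calling
    domain and tcontext is the domain the exec tried to enter."""
    if "transition" in avc.perms:
        return (f"{avc.fields.get('exe')} in {avc.scontext.type} was denied a domain "
                f"transition to {avc.tcontext.type} while executing {avc.fields.get('path')}")
    return f"{avc.scontext.type} denied {{ {' '.join(avc.perms)} }} on {avc.tcontext.type}"


def is_unconfined_transition(avc: Avc) -> bool:
    """True when a confined domain tried to exec into unconfined_t: the policy
    computed that transition but carries no matching process:transition allow
    rule, which is the situation this report describes for crond."""
    return ("transition" in avc.perms
            and avc.tcontext.type == "unconfined_t"
            and avc.scontext.type != "unconfined_t")


if __name__ == "__main__":
    for line in AVC_LINES:
        avc = parse_avc(line)
        print(describe(avc), "| policy gap:", is_unconfined_transition(avc))
```

Run it as-is to print a diagnosis for both quoted lines; feed it other dmesg lines of the same format to triage them. Modern audit logs (`type=AVC msg=audit(...)` with `tclass=`) need the prefix stripped and the class field handled before this regex applies.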
Comment 1 sangu 2005-01-27 11:36:30 EST
This problem happens again in selinux-policy-targeted-1.21.3-6.

in dmesg
audit(1106839801.270:0): avc:  denied  { transition } for  pid=3881
exe=/usr/sbin/crond path=/bin/bash dev=hda8 ino=926648
scontext=user_u:system_r:system_crond_t tcontext=system_u:system_r:unconfined_t
Comment 2 Alexandre Oliva 2005-01-30 13:13:39 EST
I get the same here, with yesterday's rawhide, even after relabeling /
(containing usr, var, etc, etc :-) and rebooting.  I get hourly
e-mails indicating permission denied to run /bin/bash or /bin/sh, with
subjects such as:

Cron <root@$host> run-parts /etc/cron.hourly

Cron <root@$host> /usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file
/var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok

Cron <root@$host> /usr/lib/sa/sa1 1 1

Quite annoying :-(

I see there are special provisions for cron in crond.te, but I don't
see any of them making it to file_contexts or policy; is that intentional?
Comment 3 Daniel Walsh 2005-01-31 15:47:24 EST
1.21.5-4 should fix that.  Available now on 
or tomorrow via Rawhide.
