Bug 165188 - Strict policy breaks ddclient
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict (Show other bugs)
Version: 4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-08-04 21:52 EDT by W. Michael Petullo
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 1.25.4-10
Doc Type: Bug Fix
Last Closed: 2005-09-05 01:40:36 EDT

Attachments:
DDclient patch to fix cache creation (573 bytes, text/x-patch)
2005-08-07 06:05 EDT, Daniel Walsh
Description W. Michael Petullo 2005-08-04 21:52:54 EDT

Description of problem:
Fedora Extras provides the ddclient package.  Ddclient allows one to update a dyndns.org DNS record automatically.

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
Try to execute ddclient when SELinux is enforcing the strict policy.

Actual Results:
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { write } for  pid=4360 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { add_name } for  pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123206458.903:2140046): avc:  denied  { create } for  pid=4360 comm="ddclient" name="ddclient.cache" scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123206458.903:2140046): arch=40000003 syscall=5 success=yes exit=3 a0=99fde50 a1=8241 a2=1b6 a3=8241 items=1 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123206458.903:2140046):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123206458.903:2140046): item=0 name="/var/cache/ddclient.cache" flags=310  inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123206458.905:2140058): avc:  denied  { write } for  pid=4360 comm="ddclient" name="ddclient.cache" dev=hda2 ino=15053 scontext=root:system_r:initrc_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123206458.905:2140058): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9a0f320 a2=114 a3=9a0f320 items=0 pid=4360 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123206458.905:2140058):  path="/var/cache/ddclient.cache"

Additional info:

The following seems to allow ddclient to work:


/usr/sbin/ddclient      --      system_u:object_r:ddclient_exec_t
/etc/ddclient.conf      --      system_u:object_r:ddclient_etc_t


type ddclient_exec_t, file_type, sysadmfile, exec_type;
type ddclient_etc_t, file_type, sysadmfile, exec_type;
type ddclient_t, domain, privlog, fs_domain;

domain_auto_trans(initrc_t, ddclient_exec_t, ddclient_t)

can_network(ddclient_t)
allow ddclient_t devtty_t:chr_file { read write };
allow ddclient_t var_t:file { read ioctl };
# execute perl:
allow ddclient_t { bin_t sbin_t }:dir r_dir_perms;
can_exec(ddclient_t, { bin_t sbin_t })
allow ddclient_t bin_t:lnk_file read;
# end execute perl
allow ddclient_t sshd_t:fd use;
allow ddclient_t urandom_device_t:chr_file read;
allow ddclient_t proc_t:lnk_file read;
allow ddclient_t ddclient_etc_t:file { ioctl read getattr };
allow ddclient_t null_device_t:chr_file { ioctl read };
# macro? :
allow ddclient_t var_run_t:dir { add_name };
allow ddclient_t var_run_t:file { create ioctl write };
allow ddclient_t var_t:file { getattr };
allow ddclient_t http_port_t:tcp_socket { name_connect };
allow ddclient_t user_devpts_t:chr_file { ioctl read write };
allow ddclient_t ddclient_t:dir search;
allow ddclient_t ddclient_t:lnk_file read;
allow ddclient_t lib_t:file { read ioctl };
Comment 1 Daniel Walsh 2005-08-05 14:02:32 EDT
Did you try the policy that was already in the unused directory of strict policy?

/etc/selinux/strict/src/policy/domains/program/unused/ddclient.te
Comment 2 W. Michael Petullo 2005-08-06 22:46:56 EDT
I did not know strict/src/policy/domains/program/unused/ddclient.te existed.

I don't think /var/cache/ddclient.cache is created with the proper context
(ddclient creates it as root:object_r:var_t.)

Here are the messages that are logged when I use this policy fragment:

type=AVC msg=audit(1123382532.061:6803231): avc:  denied  { read write } for  pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.061:6803231): arch=40000003 syscall=11 success=yes exit=0 a0=82a1340 a1=828e178 a2=828e308 a3=0 items=3 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123382532.061:6803231):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382532.061:6803231): item=0 name="/usr/sbin/ddclient" flags=101  inode=32909 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1123382532.061:6803231): item=1 flags=101  inode=33489 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1123382532.061:6803231): item=2 flags=101  inode=47064 dev=03:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382532.084:6803376): avc:  denied  { ioctl } for  pid=11252 comm="ddclient" name="1" dev=devpts ino=3 scontext=root:system_r:ddclient_t tcontext=root:object_r:user_devpts_t tclass=chr_file
type=SYSCALL msg=audit(1123382532.084:6803376): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11252 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382532.084:6803376):  path="/dev/pts/1"
type=AVC msg=audit(1123382533.231:6805020): avc:  denied  { search } for  pid=11255 comm="sh" name="/" dev=devpts ino=1 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:devpts_t tclass=dir
type=SYSCALL msg=audit(1123382533.231:6805020): arch=40000003 syscall=5 success=yes exit=3 a0=80c78f6 a1=8802 a2=0 a3=8802 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1123382533.231:6805020):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.231:6805020): item=0 name="/dev/tty" flags=101  inode=2240 dev=00:0d mode=020666 ouid=0 ogid=0 rdev=05:00
type=AVC msg=audit(1123382533.235:6805055): avc:  denied  { search } for  pid=11255 comm="sh" name="src" dev=hda2 ino=63918 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=AVC msg=audit(1123382533.235:6805055): avc:  denied  { getattr } for  pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=SYSCALL msg=audit(1123382533.235:6805055): arch=40000003 syscall=195 success=yes exit=0 a0=9371830 a1=bfeda0ac a2=229ff4 a3=bfeda0ac items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1123382533.235:6805055):  path="/etc/selinux/strict/src/policy"
type=CWD msg=audit(1123382533.235:6805055):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.235:6805055): item=0 name="/etc/selinux/strict/src/policy" flags=1  inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.237:6805075): avc:  denied  { read } for  pid=11255 comm="sh" name="policy" dev=hda2 ino=63919 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:policy_src_t tclass=dir
type=SYSCALL msg=audit(1123382533.237:6805075): arch=40000003 syscall=5 success=yes exit=3 a0=80d39e2 a1=18800 a2=22b8b8 a3=9373588 items=1 pid=11255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1123382533.237:6805075):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.237:6805075): item=0 name="." flags=103  inode=63919 dev=03:02 mode=040700 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { write } for  pid=11253 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { add_name } for  pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { create } for  pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.246:6805157): arch=40000003 syscall=5 success=yes exit=3 a0=9c41e50 a1=8241 a2=1b6 a3=8241 items=1 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=CWD msg=audit(1123382533.246:6805157):  cwd="/etc/selinux/strict/src/policy"
type=PATH msg=audit(1123382533.246:6805157): item=0 name="/var/cache/ddclient.cache" flags=310  inode=14648 dev=03:02 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1123382533.248:6805158): avc:  denied  { ioctl } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805158): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb4dd8 a3=bfbb4e18 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.248:6805158):  path="/var/cache/ddclient.cache"
type=AVC msg=audit(1123382533.248:6805160): avc:  denied  { getattr } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.248:6805160): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=998c068 a2=a46ff4 a3=9c42142 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.248:6805160):  path="/var/cache/ddclient.cache"
type=AVC msg=audit(1123382533.249:6805169): avc:  denied  { write } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=SYSCALL msg=audit(1123382533.249:6805169): arch=40000003 syscall=4 success=yes exit=276 a0=3 a1=9c53320 a2=114 a3=9c53320 items=0 pid=11253 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="ddclient" exe="/usr/bin/perl"
type=AVC_PATH msg=audit(1123382533.249:6805169):  path="/var/cache/ddclient.cache"
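As an added example (not code from this bug, from ddclient or from selinux-policy), the Python below does over the /var/cache denials quoted above what audit2allow would: it merges them into allow rules, then flags the pattern comment 2 describes, a create denial where the new file inherits the directory's var_t label, which is where a private type plus a type transition (the cache-labelling problem comment 3's patch and restorecon are aimed at) beats a blanket allow on var_t files. The sample records are copied from comment 2; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four type=AVC records for /var/cache that comment 2
# quotes, one record per line (SYSCALL/CWD/PATH records carry no denial and are omitted).
SAMPLE_AVC = """\
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { write } for  pid=11253 comm="ddclient" name="cache" dev=hda2 ino=14648 scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { add_name } for  pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=system_u:object_r:var_t tclass=dir
type=AVC msg=audit(1123382533.246:6805157): avc:  denied  { create } for  pid=11253 comm="ddclient" name="ddclient.cache" scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
type=AVC msg=audit(1123382533.249:6805169): avc:  denied  { write } for  pid=11253 comm="ddclient" name="ddclient.cache" dev=hda2 ino=14933 scontext=root:system_r:ddclient_t tcontext=root:object_r:var_t tclass=file
"""

def parse_avc(text):
    """One dict per 'avc: denied' record: perms, source domain, target type/class, object name."""
    records = []
    for line in text.splitlines():
        m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$', line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
        records.append({"perms": set(m.group(1).split()),
                        "sdom": fields["scontext"].split(":")[2],   # user:role:type
                        "ttype": fields["tcontext"].split(":")[2],
                        "tclass": fields["tclass"],
                        "name": fields.get("name")})
    return records

def allow_rules(records):
    """Merge denials into one allow rule per (domain, type, class), as audit2allow does."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["sdom"], r["ttype"], r["tclass"])] |= r["perms"]
    return ["allow %s %s:%s { %s };" % (d, t, c, " ".join(sorted(p)))
            for (d, t, c), p in sorted(merged.items())]

def inherited_label_creates(records):
    """Flag 'create' denials whose new object carries the same type as a directory the domain
    was denied add_name on: the file is inheriting the directory's generic label (var_t here).
    The allow rule above would open every var_t file to the domain; a private type plus a
    type transition, followed by restorecon, is the narrower fix."""
    dir_types = {(r["sdom"], r["ttype"]) for r in records
                 if r["tclass"] == "dir" and "add_name" in r["perms"]}
    return sorted({(r["sdom"], r["ttype"], r["name"]) for r in records
                   if "create" in r["perms"] and r["tclass"] != "dir"
                   and (r["sdom"], r["ttype"]) in dir_types})

if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print("\n".join(allow_rules(recs)))
    for dom, ttype, name in inherited_label_creates(recs):
        print("# %s creates %s labelled %s: needs a private type + type_transition" % (dom, name, ttype))
```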
Comment 3 Daniel Walsh 2005-08-07 06:05:39 EDT
Created attachment 117523 [details]
DDclient patch to fix cache creation

If you apply this patch to ddclient.te, does it fix your problems? You might
need to restorecon /var/cache/ddclient*

This patch will be in the next update, although we do not ship ddclient.te...
Comment 4 W. Michael Petullo 2005-08-07 22:40:55 EDT
The patch in comment #3 seems to work.
Comment 5 Daniel Walsh 2005-08-25 15:43:33 EDT
Fixed in policy version 1.25.4-10
