Bug 186317 - useradd/groupadd from smart package manager denied
useradd/groupadd from smart package manager denied
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-22 16:16 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:11:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ville Skyttä 2006-03-22 16:16:06 EST
useradd/groupadd from various packages' %pre scriptles appears denied with  
selinux-policy-targeted-2.2.23-15.  Smart package manager is available eg.  
from bug 185239. 
  
Messages generated by "smart install postfix": 
 
Mar 22 23:18:22 viper kernel: audit(1143062302.161:142): avc:  denied  { read  
write } for  pid=6823 comm="groupadd" name="tmpNM65Vi-smart-rpm-out.txt"  
dev=sda3 ino=9647770 scontext=user_u:system_r:groupadd_t:s0  
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file  
Mar 22 23:18:22 viper kernel: audit(1143062302.169:143): avc:  denied   
{ ioctl } for  pid=6823 comm="groupadd" name="tmpNM65Vi-smart-rpm-out.txt"  
dev=sda3 ino=9647770 scontext=user_u:system_r:groupadd_t:s0  
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file  
Mar 22 23:18:22 viper kernel: audit(1143062302.269:144): avc:  denied  { read  
write } for  pid=6826 comm="useradd" name="tmpNM65Vi-smart-rpm-out.txt"  
dev=sda3 ino=9647770 scontext=user_u:system_r:useradd_t:s0  
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file  
Mar 22 23:18:22 viper kernel: audit(1143062302.277:145): avc:  denied  { read  
write } for  pid=6826 comm="useradd" name="lastlog" dev=sda3 ino=12918469  
scontext=user_u:system_r:useradd_t:s0 tcontext=system_u:object_r:var_log_t:s0  
tclass=file  
Mar 22 23:18:22 viper kernel: audit(1143062302.293:146): avc:  denied   
{ ioctl } for  pid=6826 comm="useradd" name="tmpNM65Vi-smart-rpm-out.txt"  
dev=sda3 ino=9647770 scontext=user_u:system_r:useradd_t:s0  
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Comment 1 Toshio Kuratomi 2006-03-23 12:18:00 EST
This looks like a duplicate of:
Bug #186294
Comment 2 Ville Skyttä 2006-03-23 14:30:46 EST
Yes I saw bug 186294, but it deals with yum shell, and this one with smart. 
Comment 3 Daniel Walsh 2006-04-03 12:35:25 EDT
Fixed in selinux-policy-2.2.25-2.fc5
Comment 4 Ville Skyttä 2006-04-03 16:49:17 EDT
Hm, with selinux-policy-targeted-2.2.25-3.fc5:

Apr  3 23:53:11 viper kernel: audit(1144097591.971:6): avc:  denied  { read
write } for  pid=3787 comm="useradd" name="tmpn8cd2r-smart-rpm-out.txt" dev=sda3
ino=9647919 scontext=user_u:system_r:useradd_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Apr  3 23:53:12 viper kernel: audit(1144097592.167:7): avc:  denied  { read
write } for  pid=3787 comm="useradd" name="lastlog" dev=sda3 ino=12918469
scontext=user_u:system_r:useradd_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=file


Anyway, the user is apparently created despite of the above noise, even in
Enforcing mode.  But something's not quite right, right?
Comment 5 Ville Skyttä 2006-04-16 05:15:03 EDT
Still happens with 2.2.29-3.fc5, and add restorecon from %post scripts to the list:

Apr 16 12:17:31 viper kernel: audit(1145179051.978:9): avc:  denied  { read
write } for  pid=27202 comm="restorecon" name="tmpxltSaE-smart-rpm-out.txt"
dev=sda3 ino=9647882 scontext=user_u:system_r:restorecon_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Comment 8 Daniel Walsh 2006-05-09 12:35:25 EDT
This looks like smart package manager is leaking a open descriptor to
name="tmpxltSaE-smart-rpm-out.txt", Also lastlog is labeled incorrectly.
Or it is somehow doing the equivalent of  restorecon > tmpxltSaE-smart-rpm-out.txt
restorecon /var/log/lastlog

Comment 9 Ville Skyttä 2006-05-09 17:11:07 EDT
Regarding the ....-smart-rpm-out.txt messages, looks like this happens when
smart is trying to internally capture stdout and stderr output from %post and
friends scriptlet commands using a tempfile.  I looked at the code and it
confused me a bit, but I couldn't find an obvious leak in it in a quick look.

The code is here:
http://svn.smartpm.python-hosting.com/trunk/smart/backends/rpm/pm.py
See grabOutput() in the RPMCallback class and the invocations a couple of lines
above the class definition.

Re: lastlog, I had it already relabeled ok afterwards, no more those messages.
Comment 10 Ville Skyttä 2006-12-26 06:18:35 EST
Bumping to FC6, I'm still seeing these messages (SELinux in permissive mode).

@Axel: FYI
Comment 11 Ville Skyttä 2006-12-26 06:25:22 EST
Oh, and it's not only useradd/groupadd; semodule, load_policy, setfiles,
genhomedircon, and restorecon seem affected too:

# grep smart-rpm-out.txt /var/log/messages.1
Dec 21 20:23:19 viper kernel: audit(1166725399.837:32): avc:  denied  { read
write } for  pid=17851 comm="semodule" name="tmpftBRrA-smart-rpm-out.txt"
dev=sda3 ino=7260297 scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Dec 21 20:23:25 viper kernel: audit(1166725405.675:33): avc:  denied  { read
write } for  pid=17856 comm="load_policy" name="tmpftBRrA-smart-rpm-out.txt"
dev=sda3 ino=7260297 scontext=user_u:system_r:load_policy_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Dec 21 20:23:26 viper kernel: audit(1166725406.002:35): avc:  denied  { read
write } for  pid=17857 comm="setfiles" name="tmpftBRrA-smart-rpm-out.txt"
dev=sda3 ino=7260297 scontext=user_u:system_r:setfiles_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Dec 21 20:23:26 viper kernel: audit(1166725406.291:36): avc:  denied  { getattr
} for  pid=17858 comm="genhomedircon" name="tmpftBRrA-smart-rpm-out.txt"
dev=sda3 ino=7260297 scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Dec 21 20:23:26 viper kernel: audit(1166725406.510:37): avc:  denied  { ioctl }
for  pid=17858 comm="genhomedircon" name="tmpftBRrA-smart-rpm-out.txt" dev=sda3
ino=7260297 scontext=user_u:system_r:semanage_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file
Dec 21 20:23:27 viper kernel: audit(1166725407.247:38): avc:  denied  { read
write } for  pid=17888 comm="restorecon" name="tmpftBRrA-smart-rpm-out.txt"
dev=sda3 ino=7260297 scontext=user_u:system_r:restorecon_t:s0
tcontext=user_u:object_r:rpm_tmp_t:s0 tclass=file

# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-13.fc6.noarch
Comment 12 Axel Thimm 2006-12-26 12:54:16 EST
Should I do some selinux magic in the smart package? E.g. setting the context to
whatever yum and rpm have? If someone (Daniel?) gives me a hint on how to do
that outside of selinux-policy packages, I'll gladly add it.
Comment 13 Daniel Walsh 2007-01-02 10:41:05 EST
What is happening here is that the smart package is reassiging the stdin and
stdout of all daemons to tmpftBRrA-smart-rpm-out.txt  Which is labeled by
default rpm_tmp_t.  When a confined domain starts up it checks whether it has
the expected access to all open file descriptors.  Ordinarilyt this is a
terminal and we have rules that say something like

dontaudit setfiles_t tty_device_t:chr_file rw_file_perms;

But since you are handing it an open file descriptor to rpm_tmp_t, it is
generating AVC messages.  These denials probably do not cause any problems, as
the the kernel just closes the file descriptor and reopens it pointed at /dev/null.

But the AVC's are a pain.  One hack that we have used in the past to get around
this problem is to pipe the output to cat and then have cat output to the file.

So instead of 

genhomedircon > /tmp/out

use

genhomedircon | cat > /tmp/out

This might work.

In our qa lab we actually update the policy during a test run with something like

policy_module(test, 1.0);

require {
      attribute domain;
}

allow domain rpm_tmp_t:file rw_file_perms;
Comment 14 Daniel Walsh 2007-02-14 13:45:25 EST
Added dontaudit to selinux-policy-2.4.6-38
Comment 15 Daniel Walsh 2007-08-22 10:11:33 EDT
Fixed in current release

Note You need to log in before you can comment on or make changes to this bug.