Bug 220598 - [lspp] unable to run 'ybin' while enforcing mls policy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: ppc64 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-12-22 08:44 EST by Klaus Heinrich Kiwi
Modified: 2007-11-30 17:07 EST
Fixed In Version: RC
Doc Type: Bug Fix
Last Closed: 2007-02-07 20:59:31 EST
Attachments: None
Description Klaus Heinrich Kiwi 2006-12-22 08:44:22 EST
Description of problem:
[root@zaphod lspp-rpms]# rpm -ivh kernel-*
warning: kernel-2.6.18-1.2910.el5.ppc64.rpm: Header V3 DSA signature: NOKEY, key
ID 897da07a
Preparing...                ########################################### [100%]
   1:kernel-devel           ########################################### [ 50%]
   2:kernel                 ########################################### [100%]
ybin: /dev/sda1: Permission denied

later:
[root@zaphod lspp-rpms]# ybin 
ybin: /dev/sda1: Permission denied

security context:
[root@zaphod lspp-rpms]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh


Version-Release number of selected component (if applicable):


How reproducible:
try to run ybin while in enforcing mode

Steps to Reproduce:
1.boot RHEL5 with mls policy, enforcing SELinux
2.log-in as root:sysadm_r
3.run 'ybin'
  
Actual results:
ybin: /dev/sda1: Permission denied

Expected results:
to work

Additional info:
==AVCs====
type=AVC msg=audit(1166794030.846:472): avc:  denied  { search } for  pid=2496
comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858
scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.846:472): arch=14 syscall=195 success=no
exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0
ppid=2493 pid=2496 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash"
subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1166794030.847:473): avc:  denied  { search } for  pid=2495
comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858
scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.847:473): arch=14 syscall=195 success=no
exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0
ppid=2493 pid=2495 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash"
subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
================

current workaround is to run ybin while in permissive mode
Comment 1 Klaus Heinrich Kiwi 2006-12-22 08:47:33 EST
forgot to add:
[root@zaphod lspp-rpms]# rpm -qa | egrep policy
checkpolicy-1.33.1-2.el5
selinux-policy-devel-2.4.6-15.el5
selinux-policy-mls-2.4.6-15.el5
policycoreutils-1.33.6-6.el5
selinux-policy-2.4.6-15.el5
policycoreutils-newrole-1.33.6-6.el5
selinux-policy-targeted-2.4.6-15.el5
[root@zaphod lspp-rpms]# 

using 1218 refresh on an IBM POWER (lpar)
Comment 2 Klaus Heinrich Kiwi 2006-12-22 09:50:11 EST
audit2allow yields:

allow bootloader_t fixed_disk_device_t:blk_file write;
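The script below is an added example, not code from this bug report or from the selinux-policy project. It does the kind of triage that audit2allow performs on records like the ones quoted in the description: it parses AVC lines out of an audit log, collapses identical duplicate records (the later rpm -Uvh log in this thread repeats one depmod denial three times), sets aside "granted" records (those come from auditallow rules and are not denials), groups denials by source type, target type and object class, and prints candidate allow rules. The sample log is constructed from the report's own AVC and SYSCALL lines re-joined onto single lines; the rule it derives for the ybin denial reflects those quoted lines, whereas the audit2allow output in Comment 2 was produced from the reporter's full audit log.

```python
import re

# Constructed sample input: AVC, SYSCALL and AVC_PATH records quoted in this
# bug report, re-joined onto one line each (Bugzilla wrapped them for display).
# The depmod record appears three times with the same serial, as in the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1166794030.846:472): avc:  denied  { search } for  pid=2496 comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858 scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1166794030.846:472): arch=14 syscall=195 success=no exit=-13 a0=100b0b10 a1=ff1adcf0 a2=ff1adcf0 a3=fffffffffefefeff items=0 ppid=2493 pid=2496 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ybin" exe="/bin/bash" subj=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1166794030.847:473): avc:  denied  { search } for  pid=2495 comm="ybin" name="lspp-rpms" dev=dm-0 ino=1998858 scontext=staff_u:sysadm_r:bootloader_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=dir
type=AVC msg=audit(1168367356.552:222): avc:  granted  { setexec } for  pid=1502 comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for  pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for  pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for  pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313 scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
"""

# Only "type=AVC " records carry the decision; SYSCALL and AVC_PATH records do not match.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm, name, exe) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    """Return the unique AVC records in a log, in first-seen order.

    Records with the same serial, contexts, class and permissions are collapsed,
    so the three identical depmod lines in the sample count as one event.
    """
    seen = set()
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["serial"], rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def summarize(records, decision="denied"):
    """Group records by (source type, target type, class) -> (merged perms, event count)."""
    groups = {}
    for rec in records:
        if rec["decision"] != decision:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms, count = groups.get(key, (set(), 0))
        groups[key] = (perms | rec["perms"], count + 1)
    return groups


def allow_rules(records):
    """Emit audit2allow-style candidate rules for the denials, sorted for stable diffs.

    These are candidates for review, not a fix: each rule widens the policy for
    every process in the source domain, which is why this bug was resolved with
    an updated policy package rather than by loading such output as a local module.
    """
    rules = []
    for (stype, ttype, tclass), (perms, _count) in sorted(summarize(records).items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), (perms, count) in summarize(recs).items():
        print(f"{count} denial(s): {stype} -> {ttype}:{tclass} {sorted(perms)}")
    for rec in recs:
        if rec["decision"] == "granted":
            print(f"granted (auditallow): comm={rec['comm']} {sorted(rec['perms'])}")
    print("\n".join(allow_rules(recs)))
```

Run against a real log with `python3 avc_triage.py < /var/log/audit/audit.log` after swapping the constructed sample for `sys.stdin.read()`. The grouping by (source type, target type, class) is what makes a denial readable at a glance; the event count tells you whether a rule candidate covers one stray access or a recurring one, and the "granted" records are kept visible because an auditallow hit on setexec is expected for rpm and should not be mistaken for a problem.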
Comment 3 RHEL Product and Program Management 2007-01-03 11:00:59 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 6 Steve Grubb 2007-01-09 11:53:40 EST
SE linux policy has been updated since this was filed. We are wanting to know if
this problem still exists with current selinux policy. Thanks.
Comment 7 Klaus Heinrich Kiwi 2007-01-09 14:12:00 EST
Seems to be working fine.
There is one thing to notice, though - I tested the above by simply upgrading
the kernel, kernel-dev packages to the latest lspp (.61) versions (it should run
ybin while in %post - well, tested it standalone run as well). There were some
AVC denials in the process. I don't really know if this is of any harm, but
since it's a relatively common task, I'd like you to take a look and see for
yourself (couldn't find any other symptom besides AVC messages)

command:
[root@zaphod klausk_rpms]# rpm -Uvh kernel-*.rpm
Preparing...                ########################################### [100%]
   1:kernel                 ########################################### [ 50%]
   2:kernel-devel           ########################################### [100%]
[root@zaphod klausk_rpms]#

audit.log (covering the whole task above):
type=AVC msg=audit(1168367356.552:222): avc:  granted  { setexec } for  pid=1502
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367356.552:222): arch=14 syscall=4 success=yes
exit=43 a0=14 a1=10618c20 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=1502
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1168367356.736:223): avc:  denied  { read write } for 
pid=1513 comm="depmod" name="hvc0" dev=tmpfs ino=2313
scontext=root:sysadm_r:depmod_t:s0-s15:c0.c1023
tcontext=root:object_r:sysadm_tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1168367356.736:223): arch=14 syscall=11 success=yes
exit=0 a0=1011f968 a1=10112860 a2=10115c88 a3=0 items=0 ppid=1505 pid=1513
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="depmod" exe="/sbin/depmod" subj=root:sysadm_r:depmod_t:s0-s15:c0.c1023
key=(null)
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
type=AVC_PATH msg=audit(1168367356.736:223):  path="/dev/hvc0"
type=AVC msg=audit(1168367423.044:224): avc:  granted  { setexec } for  pid=2303
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.044:224): arch=14 syscall=4 success=yes
exit=43 a0=15 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2303
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1168367423.104:225): avc:  granted  { setexec } for  pid=2304
comm="rpm" scontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023
tcontext=root:sysadm_r:rpm_t:s0-s15:c0.c1023 tclass=process
type=SYSCALL msg=audit(1168367423.104:225): arch=14 syscall=4 success=yes
exit=43 a0=14 a1=10a34710 a2=2b a3=fffffffffefefeff items=0 ppid=1500 pid=2304
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=hvc0
comm="rpm" exe="/bin/rpm" subj=root:sysadm_r:rpm_t:s0-s15:c0.c1023 key=(null)

You may close the bug. Please contact me if you need a bug report for the above.

 Klaus
Comment 8 Daniel Walsh 2007-01-11 14:58:40 EST
Fixed in selinux-policy-2.4.6-25
Comment 9 RHEL Product and Program Management 2007-02-07 20:59:31 EST
A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.
