Bug 222498 - various AVCs with setroubleshootd
various AVCs with setroubleshootd
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: John Dennis
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-12 18:14 EST by Tom London
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-28 10:43:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
AVCs from 'service setroubleshoot start' (9.50 KB, text/plain)
2007-01-12 18:14 EST, Tom London
no flags Details
Enforcing mode audit log (14.41 KB, text/plain)
2007-02-08 10:46 EST, Tom London
no flags Details
Permissive mode audit log (6.40 KB, text/plain)
2007-02-08 10:47 EST, Tom London
no flags Details
/var/log/audit/audit.log with setroubleshoot AVCs (10.39 KB, text/plain)
2007-02-14 10:20 EST, Tom London
no flags Details
Feb FC7T1 install and updates - final avc status. (8.58 KB, text/plain)
2007-02-16 03:11 EST, Darwin H. Webb
no flags Details
new avc messages from logwatch, anacron, prelink. (10.19 KB, application/octet-stream)
2007-02-16 10:44 EST, Darwin H. Webb
no flags Details
avc messages remining (14.54 KB, text/plain)
2007-02-23 19:07 EST, Darwin H. Webb
no flags Details

  None (edit)
Description Tom London 2007-01-12 18:14:22 EST
Description of problem:
Running targeted/enforcing, when starting setroubleshootd (via 'service
setroubleshoot start') after editing comma into
/usr/lib/python2.5/site-packages/rhpl/__init__.py, I get numerous AVCs (see
attached log file).  'audit2allow -i log' produces:

allow setroubleshootd_t ld_so_t:file execute_no_trans;
allow setroubleshootd_t ldconfig_exec_t:file { execute getattr };
allow setroubleshootd_t lib_t:dir write;
allow setroubleshootd_t root_t:file unlink;
allow setroubleshootd_t tmp_t:dir write;


Version-Release number of selected component (if applicable):
setroubleshoot-1.8.14-1.fc7

How reproducible:
every time

Steps to Reproduce:
1. 'service setroubleshoot start' (first add missing comma to __init__.py)
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Tom London 2007-01-12 18:14:22 EST
Created attachment 145495 [details]
AVCs from 'service setroubleshoot start'
Comment 2 Tom London 2007-01-13 13:20:23 EST
Update to rhpl-0.201-2 fixes the lib_t:dir write AVC, but the others remain.

The 'root_t' AVC link to files in '/'; I now appear to have 30-40 of them
littering /.  Here is a snippet from 'ls /':

drwxr-xr-x 106 root root 12288 2007-01-13 09:59 etc
drwxr-xr-x   2 root root  4096 2007-01-13 09:58 media
drwxr-xr-x   2 root root     0 2007-01-13 09:58 net
drwxr-xr-x   2 root root     0 2007-01-13 09:58 misc
-rw-------   1 root root     4 2007-01-13 09:58 jql-Nf
-rw-------   1 root root     4 2007-01-13 09:58 miIZiq
drwxr-xr-x   4 root root     0 2007-01-13 09:57 selinux
drwxr-xr-x  11 root root     0 2007-01-13 09:57 sys
dr-xr-xr-x 178 root root     0 2007-01-13 09:57 proc
-rw-------   1 root root     4 2007-01-13 09:26 PXg1az
-rw-------   1 root root     4 2007-01-13 09:26 q5aIuX
drwxr-xr-x   2 root root 12288 2007-01-13 09:18 sbin
drwxr-xr-x  15 root root  4096 2007-01-13 09:18 lib
drwxr-xr-x   2 root root  4096 2007-01-13 09:17 bin
-rw-------   1 root root     4 2007-01-13 08:45 iAhIbM
-rw-------   1 root root     4 2007-01-13 08:45 xuIxiw
-rw-------   1 root root     4 2007-01-12 16:06 TWba1B
-rw-------   1 root root     4 2007-01-12 16:05 31fgzJ

although there are many more....  Here are the one(s) referred in above AVCs:
-rw-------   1 root root     4 2007-01-12 15:05 e3CqDz
-rw-------   1 root root     4 2007-01-12 15:05 -tYpe9

Looks like I'm getting 2 of these each time I boot.

Contents appears to be the string "blat".
Comment 3 Tom London 2007-01-27 13:33:56 EST
The "blat" files appear to be coming from _get_default_tempdir() in
/usr/lib/python2.5/tempfile.py (guessing from a call to mkstemp()?).

_get_default_tempdir() tries to create a file, write the string "blat", close
and then unlink the file (apparently testing create/write/unlink) in that directory.

These files are being created and written in "/" with label "root_t", and
appears the following AVC blocks the unlink:

type=AVC msg=audit(1168643147.575:103): avc:  denied  { unlink } for  pid=13888
comm="setroubleshootd" name="e3CqDz" dev=dm-0 ino=100203
scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=user_u:object_r:root_t:s0
tclass=file
type=SYSCALL msg=audit(1168643147.575:103): arch=40000003 syscall=10 success=no
exit=-13 a0=8891c38 a1=1 a2=4c7f20b4 a3=87981b0 items=0 ppid=1 pid=13888
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="setroubleshootd" exe="/usr/bin/python"
subj=user_u:system_r:setroubleshootd_t:s0 key=(null)

/usr/sbin/setroubleshootd cd's to "/".  That causing this?

Comment 4 Tom London 2007-02-01 10:05:47 EST
Still having AVC problem with setroubleshoot-1.8.15-1.fc7.  Get the same AVCs as
above.

Putting system in permissive mode and running 'service setroubleshoot start'
produces:

type=AVC msg=audit(1170341931.733:44): avc:  denied  { read } for  pid=7412
comm="setroubleshootd" name=".rpmmacros" dev=dm-0 ino=131558
scontext=user_u:system_r:setroubleshootd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1170341931.733:44): arch=40000003 syscall=5 success=yes
exit=12 a0=8c86f20 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=7412 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="setroubleshootd" exe="/usr/bin/python"
subj=user_u:system_r:setroubleshootd_t:s0 key=(null)
type=AVC msg=audit(1170341932.005:45): avc:  denied  { execute } for  pid=7415
comm="sh" name="ldconfig" dev=dm-0 ino=11337797
scontext=user_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1170341932.005:45): avc:  denied  { execute_no_trans } for 
pid=7415 comm="sh" name="ldconfig" dev=dm-0 ino=11337797
scontext=user_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1170341932.005:45): avc:  denied  { read } for  pid=7415
comm="sh" name="ldconfig" dev=dm-0 ino=11337797
scontext=user_u:system_r:setroubleshootd_t:s0
tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1170341932.005:45): arch=40000003 syscall=11 success=yes
exit=0 a0=9a5d8b8 a1=9a5d938 a2=9a5cf18 a3=0 items=0 ppid=7414 pid=7415 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="ldconfig" exe="/sbin/ldconfig" subj=user_u:system_r:setroubleshootd_t:s0
key=(null)
type=AVC_PATH msg=audit(1170341932.005:45):  path="/sbin/ldconfig"
type=AVC_PATH msg=audit(1170341932.005:45):  path="/sbin/ldconfig"

.rpmmacros in above AVC is from my home directory .... (!?)

Have I screwed up something locally?
Comment 5 Tom London 2007-02-08 10:46:29 EST
Created attachment 147658 [details]
Enforcing mode audit log

After installing setroubleshoot-1.8.17-1.fc7, booted in both enforcing and
permissive mode. Audit logs attached.
Comment 6 Tom London 2007-02-08 10:47:18 EST
Created attachment 147659 [details]
Permissive mode audit log
Comment 7 Tom London 2007-02-14 10:20:28 EST
Created attachment 148053 [details]
/var/log/audit/audit.log with setroubleshoot AVCs

setroubleshoot-1.8.18-1.fc7 has similar AVCs.... attached.
Comment 8 Darwin H. Webb 2007-02-16 03:11:41 EST
Created attachment 148176 [details]
Feb FC7T1 install and updates - final avc status.
Comment 9 Darwin H. Webb 2007-02-16 03:16:38 EST
The comments are inside the text attachment above.

Baically, I am get the same messages after a puzzling round on a freah install.
I think it was that makewhatis needed to run before I could use the tools and
get a relabel.
SELinux is now running and the AVC remaining have not triggered sealert.

Darwin
Comment 10 Darwin H. Webb 2007-02-16 10:41:58 EST
Now that SELinux is running, the other AVC messages are showing up.
Looks like anacron for logwatch is messed up and prelink.

Messages from root e-mail:

2007-02-16 05:52:22 Cannot open main log file "/var/log/exim/main.log":
Permission denied: euid=0 egid=93
2007-02-16 05:52:22 unable to set gid=93 or uid=93 (euid=0): privilege not needed
2007-02-16 05:52:22 Cannot open main log file "/var/log/exim/main.log":
Permission denied: euid=0 egid=93
exim: could not open panic log - aborting: see message(s) above

New AVC's from audit.log in attachment.

Comment 11 Darwin H. Webb 2007-02-16 10:44:10 EST
Created attachment 148200 [details]
new avc messages from logwatch, anacron, prelink.

New AVC's from audit.log in attachment.

Darwin
Comment 12 Tom London 2007-02-21 12:27:22 EST
setroubleshoot AVCs fixed in setroubleshoot-1.9.1-1.fc7!

Thanks.

Close?
Comment 13 Darwin H. Webb 2007-02-23 19:07:47 EST
Created attachment 148734 [details]
avc messages remining

The alert, setroubleshoot, policy, and tools need to all work together so no,
it is not closed, just needs to be sent to some others.

This attachment is after updates of Feb 23rd - current.
setroubleshoot is not firing.
logwatch is not working correctly.
policycoreutils has a bad script.

Darwin
Comment 14 Tom London 2007-02-25 12:11:22 EST
Is 'setroubleshoot not firing' related to
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=229849 ?
Comment 15 John Dennis 2007-02-26 10:30:23 EST
RE comment #14, yes, bug 229849 would I expect cause the "not firing" problem
because the excpetion is generated during the construction of an alert.
Comment 16 Tom London 2007-03-28 10:43:32 EDT
Believe this is 'fixed in Rawhide'

Note You need to log in before you can comment on or make changes to this bug.