Bug 236774 - avc denial of useradd writing to /var/log/faillog
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Keywords: Reopened
Duplicates: 238474
Reported: 2007-04-17 12:26 EDT by Zack Cerza
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-05-02 17:18:53 EDT


Attachments:
anaconda.log (19.34 KB, text/plain), 2007-04-30 15:12 EDT, Zack Cerza
/root/install.log from Fedora 7 Test 4 installation (30.78 KB, application/octet-stream), 2007-04-30 15:32 EDT, Gilles Detillieux
/var/log/anaconda.log from Fedora 7 Test 4 installation (29.62 KB, application/octet-stream), 2007-04-30 15:35 EDT, Gilles Detillieux

Description Zack Cerza 2007-04-17 12:26:50 EDT
Description of problem:
The following occurred when I was installing openoffice.org-writer (and 18
dependencies):

avc: denied { read, write } for comm="useradd" dev=sda3 egid=0 euid=0
exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="faillog"
pid=9251 scontext=user_u:system_r:useradd_t:s0 sgid=0
subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=pts1 uid=0 

Version-Release number of selected component (if applicable):
shadow-utils-4.0.18.1-13.fc7.i386
selinux-policy-targeted-2.5.12-2.fc7.noarch
Comment 1 Daniel Walsh 2007-04-17 13:49:41 EDT
This is a labeling problem that should be fixed on initial install of FC7. 
restorecon -R -v /var/log 
will fix it.
Comment 2 Gilles Detillieux 2007-04-27 16:41:14 EDT
I just installed Fedora 7 Test 4 (6.93), and I got a similar avc error to the
one above.  For me, it happened when I did a "yum install caching-nameserver". 
Yum installed "bind" as a dependency, and bind's preinstall script did a useradd
to create the "named" user ID.  That triggered the error when trying to access
faillog.  The restorecon command above reset the context for /var/log/faillog,
/var/log/tallylog and /var/log/yum.log.  They were all var_log_t, and were
changed to faillog_t for the first two, and rpm_log_t for yum.log.

Whatever should be fixed in FC7 isn't fixed yet in Test 4.
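An added example, not part of the original report or of any comment: a small triage script that parses the AVC record from the description and checks whether the target file carries the type restorecon assigned in comment 2. The `EXPECTED_TYPE` table and the function names are assumptions made for this illustration; on a live system the expected label would come from the installed file_contexts.

```python
import re

# AVC record from the bug description, with its line breaks joined.
AVC = ('avc: denied { read, write } for comm="useradd" dev=sda3 egid=0 euid=0 '
       'exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
       'name="faillog" pid=9251 scontext=user_u:system_r:useradd_t:s0 sgid=0 '
       'subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file '
       'tcontext=system_u:object_r:var_log_t:s0 tty=pts1 uid=0')

# Types reported in comment 2 after restorecon ran. Keyed by file name because
# the record carries only name=, not a full path (assumed to be under /var/log).
EXPECTED_TYPE = {"faillog": "faillog_t", "tallylog": "faillog_t",
                 "yum.log": "rpm_log_t"}


def parse_avc(line):
    """Return (permissions, fields) for one AVC denial record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial record")
    # Permissions may be separated by spaces or, as on this page, by commas.
    perms = re.split(r"[,\s]+", m.group(1).strip())
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    return perms, {k: v.strip('"') for k, v in pairs}


def triage(line):
    """Classify a denial as a labeling problem or a policy question."""
    perms, f = parse_avc(line)
    actual = f["tcontext"].split(":")[2]      # user:role:type:level
    expected = EXPECTED_TYPE.get(f.get("name"))
    if expected is None:
        verdict = "unknown-file"              # no expectation recorded
    elif expected != actual:
        verdict = "mislabeled"                # relabel, do not add allow rules
    else:
        verdict = "label-ok"                  # label is right; look at policy
    return {"source": f["scontext"].split(":")[2], "perms": perms,
            "name": f.get("name"), "actual": actual,
            "expected": expected, "verdict": verdict}


if __name__ == "__main__":
    print(triage(AVC))
```

A "mislabeled" verdict corresponds to the restorecon fix from comment 1; "label-ok" means the file already has its expected type and the denial needs a policy review instead.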
Comment 3 Zack Cerza 2007-04-27 17:08:45 EDT
Looks like this isn't fixed. Dan, should new bugs be filed for the other two
files mentioned in comment #2?
Comment 4 Daniel Walsh 2007-04-28 09:13:42 EDT
Anaconda was supposed to fix up the /var/log directory when it finished the
install.  Pete did that code get removed?
Comment 5 Jeremy Katz 2007-04-30 15:07:07 EDT
(In reply to comment #4)
> Anaconda was supposed to fix up the /var/log directory when it finished the
> install.  Pete did that code get removed?

We've never labeled all of /var/log; /var/log/faillog should get the right label
when it's installed as part of the pam package.  I'd really like to see the
/root/install.log and /var/log/anaconda.log of the system instead of just
papering over more of this stuff
Comment 6 Zack Cerza 2007-04-30 15:12:09 EDT
Created attachment 153812
anaconda.log

Oddly enough, there is no /root/install.log.

This system was installed via Live USB of Test 3.
Comment 7 Gilles Detillieux 2007-04-30 15:32:48 EDT
Created attachment 153813
/root/install.log from Fedora 7 Test 4 installation
Comment 8 Gilles Detillieux 2007-04-30 15:35:04 EDT
Created attachment 153814
/var/log/anaconda.log from Fedora 7 Test 4 installation

I can also provide the corresponding syslogs if you need them too.
Comment 9 Jeremy Katz 2007-04-30 17:41:59 EDT
Zack -- for the live CD case, things look right with test4 and beyond (there was
something a little hurky there with test3)

(In reply to comment #2)
> I just installed Fedora 7 Test 4 (6.93), and I got a similar avc error to the
> one above.  For me, it happened when I did a "yum install caching-nameserver". 
> Yum installed "bind" as a dependency, and bind's preinstall script did a useradd
> to create the "named" user ID.  That triggered the error when trying to access
> faillog.  The restorecon command above reset the context for /var/log/faillog,
> /var/log/tallylog 

These two are both part of the pam package and created with install in the %post
script.  Dan -- I thought that install was supposed to dtrt with setting SELinux
contexts?  If not, then the pam %post needs to be setting the context also.

> and /var/log/yum.log.  They were all var_log_t, and were
> changed to faillog_t for the first two, and rpm_log_t for yum.log.

/var/log/yum.log isn't included in a package and just gets created at runtime. 
It sounds like a potentially missing transition rule from var_log_t to rpm_log_t
for things running in rpm_exec_t?
Comment 10 Jeremy Katz 2007-05-01 08:14:47 EDT
*** Bug 238474 has been marked as a duplicate of this bug. ***
Comment 11 Daniel Walsh 2007-05-01 08:18:17 EDT
No, the problem is that the selinux-policy-targeted is not installed before pam.
So when pam does the install command the file_context file does not exist, so
the faillog and tallylog files get created with the default context var_log_t.
So our options are to make pam rely on a particular version of selinux-policy or
have anaconda fix the labeling in its post.
Comment 12 Gilles Detillieux 2007-05-01 11:06:46 EDT
I'm guessing that making pam rely on a particular version of selinux-policy
could potentially lead to other problems.  I'm also wondering why this isn't a
problem with other packages.  In my install.log, selinux-policy-targeted is on
line 551 of 750 lines, so almost 3/4 of the packages are installed before the
policy is in place.  Is there no way of telling anaconda to install the selinux
packages, if they're selected, before other packages, without making the other
packages dependent on selinux if you choose to do without it?  Fixing things up
at the end would work too, but should this be limited to /var/log, or are there
potentially a whole lot of other files that will need fixing too?  Should I run
"restorecon -R -v /" and attach the output?
Comment 13 Jeremy Katz 2007-05-02 17:18:53 EDT
After talking with dwalsh yesterday, adding /var/log for now, but that's only a
temporary fix and for F8, we really need to get back to putting policy with the
packages instead of the monolithic blob we have today.
