Bug 460970 - "semanage translation -a" causes denials; setrans.conf mode changed
Summary: "semanage translation -a" causes denials; setrans.conf mode changed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.3
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-09-03 02:26 UTC by Murray McAllister
Modified: 2021-01-27 08:44 UTC (History)
7 users (show)

Fixed In Version: policycoreutils-1.33.12-14.8.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 08:13:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
AVC denials (91.70 KB, text/plain)
2008-09-03 02:28 UTC, Murray McAllister 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0208 0 normal SHIPPED_LIVE policycoreutils bug fix update 2010-03-29 12:28:37 UTC

Description Murray McAllister 2008-09-03 02:26:08 UTC 
Description of problem:

Running "semanage translation -a -T Secret s0:c2" causes denials and setrans.conf mode changes.

Version-Release number of selected component (if applicable):

* Red Hat Enterprise Linux Server release 5.2 (Tikanga)

* policycoreutils-1.33.12-14.el5

* setroubleshoot-2.0.5-3.el5
* setroubleshoot-server-2.0.5-3.el5
* setroubleshoot-plugins-2.0.4-2.el5

* selinux-policy-targeted-2.4.6-137.1.el5_2
* selinux-policy-2.4.6-137.1.el5_2
* libselinux-devel-1.33.4-5.el5
* libselinux-python-1.33.4-5.el5
* libselinux-devel-1.33.4-5.el5
* libselinux-1.33.4-5.el5
* libselinux-1.33.4-5.el5

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted


How reproducible:
Always

Steps to Reproduce:
1. ls -l /etc/selinux/targeted/setrans.conf 
-rw-r--r-- 1 root root 598 Jul  2 01:13 /etc/selinux/targeted/setrans.conf

2. semanage translation -a -T Secret s0:c2

3. ls -l /etc/selinux/targeted/setrans.conf 
-rw------- 1 root root 611 Sep  3 12:10 /etc/selinux/targeted/setrans.conf
  
Actual results:
No errors; translation added; lots of AVC denials; setrans.conf mode changed from 644 to 600.

Expected results:
No AVC denials and setrans.conf mode stays as 644.

Additional info:

See attached denials from /var/log/messages and /var/log/audit/audit.log
Comment 1 Murray McAllister 2008-09-03 02:28:12 UTC 
Created attachment 315612 [details]
AVC denials
Comment 2 Daniel Walsh 2008-09-09 17:26:57 UTC 
Fixed in selinux-policy-3.5.7-1.fc10
Comment 3 Daniel Walsh 2009-01-16 12:57:34 UTC 
Woops wrong bug.  Some of this is fixed in 5.3 policy but needs to be completed in 5.4.
Comment 7 Daniel Walsh 2009-04-09 17:55:23 UTC 
Fixed in policycoreutils-1.33.12-14.4.el5
Comment 13 Daniel Walsh 2009-06-12 12:58:43 UTC 
Fixed in selinux-policy-2.4.6-246.el5
Comment 16 Milos Malik 2009-07-21 15:29:26 UTC 
Following 2 commands are part of /CoreOS/policycoreutils/Regression/bz460970-semanage-translation-a-causes-denials test.

# semanage translation -a -T secret s0:c2
env: /etc/init.d/mcstrans: Permission denied
# echo $?
0
# semanage translation -d -T secret s0:c2
env: /etc/init.d/mcstrans: Permission denied
# echo $?
0

Each of them generated 1 AVC:

----
time->Tue Jul 21 11:26:45 2009
type=SYSCALL msg=audit(1248190005.385:52): arch=c0000032 syscall=1033 success=no exit=-13 a0=60000fffffaefb28 a1=60000fffffaef8b0 a2=6000000000009030 a3=710 items=0 ppid=10227 pid=10232 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="env" exe="/bin/env" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1248190005.385:52): avc:  denied  { transition } for  pid=10232 comm="env" path="/etc/rc.d/init.d/mcstrans" dev=sda2 ino=2491075 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:system_r:semanage_t:s0 tclass=process
----
time->Tue Jul 21 11:26:46 2009
type=SYSCALL msg=audit(1248190006.218:53): arch=c0000032 syscall=1033 success=no exit=-13 a0=60000fffffeabb28 a1=60000fffffeab8b0 a2=6000000000009030 a3=710 items=0 ppid=10253 pid=10258 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="env" exe="/bin/env" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1248190006.218:53): avc:  denied  { transition } for  pid=10258 comm="env" path="/etc/rc.d/init.d/mcstrans" dev=sda2 ino=2491075 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:system_r:semanage_t:s0 tclass=process
----

Reproduced on RHEL5.4-Server-20090720.nightly machine with following packages installed:

# rpm -qf /etc/rc.d/init.d/mcstrans
mcstrans-0.2.11-3.el5
# rpm -qa 'selinux-policy*'
selinux-policy-targeted-2.4.6-253.el5
selinux-policy-2.4.6-253.el5
# rpm -qa 'libselinux*'
libselinux-devel-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
libselinux-1.33.4-5.5.el5
# rpm -qa 'libsemanage*'
libsemanage-1.9.1-4.3.el5
# rpm -qa 'policycoreutils*'
policycoreutils-1.33.12-14.5.el5
# rpm -qa 'libsepol*'
libsepol-1.15.2-2.el5
libsepol-devel-1.15.2-2.el5
Comment 20 Miroslav Grepl 2009-11-25 16:28:42 UTC 
Fixed in policycoreutils-1.33.12-14.7.el5
Comment 23 Miroslav Grepl 2010-01-07 15:00:23 UTC 
Fixed in policycoreutils-1.33.12-14.8.el5
Comment 27 errata-xmlrpc 2010-03-30 08:13:08 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0208.html
Note You need to log in before you can comment on or make changes to this bug.