Red Hat Bugzilla – Bug 460970
"semanage translation -a" causes denials; setrans.conf mode changed
Last modified: 2015-01-04 17:35:34 EST
Description of problem: Running "semanage translation -a -T Secret s0:c2" causes denials and setrans.conf mode changes. Version-Release number of selected component (if applicable): * Red Hat Enterprise Linux Server release 5.2 (Tikanga) * policycoreutils-1.33.12-14.el5 * setroubleshoot-2.0.5-3.el5 * setroubleshoot-server-2.0.5-3.el5 * setroubleshoot-plugins-2.0.4-2.el5 * selinux-policy-targeted-2.4.6-137.1.el5_2 * selinux-policy-2.4.6-137.1.el5_2 * libselinux-devel-1.33.4-5.el5 * libselinux-python-1.33.4-5.el5 * libselinux-devel-1.33.4-5.el5 * libselinux-1.33.4-5.el5 * libselinux-1.33.4-5.el5 SELinux status: enabled SELinuxfs mount: /selinux Current mode: permissive Mode from config file: permissive Policy version: 21 Policy from config file: targeted How reproducible: Always Steps to Reproduce: 1. ls -l /etc/selinux/targeted/setrans.conf -rw-r--r-- 1 root root 598 Jul 2 01:13 /etc/selinux/targeted/setrans.conf 2. semanage translation -a -T Secret s0:c2 3. ls -l /etc/selinux/targeted/setrans.conf -rw------- 1 root root 611 Sep 3 12:10 /etc/selinux/targeted/setrans.conf Actual results: No errors; translation added; lots of AVC denials; setrans.conf mode changed from 644 to 600. Expected results: No AVC denials and setrans.conf mode stays as 644. Additional info: See attached denials from /var/log/messages and /var/log/audit/audit.log
Created attachment 315612 [details] AVC denials
Fixed in selinux-policy-3.5.7-1.fc10
Woops wrong bug. Some of this is fixed in 5.3 policy but needs to be completed in 5.4.
Fixed in policycoreutils-1.33.12-14.4.el5
Fixed in selinux-policy-2.4.6-246.el5
Following 2 commands are part of /CoreOS/policycoreutils/Regression/bz460970-semanage-translation-a-causes-denials test. # semanage translation -a -T secret s0:c2 env: /etc/init.d/mcstrans: Permission denied # echo $? 0 # semanage translation -d -T secret s0:c2 env: /etc/init.d/mcstrans: Permission denied # echo $? 0 Each of them generated 1 AVC: ---- time->Tue Jul 21 11:26:45 2009 type=SYSCALL msg=audit(1248190005.385:52): arch=c0000032 syscall=1033 success=no exit=-13 a0=60000fffffaefb28 a1=60000fffffaef8b0 a2=6000000000009030 a3=710 items=0 ppid=10227 pid=10232 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="env" exe="/bin/env" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1248190005.385:52): avc: denied { transition } for pid=10232 comm="env" path="/etc/rc.d/init.d/mcstrans" dev=sda2 ino=2491075 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:system_r:semanage_t:s0 tclass=process ---- time->Tue Jul 21 11:26:46 2009 type=SYSCALL msg=audit(1248190006.218:53): arch=c0000032 syscall=1033 success=no exit=-13 a0=60000fffffeabb28 a1=60000fffffeab8b0 a2=6000000000009030 a3=710 items=0 ppid=10253 pid=10258 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="env" exe="/bin/env" subj=root:system_r:semanage_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1248190006.218:53): avc: denied { transition } for pid=10258 comm="env" path="/etc/rc.d/init.d/mcstrans" dev=sda2 ino=2491075 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:system_r:semanage_t:s0 tclass=process ---- Reproduced on RHEL5.4-Server-20090720.nightly machine with following packages installed: # rpm -qf /etc/rc.d/init.d/mcstrans mcstrans-0.2.11-3.el5 # rpm -qa 'selinux-policy*' selinux-policy-targeted-2.4.6-253.el5 selinux-policy-2.4.6-253.el5 # rpm -qa 'libselinux*' libselinux-devel-1.33.4-5.5.el5 libselinux-utils-1.33.4-5.5.el5 libselinux-python-1.33.4-5.5.el5 libselinux-1.33.4-5.5.el5 # rpm -qa 'libsemanage*' libsemanage-1.9.1-4.3.el5 # rpm -qa 'policycoreutils*' policycoreutils-1.33.12-14.5.el5 # rpm -qa 'libsepol*' libsepol-1.15.2-2.el5 libsepol-devel-1.15.2-2.el5
Fixed in policycoreutils-1.33.12-14.7.el5
Fixed in policycoreutils-1.33.12-14.8.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0208.html