Bug 472286 - SELinux is preventing sh (unconfined_execmem_t) "transition" rpm_script_t.
SELinux is preventing sh (unconfined_execmem_t) "transition" rpm_script_t.
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2008-11-19 14:56 EST by John Freed
Modified: 2008-12-01 14:52 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-12-01 14:52:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Freed 2008-11-19 14:56:00 EST
Description of problem:
attempted to install Adobe Media Player via Firefox. Installer asked for and received root password. SELinux generated an AVC.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Go to http://www.adobe.com/products/flash/about/
2. Click on link to install Adobe Media Player
Actual results:
Install failed.

Expected results:
Install succeeded.

Additional info:

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Additional Information:

Source Context                unconfined_u:system_r:unconfined_execmem_t
Target Context                unconfined_u:system_r:rpm_script_t:SystemLow-
Target Objects                /bin/bash [ process ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          localhost
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages           bash-3.2-22.fc9
Policy RPM                    selinux-policy-3.3.1-107.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost
Platform                      Linux localhost #1 SMP Wed
                              Nov 12 18:56:28 EST 2008 i686 i686
Alert Count                   1
First Seen                    Wed 19 Nov 2008 08:43:25 PM CET
Last Seen                     Wed 19 Nov 2008 08:45:48 PM CET
Local ID                      285f8518-016d-49b0-9475-8df84d8a41de
Line Numbers                  

Raw Audit Messages            

node=localhost type=AVC msg=audit(1227123948.320:1352): avc:  denied  { transition } for  pid=15005 comm="rpm" path="/bin/bash" dev=dm-0 ino=688416 scontext=unconfined_u:system_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process

node=localhost type=SYSCALL msg=audit(1227123948.320:1352): arch=40000003 syscall=11 success=yes exit=0 a0=916ed8a a1=bfd97ca0 a2=9164718 a3=0 items=2 ppid=14981 pid=15005 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)

node=localhost type=CWD msg=audit(1227123948.320:1352): cwd="/"

node=localhost type=PATH msg=audit(1227123948.320:1352): item=0 name="/bin/sh" inode=688416 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0

node=localhost type=PATH msg=audit(1227123948.320:1352): item=1 name=(null) inode=1409033 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
Comment 1 Daniel Walsh 2008-12-01 14:52:19 EST
This looks like you changed the context on   firefox to unconfined_execmem_exec_t which is the wrong thing to do.

Please remove this mapping and allow firefox to run under unconfined_t. Everything should work.

Note You need to log in before you can comment on or make changes to this bug.