Bug 472839 - (staff_u) SELinux is preventing running of both /usr/bin/thunderbird (thunderbird_exec_t) and /usr/bin/evolution (evolution_exec_t)
(staff_u) SELinux is preventing running of both /usr/bin/thunderbird (thunder...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: Reopened, SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-24 18:41 EST by Matěj Cepl
Modified: 2018-04-11 09:19 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-26 18:22:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
stdout of semodule -l (2.13 KB, text/plain)
2008-11-25 10:46 EST, Matěj Cepl
no flags Details

  None (edit)
Description Matěj Cepl 2008-11-24 18:41:24 EST
Souhrn:

SELinux is preventing launchmail (staff_t) "getattr" to /usr/bin/thunderbird
(thunderbird_exec_t).

Podrobný popis:

SELinux denied access requested by launchmail. It is not expected that this
access is required by launchmail and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/bin/thunderbird,

restorecon -v '/usr/bin/thunderbird'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:thunderbird_exec_t
Objekty cíle                 /usr/bin/thunderbird [ file ]
Zdroj                         which
Cesta zdroje                  /usr/bin/which
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          bash-3.2-29.fc10
RPM balíčky cíle           thunderbird-2.0.0.18-1.fc10
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           2
Poprvé viděno               Po 24. listopad 2008, 23:23:38 CET
Naposledy viděno             Po 24. listopad 2008, 23:23:38 CET
Místní ID                   bcd7179a-97c6-47b6-9ae1-ca5539805a41
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227565418.149:202): avc:  denied  { getattr } for  pid=5541 comm="launchmail" path="/usr/bin/thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1227565418.149:202): arch=40000003 syscall=195 success=no exit=-13 a0=84666b0 a1=bfb7b920 a2=b20ff4 a3=84666b0 items=0 ppid=1 pid=5541 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="launchmail" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 1 Matěj Cepl 2008-11-24 19:07:59 EST
Probably bigger problem than that -- when running thunderbird from the gnome-terminal I get the following error and no thunderbird:


Souhrn:

SELinux is preventing sh (staff_t) "read" to ./thunderbird (thunderbird_exec_t).

Podrobný popis:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./thunderbird,

restorecon -v './thunderbird'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:thunderbird_exec_t
Objekty cíle                 ./thunderbird [ file ]
Zdroj                         sh
Cesta zdroje                  /bin/bash
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          bash-3.2-29.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Út 25. listopad 2008, 01:05:42 CET
Naposledy viděno             Út 25. listopad 2008, 01:05:42 CET
Místní ID                   eeac3f37-8e99-448f-b909-644ed624aeaa
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227571542.802:269): avc:  denied  { read } for  pid=6158 comm="sh" name="thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1227571542.802:269): arch=40000003 syscall=5 success=no exit=-13 a0=9d04028 a1=8000 a2=0 a3=8000 items=0 ppid=5436 pid=6158 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="sh" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 2 Matěj Cepl 2008-11-24 19:12:56 EST
And the same goes for evolution:


Souhrn:

SELinux is preventing ls (staff_t) "getattr" to /usr/bin/evolution
(evolution_exec_t).

Podrobný popis:

SELinux denied access requested by ls. It is not expected that this access is
required by ls and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/bin/evolution,

restorecon -v '/usr/bin/evolution'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:evolution_exec_t
Objekty cíle                 /usr/bin/evolution [ file ]
Zdroj                         bash
Cesta zdroje                  /bin/bash
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          coreutils-6.12-18.fc10
RPM balíčky cíle           evolution-2.25.1-2.fc11
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           5
Poprvé viděno               Út 25. listopad 2008, 01:11:04 CET
Naposledy viděno             Út 25. listopad 2008, 01:11:20 CET
Místní ID                   cbcdf6e0-5ce6-441c-a954-2f4f122874ba
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227571880.69:308): avc:  denied  { getattr } for  pid=6280 comm="ls" path="/usr/bin/evolution" dev=dm-0 ino=1960657 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:evolution_exec_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1227571880.69:308): arch=40000003 syscall=195 success=no exit=-13 a0=bfebc464 a1=992a888 a2=b20ff4 a3=0 items=0 ppid=6243 pid=6280 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="ls" exe="/bin/ls" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 3 Matěj Cepl 2008-11-24 19:20:35 EST
Switching to Permissive mode and getting another AVC denials (but also THunderbird, finally):


Souhrn:

SELinux is preventing thunderbird (staff_t) "ioctl" to /usr/bin/thunderbird
(thunderbird_exec_t).

Podrobný popis:

[SELinux je v uvolněném režimu, operace by byla odmítnuta, ale byla povolena
kvůli uvolněnému režimu.]

SELinux denied access requested by thunderbird. It is not expected that this
access is required by thunderbird and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/bin/thunderbird,

restorecon -v '/usr/bin/thunderbird'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:thunderbird_exec_t
Objekty cíle                 /usr/bin/thunderbird [ file ]
Zdroj                         thunderbird
Cesta zdroje                  /bin/bash
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          bash-3.2-29.fc10
RPM balíčky cíle           thunderbird-2.0.0.18-1.fc10
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Permissive
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Út 25. listopad 2008, 01:18:41 CET
Naposledy viděno             Út 25. listopad 2008, 01:18:41 CET
Místní ID                   5893f536-0770-4d14-8016-a3811d874c14
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227572321.639:325): avc:  denied  { ioctl } for  pid=6382 comm="thunderbird" path="/usr/bin/thunderbird" dev=dm-0 ino=5005228 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:thunderbird_exec_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1227572321.639:325): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfee8f08 a3=bfee8f48 items=0 ppid=6243 pid=6382 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="thunderbird" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

=====================================================================


Souhrn:

SELinux is preventing bash (staff_t) "read" to ./evolution (evolution_exec_t).

Podrobný popis:

SELinux denied access requested by bash. It is not expected that this access is
required by bash and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./evolution,

restorecon -v './evolution'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:evolution_exec_t
Objekty cíle                 ./evolution [ file ]
Zdroj                         bash
Cesta zdroje                  /bin/bash
Port                          <Neznámé>
Počítač                    viklef
RPM balíčky zdroje          bash-3.2-29.fc10
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.5.13-20.fc10
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            viklef
Platforma                     Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Počet upozornění           1
Poprvé viděno               Út 25. listopad 2008, 01:18:17 CET
Naposledy viděno             Út 25. listopad 2008, 01:18:17 CET
Místní ID                   78594d5a-e0c2-44a8-bbe1-01d186335d1b
Čísla řádků              

Původní zprávy auditu      

node=viklef type=AVC msg=audit(1227572297.25:316): avc:  denied  { read } for  pid=6374 comm="bash" name="evolution" dev=dm-0 ino=1960657 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:evolution_exec_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1227572297.25:316): arch=40000003 syscall=33 success=no exit=-13 a0=a0a3f88 a1=4 a2=0 a3=a0a3f88 items=0 ppid=6243 pid=6374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="bash" exe="/bin/bash" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
Comment 4 Matěj Cepl 2008-11-25 04:44:14 EST
Trying this module

module staffuLaunchmail 1.2;

require {
	type staff_t;
	type evolution_exec_t;
	type thunderbird_exec_t;
	class file { getattr ioctl};
}

#============= staff_t ==============
allow staff_t thunderbird_exec_t:file getattr;
allow staff_t thunderbird_exec_t:file ioctl;
allow staff_t evolution_exec_t:file getattr;
allow staff_t evolution_exec_t:file ioctl;

and let's see what happens.
Comment 5 Matěj Cepl 2008-11-25 04:50:33 EST
Hmm, even with this module loaded, when I switch to Enforcing mode, I get "Access denied" when trying to run /usr/bin/thunderbird.
Comment 6 Daniel Walsh 2008-11-25 08:59:05 EST
Where are you getting this policy from?  thunderbird and evolution policy is not built into targeted policy.
Comment 7 Matěj Cepl 2008-11-25 09:40:30 EST
[root@viklef policy]# ls -lZ /usr/bin/{thunderbird,evolution}*
-rwxr-xr-x  root root system_u:object_r:evolution_exec_t /usr/bin/evolution
-rwxr-xr-x  root root system_u:object_r:thunderbird_exec_t /usr/bin/thunderbird
[root@viklef policy]# restorecon -v /usr/bin/{thunderbird,evolution}*
[root@viklef policy]# rpm -qf /etc/selinux/targeted/policy/policy.23 
selinux-policy-targeted-3.5.13-20.fc10.noarch
[root@viklef policy]#
Comment 8 Matěj Cepl 2008-11-25 09:41:39 EST
and maybe

[root@viklef policy]# id
uid=0(root) gid=0(root) skupiny=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=staff_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
[root@viklef policy]# id matej
uid=500(matej) gid=500(matej) skupiny=500(matej),4(adm),10(wheel),12(mail),14(uucp),100(users),51(smmsp),501(src),104(mock),105(pulse),106(pulse-rt),107(pulse-access),505(virt)
[root@viklef policy]#
Comment 9 Matěj Cepl 2008-11-25 09:42:16 EST
sorry, the latter should read
[matej@viklef targeted]$ id 
uid=500(matej) gid=500(matej) skupiny=4(adm),10(wheel),12(mail),14(uucp),51(smmsp),100(users),104(mock),105(pulse),106(pulse-rt),107(pulse-access),500(matej),501(src),505(virt) context=staff_u:staff_r:staff_t:SystemLow-SystemHigh
[matej@viklef targeted]$
Comment 10 Daniel Walsh 2008-11-25 09:50:56 EST
semodule -r thunderbird evolution

You have policy packages installed that are not part of the final release.
Comment 11 Daniel Walsh 2008-11-25 10:01:23 EST
Not sure where you got those pp files but they should not be installed, they were not installed in F10 or F9.  They were in strict policy.
Comment 12 Matěj Cepl 2008-11-25 10:27:04 EST
OK, this notebook has a long and checkered history, so maybe I caught them somewhere on the way.
Comment 13 Matěj Cepl 2008-11-25 10:46:10 EST
Created attachment 324623 [details]
stdout of semodule -l

Could I ask you for diff of your output of semodule -l against this one? It's weird because I get labeled thunderbird even on the other computer which is pretty pure Rawhide (x86_64)? If I should help you with being a guinea pig (do you need one yet?) for staff_u I need to be sure, that I don't have some trash on my computers.

[root@hubmaier ~]# ls -lZ /usr/bin/thunderbird 
-rwxr-xr-x  root root system_u:object_r:thunderbird_exec_t /usr/bin/thunderbird
[matej@hubmaier ~]$ ls -lZ /usr/bin/evolution 
-rwxr-xr-x  root root system_u:object_r:evolution_exec_t /usr/bin/evolution
[matej@hubmaier ~]$
Comment 14 Bug Zapper 2008-11-26 00:53:45 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Matěj Cepl 2008-11-26 18:22:28 EST
So, yes this bug can be closed as WHATINTHEWORLDISGOINGON?

Note You need to log in before you can comment on or make changes to this bug.