Bug 490108 - SELinux error on upgrade
SELinux error on upgrade
Status: CLOSED WONTFIX
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor (Show other bugs)
1.1
All Linux
low Severity low
: 1.1.1
: ---
Assigned To: grid-maint-list
Jeff Needle
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-13 06:16 EDT by Jeff Needle
Modified: 2010-12-08 13:31 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-18 10:06:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jeff Needle 2009-03-13 06:16:21 EDT
On condor upgrade, an AVC is thrown

Mar 12 19:51:17 amd-warthog-03 setroubleshoot: SELinux is preventing setfiles (setfiles_t) "write" to pipe (rpm_script_t). For complete SELinux messages. run sealert -l ef251d04-c7b8-4e5f-a2c9-9d633d9609ec


# sealert -l ef251d04-c7b8-4e5f-a2c9-9d633d9609ec

Summary:

SELinux is preventing setfiles (setfiles_t) "write" to pipe (rpm_script_t).

Detailed Description:

SELinux denied access requested by setfiles. It is not expected that this accessis required by setfiles and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:setfiles_t:SystemLow-SystemHigh
Target Context                root:system_r:rpm_script_t:SystemLow-SystemHigh
Target Objects                pipe [ fifo_file ]
Source                        setfiles
Source Path                   /sbin/setfiles
Port                          <Unknown>
Host                          amd-warthog-03.lab.bos.redhat.com
Source RPM Packages           policycoreutils-1.33.12-14.2.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     amd-warthog-03.lab.bos.redhat.com
Platform                      Linux amd-warthog-03.lab.bos.redhat.com
                              2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008                              x86_64 x86_64
Alert Count                   2
First Seen                    Thu Feb 26 23:45:18 2009
Last Seen                     Thu Mar 12 19:51:17 2009
Local ID                      ef251d04-c7b8-4e5f-a2c9-9d633d9609ec
Line Numbers

Raw Audit Messages

host=amd-warthog-03.lab.bos.redhat.com type=AVC msg=audit(1236901877.106:688): avc:  denied  { write } for  pid=6110 comm="setfiles" path="pipe:[236241]" dev=pipefs ino=236241 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file

host=amd-warthog-03.lab.bos.redhat.com type=AVC msg=audit(1236901877.106:688): avc:  denied  { write } for  pid=6110 comm="setfiles" path="pipe:[236241]" dev=pipefs ino=236241 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file

host=amd-warthog-03.lab.bos.redhat.com type=SYSCALL msg=audit(1236901877.106:688): arch=c000003e syscall=59 success=yes exit=0 a0=1bf398b0 a1=1bfe9b00 a2=0 a3=2b50f29a3ff0 items=0 ppid=6107 pid=6110 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=102 comm="setfiles" exe="/sbin/setfiles" subj=root:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
Comment 1 Matthew Farrellee 2009-03-17 09:57:53 EDT
Any idea why this is happening, or if it prevents upgrade or installation?
Comment 2 Jeff Needle 2009-03-17 16:24:43 EDT
It's not fatal and doesn't appear to have any ill effects.  Is there a fifo pipe in one of the directories that is getting moved around for this update that may be triggering an AVC upon being moved?  I didn't see it on a clean install, just an upgrade.
Comment 3 Matthew Farrellee 2009-03-17 16:41:30 EDT
if [ -e /var/lib/condor/condor_master.pid ]; then
   mv /var/lib/condor/condor_master.pid /var/run/condor/condor_master.pid
fi

So a fifo in /var/run/condor that isn't being touched causes the issue? No pipe should be moved as part of the install or upgrade.
Comment 4 Jeff Needle 2009-03-17 19:42:52 EDT
move was just a guess on my part.  Turns out it happens on a fresh install too.

Are any fifos created as part of the install or upgrade procedure in any different way than previous releases?
Comment 5 Matthew Farrellee 2009-03-17 21:43:33 EDT
There should be no fifos created at all.

I'd hope it couldn't be this pipe, which was added since 1.1...

if [ $? = 0 ]; then
   semanage fcontext -a -t unconfined_execmem_exec_t %_sbindir/condor_startd 2>&
1| grep -v "already defined"
   restorecon  %_sbindir/condor_startd
fi
Comment 6 Jeff Needle 2009-03-18 10:06:19 EDT
Yes, that's exactly what it is, and in talking to Dan, it's an SELinux policy deficiency that will be addressed in 5.4.  So for now, we can simply ignore the AVC message as it's completely innocuous.
Comment 7 Jan Sarenik 2010-12-08 10:28:48 EST
Seems it was not addressed in 5.4, see bug 660653.

Note You need to log in before you can comment on or make changes to this bug.