Description of problem:

Version-Release number of selected component (if applicable):
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-base-devel-1.1.3-2.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-base-1.1.3-2.fc9.x86_64
fedora-ds-console-1.1.2-2.fc9.noarch

How reproducible:
service dirsrv-admin start

Steps to Reproduce:
1.
2.
3.

Actual results:
node=pawellap type=AVC msg=audit(1237837361.126:2098): avc: denied { transition } for pid=7371 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process
node=pawellap type=SYSCALL msg=audit(1237837361.126:2098): arch=c000003e syscall=59 success=no exit=-13 a0=7fff5e0f2e96 a1=7fff5e0f0db8 a2=7fff5e0f0de8 a3=7fff5e0f09d0 items=0 ppid=7361 pid=7371 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Expected results:

Additional info:
selinux-policy-targeted-3.3.1-126.fc9.noarch
This is custom policy and would need to be written by you. Not sure what you are trying to do, but you could set a script as httpd_unconfined_script_exec_t or just add the rules you require using audit2allow.
hello there,

It is "service dirsrv-admin start" that fails, raising these errors. I have checked the fcontext for the initscript - ok. As the policy applies its rules, they prevent the transition I speak of in the bug title. It all works (starting dirsrv-admin using the same syntax) if it is invoked not by "service ..." but from the console line.

When run from the initscript, the selinux source domain is initrc_t:s0:

$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"

Source Context: unconfined_u:system_r:initrc_t:s0
Target Context: unconfined_u:system_r:unconfined_t:s0
Target Objects: /usr/sbin/httpd.worker [ process ]
Source: runcon
Source Path: /usr/bin/runcon

When run from the console, the selinux source domain is unconfined, right? And the below works:

runcon -t unconfined_t -- /usr/sbin/httpd.worker -DOmitDeflate -k start -f /etc/dirsrv/admin-serv/httpd.conf

So there is nothing custom about it. Hope I'm being less vague this time, apologies.

cheers
So you are saying this is in the init script?
This is wrong, the init script should not be executing runcon and unconfined_t should never be run as a service, this is a user type.
yes - for me it's the init script, nothing custom - nothing in the scripts, nothing in the policy. That is why I think of it as a bug - I believe the policy has broken rules.

Source Context: unconfined_u:system_r:initrc_t:s0
Target Context: unconfined_u:system_r:unconfined_t:s0
Target Objects: /usr/sbin/httpd.worker [ process ]
Source: runcon
Source Path: /usr/bin/runcon
Port: <Unknown>
Host: pawellap
Source RPM Packages: coreutils-6.10-35.fc9
Target RPM Packages: httpd-2.2.9-1.fc9
Policy RPM: selinux-policy-3.3.1-127.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall
Host Name: pawellap
Platform: Linux pawellap 2.6.27.19-78.2.30.fc9.x86_64 #1 SMP Tue Feb 24 19:44:45 EST 2009 x86_64 x86_64
Alert Count: 11
First Seen: Tue Mar 17 09:26:40 2009
Last Seen: Sat Mar 28 13:50:22 2009
Local ID: 11b80595-eae8-4204-8e6b-cf58388f21ba
Line Numbers:

Raw Audit Messages:
node=pawellap type=AVC msg=audit(1238248222.119:3413): avc: denied { transition } for pid=10321 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process
node=pawellap type=SYSCALL msg=audit(1238248222.119:3413): arch=c000003e syscall=59 success=no exit=-13 a0=7fffc4f89e96 a1=7fffc4f88c48 a2=7fffc4f88c78 a3=7fffc4f88860 items=0 ppid=10311 pid=10321 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

/etc/rc.d/init.d/dirsrv-admin calls /usr/sbin/start-ds-admin - it's the rpm's; the rpms are the up-to-date ones available today.

cheers
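As an added illustration (not code from this bug report or from the Fedora DS project), a small Python checker that parses audit records like the ones pasted above, joins each AVC line to its SYSCALL line by audit serial, and flags a denied process transition from initrc_t into unconfined_t; the sample input is an abridged, constructed copy of the two records in this comment.

```python
import re
# Constructed sample (abridged): the AVC record quoted in the bug report and the
# SYSCALL record that shares its audit serial, 3413.
SAMPLE_AUDIT = (
    'node=pawellap type=AVC msg=audit(1238248222.119:3413): avc: denied { transition } '
    'for pid=10321 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 '
    'scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process\n'
    'node=pawellap type=SYSCALL msg=audit(1238248222.119:3413): arch=c000003e syscall=59 '
    'success=no exit=-13 ppid=10311 pid=10321 auid=501 uid=0 tty=pts0 ses=3 comm="runcon" '
    'exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)\n'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_record(line):
    """One audit line -> dict of key=value fields plus audit serial and AVC verdict."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["serial"] = int(m.group(1)) if m else None
    a = AVC_RE.search(line)
    if a:
        rec["result"], rec["perms"] = a.group(1), a.group(2).split()
    return rec

def selinux_type(context):
    """Type field of a user:role:type:level context, or "" if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def correlate(text):
    """Group records by audit serial so an AVC can be read beside its SYSCALL."""
    events = {}
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["serial"], {})[rec.get("type")] = rec
    return events

def initrc_to_unconfined_denials(text):
    """Flag denied initrc_t -> unconfined_t process transitions (what `runcon -t unconfined_t` in an init script leaves behind)."""
    findings = []
    for serial, ev in correlate(text).items():
        avc, sc = ev.get("AVC", {}), ev.get("SYSCALL", {})
        if (avc.get("result") == "denied" and avc.get("tclass") == "process"
                and "transition" in avc.get("perms", [])
                and selinux_type(avc.get("scontext", "")) == "initrc_t"
                and selinux_type(avc.get("tcontext", "")) == "unconfined_t"):
            findings.append({"serial": serial, "comm": avc.get("comm"),
                             "target": avc.get("path"), "exe": sc.get("exe"),
                             "ppid": sc.get("ppid")})
    return findings
```

Run over a real `ausearch -m avc,syscall` dump the same way; each hit names the interpreter (`exe`) and parent (`ppid`) so the offending service script can be found and given its own domain instead of unconfined_t.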
Is this issue related to https://bugzilla.redhat.com/show_bug.cgi?id=442228 ?
Yes, do not run runcon in an init script. runcon is a testing tool, or perhaps can be used by MLS people, but we can set up proper rules and transitions to make initrc work correctly. But we need to get back to the original problem you were trying to fix.
The problem is that when I (or the boot process) invoke "service dirsrv-admin start", I get denials as in my last comment (and nothing has been changed by me in the scripts nor in the policy; all is as the rpms installed it). I initially submitted this bug in Fedora DS - not much of a reply I got - therefore I put it here.

What more I found: these scripts,
/usr/sbin/start-ds-admin
/etc/init.d/dirsrv-admin
are exactly the same files on both f9 and f10 (both with the latest rpms).

What else I see is that f10 has this:
allow initrc_t unconfined_t : process { transition sigchld }
and f9 does not have it.

I can remember that I was! working on f9; my guess - there's been a change in policy. I cannot remember when I applied these updates.
apologies, in my last comment "I was! working" = it was working, and I refer to f10 for this obvious reason - it is working in f10 while, as I mentioned, the scripts are the same.
Yes, two things will break here: initrc_t is no longer allowed to transition to unconfined_t, and RBAC can and will start to break this. Finally, by using runcon within a script you will break on any non-targeted system or any system that plans on running without unconfined.pp being installed, i.e. Fedora Directory Server will not be allowed to run in secure environments.
We are working on adding the patches from https://bugzilla.redhat.com/show_bug.cgi?id=442228 to Fedora Directory Server. I believe if we implement the selinux policy specified in 442228, that will solve this problem, since we won't be using runcon -t unconfined_t anymore. Agreed? If so, I'm going to close this bug as a duplicate of 442228.
yes, fine with me. It's just a bit peculiar that f10, which is the natural successor to f9, does not receive these changes in policy around the same time.
*** This bug has been marked as a duplicate of bug 442228 ***