Bug 491749 - init srcipt starting part fails due to selinux policy disallowing for transition initrc_t -> unconfined_t
init srcipt starting part fails due to selinux policy disallowing for transit...
Status: CLOSED DUPLICATE of bug 442228
Product: 389
Classification: Community
Component: Admin (Show other bugs)
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
: Reopened
Depends On:
Blocks: 249650
  Show dependency treegraph
Reported: 2009-03-23 16:17 EDT by lejeczek
Modified: 2015-01-04 18:37 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-03-30 14:06:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description lejeczek 2009-03-23 16:17:48 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:
service dirsrv-admin start

Steps to Reproduce:
Actual results:
node=pawellap type=AVC msg=audit(1237837361.126:2098): avc:  denied  { transition } for  pid=7371 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process

node=pawellap type=SYSCALL msg=audit(1237837361.126:2098): arch=c000003e syscall=59 success=no exit=-13 a0=7fff5e0f2e96 a1=7fff5e0f0db8 a2=7fff5e0f0de8 a3=7fff5e0f09d0 items=0 ppid=7361 pid=7371 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

Expected results:

Additional info:
Comment 1 lejeczek 2009-03-23 16:29:50 EDT
Comment 2 Daniel Walsh 2009-03-26 20:25:10 EDT
This is custom policy and would need to be written by you.  Not sure what you atr trying to do, but you could set a script as httpd_unconfined_script_exec_t or just add the rules you require using audit2allow.
Comment 3 lejeczek 2009-03-27 05:26:13 EDT
hello there,

it is - service dirsrv-admin start - that fails raising these errors
have checked fcontext for initscript - ok, as policy aplies
it policy's rules that prevent transition I speak of in bug title
it all works(starting dirsrv-admin using the same syntax) if only not invoked by "service ..." but from console line

when run from initscript, selinux source domain is: initrc_t:s0
$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"

Source Context:  unconfined_u:system_r:initrc_t:s0Target Context:  unconfined_u:system_r:unconfined_t:s0Target Objects:  /usr/sbin/httpd.worker [ process ]
Source:  runconSource Path:  /usr/bin/runcon

when run from console, selinux sdomain is unconfined, right? and below works
runcon -t unconfined_t -- /usr/sbin/httpd.worker -DOmitDeflate -k start -f /etc/dirsrv/admin-serv/httpd.conf

so there is nothing custom about it,
hope I'm being less vague this time, apologies
Comment 4 Daniel Walsh 2009-03-27 15:03:14 EDT
So you are saying this is in the init script?
Comment 5 Daniel Walsh 2009-03-27 15:04:25 EDT
This is wrong, the init script should not be executing runcon

and unconfined_t should never be run as a service, this is a user type.
Comment 6 lejeczek 2009-03-28 09:57:38 EDT
yes - for me it's the init script, nothing custom - nothing in scripts, nothing in policy
that is why I think of it as a bug - I believe policy is having broken rules

Source Context                unconfined_u:system_r:initrc_t:s0
Target Context                unconfined_u:system_r:unconfined_t:s0
Target Objects                /usr/sbin/httpd.worker [ process ]
Source                        runcon
Source Path                   /usr/bin/runcon
Port                          <Unknown>
Host                          pawellap
Source RPM Packages           coreutils-6.10-35.fc9
Target RPM Packages           httpd-2.2.9-1.fc9
Policy RPM                    selinux-policy-3.3.1-127.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     pawellap
Platform                      Linux pawellap #1 SMP
                              Tue Feb 24 19:44:45 EST 2009 x86_64 x86_64
Alert Count                   11
First Seen                    Tue Mar 17 09:26:40 2009
Last Seen                     Sat Mar 28 13:50:22 2009
Local ID                      11b80595-eae8-4204-8e6b-cf58388f21ba
Line Numbers                  

Raw Audit Messages            

node=pawellap type=AVC msg=audit(1238248222.119:3413): avc:  denied  { transition } for  pid=10321 comm="runcon" path="/usr/sbin/httpd.worker" dev=sda3 ino=50483363 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=unconfined_u:system_r:unconfined_t:s0 tclass=process

node=pawellap type=SYSCALL msg=audit(1238248222.119:3413): arch=c000003e syscall=59 success=no exit=-13 a0=7fffc4f89e96 a1=7fffc4f88c48 a2=7fffc4f88c78 a3=7fffc4f88860 items=0 ppid=10311 pid=10321 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:system_r:initrc_t:s0 key=(null)

/etc/rc.d/init.d/dirsrv-admin calls /usr/sbin/start-ds-admin - it's rpm's
rpms are up to today availably ones
Comment 7 Rich Megginson 2009-03-30 10:18:47 EDT
Is this issue related to https://bugzilla.redhat.com/show_bug.cgi?id=442228 ?
Comment 8 Daniel Walsh 2009-03-30 11:03:28 EDT
Yes, do not run runcon in an init script.

runcon is a testing tool or perhaps can be used by mls people, but we can setup proper rules and transtions to make initrc work correctly.

But we need to get back to the original problem you were trying to fix.
Comment 9 lejeczek 2009-03-30 12:57:25 EDT
problem is that when I(or at boot time) invoke: service dirsrv-admin start - I get denials as in my last  comment(and there is nothing changed by me in scripts nor in policy, all as rpms installed it)

I initially submitted this bug in Fedora DS - not much of a reply I got - therefore put it here

what more I found, these scripts:
are exact same files on both f9 and f10 (both with latest rpms)

what else I see is that f10 has this:
allow initrc_t unconfined_t : process { transition sigchld }
and f9 has it not

I can remember that I was! working on f9, my guess - there's been change in policy, I cannot remember when I applied these updates
Comment 10 lejeczek 2009-03-30 13:04:13 EDT
apologies, in last comment - I was! working=it was working
and I refer to f10 for this obvious reason - it is working in f10 while, as I mentioned, scripts are the same
Comment 11 Daniel Walsh 2009-03-30 13:18:53 EDT
Yes two things will break here initrc_t is no longer allowed to transiton to unconfined_t, and RBAC can and will start to break this.  Finally by using runcon within a script you will break on any non targeted system or any system that plans on running without unconfined.pp being installed.  IE Fedora Directory Server will not be allowed to run in secure environments.
Comment 12 Rich Megginson 2009-03-30 13:22:52 EDT
We are working on adding the patches from https://bugzilla.redhat.com/show_bug.cgi?id=442228 to Fedora Directory Server.  I believe if we implement the selinux policy specified in 442228, that will solve this problem, since we won't be using runcon -t unconfined_t anymore.  Agreed?  If so, I'm going to close this bug as a duplicate of 442228.
Comment 13 lejeczek 2009-03-30 13:48:39 EDT
yes, fine with me
it's just a bit peculiar that f10 which natural successor to f9 does not receive these changes in policy around the same time.
Comment 14 Rich Megginson 2009-03-30 14:06:41 EDT

*** This bug has been marked as a duplicate of bug 442228 ***

Note You need to log in before you can comment on or make changes to this bug.