Bug 492554 - SELinux is preventing sh (awstats_t)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2009-03-27 08:30 EDT by Eddie Lania
Modified: 2009-10-09 14:50 EDT
Doc Type: Bug Fix
Last Closed: 2009-10-09 14:50:04 EDT
Description Eddie Lania 2009-03-27 08:30:08 EDT
Description of problem:
SELinux is preventing sh (awstats_t) "read" to ./maillog (var_log_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./maillog,

restorecon -v './maillog'

If this does not work, there is currently no automatic way to allow this
access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:awstats_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                ./maillog [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           bash-3.2-30.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-49.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23
                              13:21:22 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri Mar 27 09:01:03 2009
Last Seen                     Fri Mar 27 09:01:03 2009
Local ID                      667413ff-f1a5-47d6-89df-625f3da591a9
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1238140863.516:107): avc:  denied
 { read } for  pid=3595 comm="sh" name="maillog" dev=sda2 ino=1267499
scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238140863.516:107):
arch=40000003 syscall=5 success=yes exit=3 a0=8d0a758 a1=8000 a2=0 a3=8000
items=0 ppid=3594 pid=3595 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4 comm="sh" exe="/bin/bash"
subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)  

Version-Release number of selected component (if applicable):

rpm -qa |grep selinux
selinux-policy-3.5.13-53.fc10.noarch
libselinux-2.0.78-1.fc10.i386
libselinux-utils-2.0.78-1.fc10.i386
libselinux-python-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-53.fc10.noarch
[root@ls2ka mail]# grep "SELinux is preventing maillogconvert" /var/log/messages
Mar 27 09:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 09:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 10:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
Mar 27 11:01:02 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 11:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
Mar 27 12:01:02 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 12:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
Mar 27 13:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" to /usr/share/awstats/tools/maillogconvert.pl (awstats_exec_t). For complete SELinux messages. run sealert -l 53c9d3fe-fe21-4f83-a5bf-2739f0428621
Mar 27 13:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog (var_log_t). For complete SELinux messages. run sealert -l 2510fca0-1601-4866-88a4-87d022648af9
[root@ls2ka mail]# sealert -l 2510fca0-1601-4866-88a4-87d022648af9

Summary:

SELinux is preventing maillogconvert. (awstats_t) "ioctl" to /var/log/maillog
(var_log_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by maillogconvert.. It is not expected that this
access is required by maillogconvert. and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /var/log/maillog,

restorecon -v '/var/log/maillog'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:awstats_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/maillog [ file ]
Source                        maillogconvert.
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           perl-5.10.0-56.fc10
Target RPM Packages
Policy RPM                    selinux-policy-3.5.13-49.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23
                              13:21:22 EST 2009 i686 i686
Alert Count                   5
First Seen                    Fri Mar 27 09:01:03 2009
Last Seen                     Fri Mar 27 13:01:03 2009
Local ID                      2510fca0-1601-4866-88a4-87d022648af9
Line Numbers

Raw Audit Messages

node=ls2ka.elton-intra.net type=AVC msg=audit(1238155263.91:296): avc:  denied  { ioctl } for  pid=6356 comm="maillogconvert." path="/var/log/maillog" dev=sda2 ino=1267499 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238155263.91:296): arch=40000003 syscall=54 success=no exit=-25 a0=0 a1=5401 a2=bf8cf138 a3=bf8cf178 items=0 ppid=6355 pid=6356 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="maillogconvert." exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)



Actual results:
awstats will not gather stats for e-mail traffic.

Expected results:
awstats runs without problems.

Comment 1 Daniel Walsh 2009-03-27 09:12:05 EDT
Miroslav, add

logging_read_generic_logs(awstats_t)


Eddie 

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 2 Eddie Lania 2009-03-29 16:40:32 EDT
Daniel,

The "mypol.pp" has now been added:

module mypol 1.0;

require {
        type mqueue_spool_t;
        type port_t;
        type var_log_t;
        type logrotate_t;
        type spamd_t;
        type ndc_t;
        type awstats_exec_t;
        type clamd_tmp_t;
        type fail2ban_var_run_t;
        type spamass_milter_data_t;
        type dcc_client_t;
        type fail2ban_t;
        type spamass_milter_state_t;
        type sendmail_t;
        type inotifyfs_t;
        type var_lib_t;
        type spamc_t;
        type admin_home_t;
        type awstats_t;
        type clamd_t;
        type system_mail_t;
        type dcc_var_t;
        class unix_stream_socket { read write connectto };
        class capability sys_tty_config;
        class tcp_socket name_bind;
        class file { rename read lock create ioctl execute_no_trans write getattr unlink append };
        class sock_file write;
        class lnk_file { read getattr };
        class dir { write search getattr read remove_name create add_name };
}

#============= awstats_t ==============
allow awstats_t awstats_exec_t:file execute_no_trans;
allow awstats_t var_log_t:file { read ioctl };

#============= dcc_client_t ==============
allow dcc_client_t dcc_var_t:file write;
allow dcc_client_t var_lib_t:dir write;
allow dcc_client_t var_lib_t:file { read write getattr lock };

#============= fail2ban_t ==============
allow fail2ban_t self:capability sys_tty_config;

#============= logrotate_t ==============
allow logrotate_t fail2ban_t:unix_stream_socket connectto;
allow logrotate_t fail2ban_var_run_t:sock_file write;

#============= ndc_t ==============
allow ndc_t inotifyfs_t:dir read;

#============= sendmail_t ==============
allow sendmail_t mqueue_spool_t:dir create;
allow sendmail_t port_t:tcp_socket name_bind;

#============= spamc_t ==============
allow spamc_t admin_home_t:file { read getattr };
allow spamc_t spamass_milter_state_t:file { read getattr };
allow spamc_t var_lib_t:file { read getattr };

#============= spamd_t ==============
allow spamd_t admin_home_t:dir { read write add_name remove_name };
allow spamd_t admin_home_t:file { write getattr read create unlink ioctl append };
allow spamd_t spamass_milter_data_t:dir { search getattr };
allow spamd_t var_lib_t:file { write rename unlink append };
allow spamd_t var_lib_t:lnk_file { read getattr };

#============= system_mail_t ==============
allow system_mail_t clamd_t:unix_stream_socket { read write };
allow system_mail_t clamd_tmp_t:file write;
allow system_mail_t fail2ban_t:unix_stream_socket { read write };


How do I remove it again if I should ever want to?

Regards,

Eddie.
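
Added example, not part of the original report and not audit2allow's own code: the pipeline in Comment 1 turns every AVC denial in the log into a rule, which is why the module in Comment 2 also grants access to sendmail_t, spamd_t and other domains. The sketch below groups denials by source domain so that only the awstats_t rules are rendered for review; the function names are illustrative, and the spamd_t line in the sample is constructed.

```python
import re
from collections import defaultdict

# First three AVC records are taken from this report (node= prefix dropped);
# the spamd_t record is constructed to stand in for unrelated denials.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1238140863.516:107): avc:  denied  { read } for  pid=3595 comm="sh" name="maillog" dev=sda2 ino=1267499 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1238155263.91:296): avc:  denied  { ioctl } for  pid=6356 comm="maillogconvert." path="/var/log/maillog" dev=sda2 ino=1267499 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1250625662.907:45012): avc:  denied  { execute_no_trans } for  pid=17527 comm="sh" path="/usr/share/awstats/tools/maillogconvert.pl" dev=sda2 ino=1676588 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:awstats_exec_t:s0 tclass=file
type=AVC msg=audit(1238140900.001:120): avc:  denied  { read getattr } for  pid=4001 comm="spamd" name="prefs" dev=sda2 ino=42 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1238140863.516:107): arch=40000003 syscall=5 success=yes exit=3 comm="sh" exe="/bin/bash" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)'
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None

def denials_by_domain(audit_text):
    """Map source type -> {(target type, class): set(perms)} for AVC denials."""
    table = defaultdict(lambda: defaultdict(set))
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and anything that is not a denial
        src, tgt = context_type(m['s']), context_type(m['t'])
        if src is None or tgt is None:
            continue  # malformed context: skip rather than guess
        table[src][(tgt, m['c'])].update(m['perms'].split())
    return table

def allow_rules(audit_text, domain):
    """Render allow rules for one source domain only, sorted for stable diffs."""
    rules = []
    for (tgt, cls), perms in sorted(denials_by_domain(audit_text)[domain].items()):
        p = sorted(perms)
        if not p:
            continue
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {domain} {tgt}:{cls} {body};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AUDIT, 'awstats_t')))
```

The two rules it produces for awstats_t match the awstats_t section of the module in Comment 2; every other section of that module came from denials unrelated to this bug.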
Comment 3 Miroslav Grepl 2009-03-30 04:59:14 EDT
You can remove your local policy using

# semodule -r mypol
Comment 4 Miroslav Grepl 2009-03-30 12:26:01 EDT
Fixed in selinux-policy-3.5.13-54.fc10
Comment 5 Eddie Lania 2009-04-08 04:21:48 EDT
The fix seems to work. I removed my own policy and applied the latest selinux-policy rpm. No more selinux messages in the system log except those from fail2ban.

Thank you.

Eddie.
Comment 6 Eddie Lania 2009-08-18 16:29:17 EDT
I migrated the server from Fedora 10 to 11 and now the messages are back:

Aug 18 16:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 16:01:05 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 17:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 17:01:05 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 18:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 19:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 19:01:05 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 20:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 21:01:03 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Aug 18 22:01:04 ls2ka setroubleshoot: SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans" awstats_exec_t. For complete SELinux messages. run sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2
[root@ls2ka ~]# sealert -l e5e6e5ea-4342-491b-a5bd-0ae397600ba2

Summary:

SELinux is preventing maillogconvert. (awstats_t) "execute_no_trans"
awstats_exec_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by maillogconvert.. It is not expected that this
access is required by maillogconvert. and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:awstats_t:s0-s0:c0.c1023
Target Context                system_u:object_r:awstats_exec_t:s0
Target Objects                /usr/share/awstats/tools/maillogconvert.pl [ file
                              ]
Source                        maillogconvert.
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           perl-5.10.0-73.fc11
Target RPM Packages           awstats-6.9-2.fc11
Policy RPM                    selinux-policy-3.6.12-72.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.29.6-217.2.7.fc11.i686.PAE #1 SMP Fri Aug 14
                              20:52:46 EDT 2009 i686 i686
Alert Count                   32
First Seen                    Mon Aug 17 15:01:02 2009
Last Seen                     Tue Aug 18 22:01:02 2009
Local ID                      e5e6e5ea-4342-491b-a5bd-0ae397600ba2
Line Numbers                  

Raw Audit Messages            

node=ls2ka.elton-intra.net type=AVC msg=audit(1250625662.907:45012): avc:  denied  { execute_no_trans } for  pid=17527 comm="sh" path="/usr/share/awstats/tools/maillogconvert.pl" dev=sda2 ino=1676588 scontext=system_u:system_r:awstats_t:s0-s0:c0.c1023 tcontext=system_u:object_r:awstats_exec_t:s0 tclass=file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1250625662.907:45012): arch=40000003 syscall=11 success=yes exit=0 a0=86b39d0 a1=86b3b70 a2=86b2ec0 a3=86b3b70 items=0 ppid=17526 pid=17527 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=439 comm="maillogconvert." exe="/usr/bin/perl" subj=system_u:system_r:awstats_t:s0-s0:c0.c1023 key=(null)

Perhaps the fix was not included in FC11?
Comment 7 Daniel Walsh 2009-08-18 18:38:52 EDT
Yes it was also missing from rawhide.
Comment 8 Eddie Lania 2009-08-19 06:45:08 EDT
Can you correct it?
Comment 9 Miroslav Grepl 2009-08-19 12:09:09 EDT
Of course, I will fix it in selinux-policy-3.6.12-79.fc11
Comment 10 Miroslav Grepl 2009-08-20 11:12:06 EDT
Fixed in selinux-policy-3.6.12-79.fc11
Comment 11 Eddie Lania 2009-10-09 14:03:44 EDT
Seems ok to me now.
