Bug 503286 - SELinux prevents chsh from changing file
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware/OS: All / Linux
Priority: low   Severity: low
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-30 15:42 EDT by Michael Krauss
Modified: 2010-04-27 10:42 EDT
Doc Type: Bug Fix
Last Closed: 2010-04-27 10:42:11 EDT

Attachments: None
Description Michael Krauss 2009-05-30 15:42:05 EDT
Description of problem:

After installing the fish shell, I tried to switch the login shell of my user to fish by using chsh. SELinux prevented chsh from execution.


Version-Release number of selected component (if applicable):

util-linux-ng-2.14.2-8.fc11
selinux-policy-3.6.12-39.fc11
fish-1.23.0-7.fc11.i586

How reproducible:
Always reproducible.


Steps to Reproduce:
1. Install fish
2. login as user
3. switch login shell with chsh


Actual results:
[mickraus@localhost ~]$ chsh
Changing shell for mickraus.
Password: 
New shell [/bin/bash]: /usr/bin/fish
chsh: "/usr/bin/fish" is not executable.


Additional info:
Here is the SELinux report:

Summary:

SELinux is preventing chsh (chfn_t) "execute" bin_t.

Detailed Description:

SELinux denied access requested by chsh. It is not expected that this access is
required by chsh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                fish [ file ]
Source                        chsh
Source Path                   /usr/bin/chsh
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           util-linux-ng-2.14.2-8.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.29.4-162.fc11.i586
                              #1 SMP Mon May 25 16:39:12 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Sat 30 May 2009 08:12:17 PM CEST
Last Seen                     Sat 30 May 2009 08:26:15 PM CEST
Local ID                      dd9dccd6-5497-4670-b1fa-5ec75ae65d74
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1243707975.598:22): avc:  denied  { execute } for  pid=2307 comm="chsh" name="fish" dev=sda2 ino=109621 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1243707975.598:22): arch=40000003 syscall=33 success=no exit=-13 a0=bfe22660 a1=1 a2=ebf2e0 a3=bfe22660 items=0 ppid=2188 pid=2307 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="chsh" exe="/usr/bin/chsh" subj=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 key=(null)
Comment 1 Karel Zak 2009-06-01 04:07:19 EDT
I guess the problem is:

    if (access (shell, X_OK) < 0) {
        printf (_("%s: \"%s\" is not executable.\n"), whoami, shell);
        return (-1);
    }

The SELinux message 

  SELinux is preventing chsh (chfn_t) "execute" bin_t.

is strange: chsh(1) is not executing any shell. Note also that the file is labeled "chfn_f", but we are talking about "chsh".
Comment 2 Daniel Walsh 2009-06-01 07:09:07 EDT
If you change the context of the fish shell to shell_exec_t it should work.

chcon -t shell_exec_t /usr/bin/fish


If you want this label to be permanent, execute

semanage fcontext -a -t shell_exec_t /usr/bin/fish

I will add fish as a shell.

Currently access() goes through the exact same SELinux access checks as actually executing the shell.

So access(shell, X_OK) == exec(shell) from an SELinux point of view.  Hopefully this will be changing soon.

Fixed in selinux-policy-3.6.12-44.fc11
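Added example, not part of the bug report or of util-linux/selinux-policy: a small triage script that parses the two audit records quoted in the description, decodes the SYSCALL line to show the denied call was access() rather than execve() (the point Karel Zak and Daniel Walsh make above), and for this chfn_t-executes-bin_t pattern emits the relabel Daniel gives. It adds restorecon after semanage, since semanage fcontext only records the rule, and uses `<shell-path>` as a placeholder for the shell binary (/usr/bin/fish here) because the AVC record carries only the file's basename.

```python
import errno
import re
# The AVC record and its SYSCALL partner, as quoted in the bug description.
AUDIT_LOG = """\
node=localhost.localdomain type=AVC msg=audit(1243707975.598:22): avc:  denied  { execute } for  pid=2307 comm="chsh" name="fish" dev=sda2 ino=109621 scontext=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1243707975.598:22): arch=40000003 syscall=33 success=no exit=-13 a0=bfe22660 a1=1 a2=ebf2e0 a3=bfe22660 items=0 ppid=2188 pid=2307 auid=501 uid=501 gid=501 euid=0 suid=0 fsuid=0 egid=501 sgid=501 fsgid=501 tty=pts1 ses=1 comm="chsh" exe="/usr/bin/chsh" subj=unconfined_u:unconfined_r:chfn_t:s0-s0:c0.c1023 key=(null)
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value, quoted or bare
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')            # the { execute } permission set
I386_SYSCALLS = {11: "execve", 33: "access"}  # arch=40000003 is AUDIT_ARCH_I386

def parse_audit_line(line):
    """One audit record -> dict; AVC records also get 'denied' and 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = re.search(r'audit\([\d.]+:(\d+)\)', rec.get("msg", ""))
    rec["event_id"] = m.group(1) if m else None
    if rec.get("type") == "AVC":
        rec["denied"] = " denied " in line
        perms = PERM_RE.search(line)
        rec["perms"] = perms.group(1).split() if perms else []
    return rec

def describe_syscall(rec):
    """Name the failing call and its errno: here access(), not execve()."""
    if rec.get("arch") != "40000003":
        return "syscall %s on unhandled arch %s" % (rec.get("syscall"), rec.get("arch"))
    name = I386_SYSCALLS.get(int(rec["syscall"]), "syscall_" + rec["syscall"])
    err = errno.errorcode.get(-int(rec["exit"]), rec["exit"])
    return "%s() in %s failed with %s" % (name, rec.get("exe"), err)

def triage(avc, syscall):
    """Join an AVC with its SYSCALL record and, for this bug's pattern, name the fix."""
    domain, target = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:type
    finding = {"event": avc["event_id"], "domain": domain, "target_type": target,
               "perms": avc["perms"], "call": describe_syscall(syscall), "fix": None}
    if (avc["denied"] and "execute" in avc["perms"] and avc["tclass"] == "file"
            and domain == "chfn_t" and target == "bin_t"):
        # Daniel Walsh's fix: label the shell shell_exec_t; restorecon applies the new rule on disk.
        finding["fix"] = ("semanage fcontext -a -t shell_exec_t <shell-path>"
                          " && restorecon -v <shell-path>")
    return finding

def triage_log(text):
    """Pair AVC and SYSCALL records by audit event id and triage each pair."""
    by_event = {}
    for line in text.splitlines():
        rec = parse_audit_line(line)
        by_event.setdefault(rec["event_id"], {})[rec["type"]] = rec
    return [triage(e["AVC"], e["SYSCALL"]) for e in by_event.values() if "AVC" in e and "SYSCALL" in e]
```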
Comment 3 Bug Zapper 2009-06-09 12:51:39 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Daryll 2009-08-10 18:36:29 EDT
This also happens with /sbin/nologin. So I expect that the label on nologin has to be added to the system default.
Comment 5 Daniel Walsh 2009-08-11 14:59:31 EDT
Miroslav, can you add this label to /bin/nologin?
Comment 6 Miroslav Grepl 2009-08-13 11:56:18 EDT
Fixed in selinux-policy-3.6.12-76.fc11
Comment 8 Bug Zapper 2010-04-27 10:35:41 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
