Bug 503544 – SELinux is preventing the shorewall (shorewall_t) from executing compiler.pl.

Bug 503544 - SELinux is preventing the shorewall (shorewall_t) from executing compiler.pl.

Summary:	SELinux is preventing the shorewall (shorewall_t) from executing compiler.pl.

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	11
Hardware:	All Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2009-06-01 12:35 EDT by Jonathan Underwood
Modified:	2009-11-18 08:09 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-11-18 08:09:49 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jonathan Underwood 2009-06-01 12:35:48 EDT

Description of problem:

Summary:

SELinux is preventing the shorewall (shorewall_t) from executing compiler.pl.

Detailed Description:

SELinux has denied the shorewall from executing compiler.pl. If shorewall is
supposed to be able to execute compiler.pl, this could be a labeling problem.
Most confined domains are allowed to execute files labeled bin_t. So you could
change the labeling on this file to bin_t and retry the application. If this
shorewall is not supposed to execute compiler.pl, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow shorewall to execute compiler.pl: chcon -t bin_t
'compiler.pl' If this fix works, please update the file context on disk, with
the following command: semanage fcontext -a -t bin_t 'compiler.pl' Please
specify the full path to the executable, Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy
to make sure this becomes the default labeling.

Additional Information:

Source Context                unconfined_u:system_r:shorewall_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                compiler.pl [ file ]
Source                        shorewall
Source Path                   /bin/bash
Port                          <Unknown>
Host                          clfelspc001.dc.clf.rl.ac.uk
Source RPM Packages           bash-4.0-6.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     clfelspc001.dc.clf.rl.ac.uk
Platform                      Linux clfelspc001.dc.clf.rl.ac.uk
                              2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
                              17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 01 Jun 2009 05:29:42 PM BST
Last Seen                     Mon 01 Jun 2009 05:29:42 PM BST
Local ID                      5b3bba6e-c961-4f6c-8836-ae981cb950ad
Line Numbers                  

Raw Audit Messages            

node=clfelspc001.dc.clf.rl.ac.uk type=AVC msg=audit(1243873782.932:76): avc:  denied  { execute } for  pid=11082 comm="shorewall" name="compiler.pl" dev=sda2 ino=133713 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=clfelspc001.dc.clf.rl.ac.uk type=SYSCALL msg=audit(1243873782.932:76): arch=c000003e syscall=21 success=yes exit=0 a0=f38b70 a1=1 a2=0 a3=8 items=0 ppid=11068 pid=11082 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)




Version-Release number of selected component (if applicable):
libselinux-utils-2.0.80-1.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
selinux-policy-targeted-3.6.12-39.fc11.noarch
libselinux-2.0.80-1.fc11.x86_64
selinux-policy-3.6.12-39.fc11.noarch
shorewall-common-4.2.9-2.fc11.noarch
shorewall-4.2.9-2.fc11.noarch
shorewall-perl-4.2.9-2.fc11.noarch

Comment 1 Daniel Walsh 2009-06-01 13:06:30 EDT

Where is compiler.pl located?  It needs a label of bin_t 

chcon -t bin_t compiler.pl

If I know the location, I can fix the default labeling.

Comment 2 Jonathan Underwood 2009-06-01 13:16:20 EDT

It's at:

/usr/share/shorewall-perl/compiler.pl

I can confirm that doing at the sealert program recommends fixes the problem, so fixing the default labeling should do the trick, thanks.

As an aside, do you have any plans to move selinux policy into their respective packages, or is that unworkable?

Comment 3 Daniel Walsh 2009-06-02 08:27:47 EDT

Sure as soon as any package maintainer wants to take over support for his own policy and writes good secure polciy rather then just allow the app to do anything,   Several packages do ship with there own policy, but the vast majority of policy is still in the centralized site.  One problem of individual packages shipping there own policy is that it limits flexibility of the policy writers. For example.  Fedora ships with three different policies now, targeted, MLS, and minimum.  If my goal is minimum policy and a third party ships with policy, it gives me confinement when I really did not want it.


Fixed in selinux-policy-3.6.12-45.fc11.noarch

Comment 4 Bug Zapper 2009-06-09 12:56:00 EDT

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.