Description of problem:

Summary:

SELinux is preventing the shorewall (shorewall_t) from executing compiler.pl.

Detailed Description:

SELinux has denied the shorewall from executing compiler.pl. If shorewall is supposed to be able to execute compiler.pl, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this shorewall is not supposed to execute compiler.pl, this could signal an intrusion attempt.

Allowing Access:

If you want to allow shorewall to execute compiler.pl:
chcon -t bin_t 'compiler.pl'
If this fix works, please update the file context on disk, with the following command:
semanage fcontext -a -t bin_t 'compiler.pl'
Please specify the full path to the executable. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this selinux-policy to make sure this becomes the default labeling.

Additional Information:

Source Context                unconfined_u:system_r:shorewall_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                compiler.pl [ file ]
Source                        shorewall
Source Path                   /bin/bash
Port                          <Unknown>
Host                          clfelspc001.dc.clf.rl.ac.uk
Source RPM Packages           bash-4.0-6.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   execute
Host Name                     clfelspc001.dc.clf.rl.ac.uk
Platform                      Linux clfelspc001.dc.clf.rl.ac.uk 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 01 Jun 2009 05:29:42 PM BST
Last Seen                     Mon 01 Jun 2009 05:29:42 PM BST
Local ID                      5b3bba6e-c961-4f6c-8836-ae981cb950ad
Line Numbers

Raw Audit Messages

node=clfelspc001.dc.clf.rl.ac.uk type=AVC msg=audit(1243873782.932:76): avc: denied { execute } for pid=11082 comm="shorewall" name="compiler.pl" dev=sda2 ino=133713 scontext=unconfined_u:system_r:shorewall_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

node=clfelspc001.dc.clf.rl.ac.uk type=SYSCALL msg=audit(1243873782.932:76): arch=c000003e syscall=21 success=yes exit=0 a0=f38b70 a1=1 a2=0 a3=8 items=0 ppid=11068 pid=11082 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="shorewall" exe="/bin/bash" subj=unconfined_u:system_r:shorewall_t:s0 key=(null)

Version-Release number of selected component (if applicable):
libselinux-utils-2.0.80-1.fc11.x86_64
libselinux-python-2.0.80-1.fc11.x86_64
selinux-policy-targeted-3.6.12-39.fc11.noarch
libselinux-2.0.80-1.fc11.x86_64
selinux-policy-3.6.12-39.fc11.noarch
shorewall-common-4.2.9-2.fc11.noarch
shorewall-4.2.9-2.fc11.noarch
shorewall-perl-4.2.9-2.fc11.noarch
Where is compiler.pl located? It needs a label of bin_t:

chcon -t bin_t compiler.pl

If I know the location, I can fix the default labeling.
It's at: /usr/share/shorewall-perl/compiler.pl

I can confirm that doing what the sealert program recommends fixes the problem, so fixing the default labeling should do the trick, thanks.

As an aside, do you have any plans to move selinux policy into their respective packages, or is that unworkable?
Sure, as soon as any package maintainer wants to take over support for his own policy and writes good secure policy rather than just allowing the app to do anything. Several packages do ship with their own policy, but the vast majority of policy is still in the centralized site. One problem of individual packages shipping their own policy is that it limits flexibility of the policy writers. For example, Fedora ships with three different policies now: targeted, MLS, and minimum. If my goal is minimum policy and a third party ships with policy, it gives me confinement when I really did not want it.

Fixed in selinux-policy-3.6.12-45.fc11.noarch
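The triage in this report (read the AVC record, find the full path of the denied file, relabel it bin_t and make the labeling persistent) can be scripted. The following is an added example, not code from the bug report, setroubleshoot or selinux-policy; it parses the AVC line quoted above (embedded here as a constructed sample) and emits the same chcon/semanage commands the report recommends, plus a restorecon call, which the report does not mention, to apply the new default to the file on disk.

```python
import re
import shlex

# AVC record from the raw audit messages above (constructed sample input for this example).
AVC_LINE = ('node=clfelspc001.dc.clf.rl.ac.uk type=AVC msg=audit(1243873782.932:76): '
            'avc: denied { execute } for pid=11082 comm="shorewall" name="compiler.pl" '
            'dev=sda2 ino=133713 scontext=unconfined_u:system_r:shorewall_t:s0 '
            'tcontext=system_u:object_r:usr_t:s0 tclass=file')

_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC audit record into its permission set and key=value fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    fields['result'] = m.group(1)
    fields['perms'] = m.group(2).split()
    # A context is user:role:type[:range]; only the type matters for a relabel fix.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def relabel_fix(avc, path):
    """Return the commands that relabel the denied file bin_t, or None when
    the denial is not an execute denial on a file lacking that label."""
    if avc['result'] != 'denied' or avc['tclass'] != 'file':
        return None
    if 'execute' not in avc['perms'] or avc['ttype'] == 'bin_t':
        return None
    # setroubleshoot asks for the full path; the AVC record only carries the basename.
    if not path.startswith('/') or path.rsplit('/', 1)[-1] != avc['name']:
        raise ValueError("need the full path to %s" % avc['name'])
    q = shlex.quote(path)
    return [
        "chcon -t bin_t %s" % q,                 # immediate fix, lost on relabel
        "semanage fcontext -a -t bin_t %s" % q,  # persistent default labeling
        "restorecon -v %s" % q,                  # re-apply the default from the rule
    ]


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print("%s (%s) denied %s on %s (%s)" % (rec['comm'], rec['stype'],
          ' '.join(rec['perms']), rec['name'], rec['ttype']))
    for cmd in relabel_fix(rec, '/usr/share/shorewall-perl/compiler.pl'):
        print(cmd)
```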
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping