Bug 517576 - SELinux policy
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 5.3
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
Reported: 2009-08-14 14:57 EDT by Florencia Fotorello
Modified: 2009-10-15 14:31 EDT
Last Closed: 2009-10-15 14:31:26 EDT
Doc Type: Bug Fix

Description Florencia Fotorello 2009-08-14 14:57:00 EDT
Description of problem:


Version-Release number of selected component (if applicable):
There is a script located in /etc/scripts that executes remote commands using /usr/kerberos/bin/rsh.
When trying to execute it through SNMP (using exec), we received the following messages:


/var/log/messages:
Aug 12 12:24:50 serverName setroubleshoot: SELinux is preventing rsh (snmpd_t) "name_connect" to <Unknown> (inetd_child_port_t). For complete SELinux messages. run sealert -l 3cdb7c44-e54b-4c4d-8e63-0bc78552cbfe
Aug 12 12:24:51 serverName setroubleshoot: SELinux is preventing rsh (snmpd_t) "name_connect" to <Unknown> (inetd_child_port_t). For complete SELinux messages. run sealert -l 3cdb7c44-e54b-4c4d-8e63-0bc78552cbfe
Aug 12 12:24:51 serverName setroubleshoot: SELinux is preventing rsh (snmpd_t) "name_bind" to <Unknown> (hi_reserved_port_t). For complete SELinux messages. run sealert -l d7251da5-0080-4e4a-b311-7aac198c13ed 

sealert -l 3cdb7c44-e54b-4c4d-8e63-0bc78552cbfe:
Summary:

SELinux is preventing rsh (snmpd_t) "name_connect" to <Unknown>
(inetd_child_port_t).

Detailed Description:

SELinux denied access requested by rsh. It is not expected that this access is
required by rsh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:snmpd_t
Target Context                system_u:object_r:inetd_child_port_t
Target Objects                None [ tcp_socket ]
Source                        rsh
Source Path                   /usr/kerberos/bin/rsh
Port                          544
Host                          serverName
Source RPM Packages           krb5-workstation-1.6.1-31.el5_3.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     serverName
Platform                      Linux serverName 2.6.18-128.1.10.el5 #1 SMP Wed
                              Apr 29 13:55:17 EDT 2009 i686 i686
Alert Count                   110
First Seen                    Wed Aug 12 12:15:33 2009
Last Seen                     Thu Aug 13 04:06:40 2009
Local ID                      3cdb7c44-e54b-4c4d-8e63-0bc78552cbfe
Line Numbers

Raw Audit Messages

host=serverName type=AVC msg=audit(1250147200.114:14168): avc:  denied  { name_connect } for  pid=17960 comm="rsh" dest=544 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:inetd_child_port_t:s0 tclass=tcp_socket

host=serverName type=SYSCALL msg=audit(1250147200.114:14168): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bf9d0b90 a2=fa2ce8 a3=3 items=0 ppid=17959 pid=17960 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2199 comm="rsh" exe="/usr/kerberos/bin/rsh" subj=user_u:system_r:snmpd_t:s0 key=(null)


sealert -l d7251da5-0080-4e4a-b311-7aac198c13ed:
Summary:

SELinux is preventing rsh (snmpd_t) "name_connect" to <Unknown>
(inetd_child_port_t).

Detailed Description:

SELinux denied access requested by rsh. It is not expected that this access is
required by rsh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:snmpd_t
Target Context                system_u:object_r:inetd_child_port_t
Target Objects                None [ tcp_socket ]
Source                        rsh
Source Path                   /usr/kerberos/bin/rsh
Port                          544
Host                          serverName
Source RPM Packages           krb5-workstation-1.6.1-31.el5_3.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     serverName
Platform                      Linux serverName 2.6.18-128.1.10.el5 #1 SMP Wed
                             Apr 29 13:55:17 EDT 2009 i686 i686
Alert Count                   54
First Seen                    Wed Aug 12 12:15:33 2009
Last Seen                     Wed Aug 12 12:18:13 2009
Local ID                      3cdb7c44-e54b-4c4d-8e63-0bc78552cbfe
Line Numbers

Raw Audit Messages

host=serverName type=AVC msg=audit(1250090293.241:13757): avc:  denied  { name_connect } for  pid=30157 comm="rsh" dest=544 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:inetd_child_port_t:s0 tclass=tcp_socket

host=serverName type=SYSCALL msg=audit(1250090293.241:13757): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaf8d10 a2=f3ace8 a3=3 items=0 ppid=30156 pid=30157 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2183 comm="rsh" exe="/usr/kerberos/bin/rsh" subj=user_u:system_r:snmpd_t:s0 key=(null)


How reproducible:
Always

Steps to Reproduce:
1. Create a script containing the /usr/kerberos/bin/rsh command.
2. Add it to SNMP using exec.

Actual results:
SELinux denies the execution of remote commands.

Expected results:
Allow the execution of remote commands.

Additional info:
Comment 1 Daniel Walsh 2009-08-14 16:06:44 EDT
It is probably best for you to add this using audit2allow rules

# grep rsh /var/log/audit/audit.log | audit2allow -M myrsh
# semodule -i myrsh.pp
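As an added illustration, not part of the bug report and not audit2allow's own code, the script below reproduces what the suggested `grep rsh /var/log/audit/audit.log | audit2allow -M myrsh` pipeline does with the raw AVC records quoted above (the capital `-M` form is the one that builds the loadable `myrsh.pp`; lowercase `-m` only prints module source). It parses the `type=AVC` records, ignores the accompanying `type=SYSCALL` records, merges the denied permissions per (source type, target type, object class) and renders a `.te` module source in the same shape audit2allow writes. The input is constructed: the `name_connect` records are the two quoted in the report, while the `name_bind` record for `hi_reserved_port_t` is made up here because the report only quotes the setroubleshoot summary for that denial, so its `src=` port and audit serial are assumptions.

```python
"""Minimal audit2allow-style parser for the AVC denials quoted in this bug."""
import re
from collections import defaultdict

# Constructed input. The two type=AVC / type=SYSCALL pairs are the raw audit
# messages from the bug report; the last line is a constructed name_bind record
# (the report only quotes the setroubleshoot summary for that denial), so its
# src= port and serial number are assumptions, not data from the page.
SAMPLE_AUDIT_LOG = """\
host=serverName type=AVC msg=audit(1250147200.114:14168): avc:  denied  { name_connect } for  pid=17960 comm="rsh" dest=544 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:inetd_child_port_t:s0 tclass=tcp_socket
host=serverName type=SYSCALL msg=audit(1250147200.114:14168): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=bf9d0b90 a2=fa2ce8 a3=3 items=0 ppid=17959 pid=17960 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2199 comm="rsh" exe="/usr/kerberos/bin/rsh" subj=user_u:system_r:snmpd_t:s0 key=(null)
host=serverName type=AVC msg=audit(1250090293.241:13757): avc:  denied  { name_connect } for  pid=30157 comm="rsh" dest=544 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:inetd_child_port_t:s0 tclass=tcp_socket
host=serverName type=SYSCALL msg=audit(1250090293.241:13757): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfaf8d10 a2=f3ace8 a3=3 items=0 ppid=30156 pid=30157 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2183 comm="rsh" exe="/usr/kerberos/bin/rsh" subj=user_u:system_r:snmpd_t:s0 key=(null)
host=serverName type=AVC msg=audit(1250090293.300:13758): avc:  denied  { name_bind } for  pid=30157 comm="rsh" src=1022 scontext=user_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
"""

# One AVC record: "avc: denied { perm ... } for ... comm="x" ... scontext= tcontext= tclass="
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]+)\}\s+for\b.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text, comm=None):
    """Yield (comm, source_type, target_type, tclass, perms) per AVC denial.

    `comm` restricts the result to one process name, which is what the
    `grep rsh` in the suggested pipeline is meant to do (grep itself would also
    match any other audit line that merely contains the string "rsh").
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and unrelated lines carry no AVC decision
        if comm is not None and m.group("comm") != comm:
            continue
        # A context is user:role:type[:range]; the type is always field 2.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        yield m.group("comm"), stype, ttype, m.group("tclass"), perms


def build_allow_rules(text, comm=None):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for _comm, stype, ttype, tclass, perms in parse_avc_denials(text, comm):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def render_te(module_name, rules, version="1.0"):
    """Render module source (.te) in the shape `audit2allow -M` writes."""
    types = sorted({s for (s, _t, _c) in rules} | {t for (_s, t, _c) in rules})
    classes = defaultdict(set)
    for (_s, _t, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for source in sorted({s for (s, _t, _c) in rules}):
        out += ["", f"#============= {source} =============="]
        for (s, t, c), perms in sorted(rules.items()):
            if s == source:
                out.append(f"allow {s} {t}:{c} {' '.join(sorted(perms))};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("myrsh", build_allow_rules(SAMPLE_AUDIT_LOG, comm="rsh")))
```

Two things worth checking before loading the resulting module with `semodule -i`: the rules are granted to everything running as `snmpd_t`, not just the one script under /etc/scripts, so any code snmpd executes gains the right to connect to `inetd_child_port_t` ports and bind reserved ports; and the two SYSCALL records quoted in the report differ in their `exit=` value, `-111` (ECONNREFUSED) in the permissive-mode alert, meaning the connect was let through and nothing answered on 544/tcp, versus `-13` (EACCES) in the enforcing-mode alert, which is the denial itself. A connection refused after the policy is loaded is therefore not an SELinux problem.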