Bug 587669 - SELinux is preventing /bin/bash "read" access on /home/mark.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.0
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Aleš Mareček
Whiteboard: setroubleshoot_trace_hash:eaebbbe5d47...
Blocks: 644333
Reported: 2010-04-30 10:08 EDT by Mark Wielaard
Modified: 2017-01-03 05:23 EST
Fixed In Version: openswan-2_6_24-4_el6
Doc Type: Bug Fix
Last Closed: 2010-11-11 09:57:23 EST
Attachments: None

Description Mark Wielaard 2010-04-30 10:08:35 EDT
Summary:

SELinux is preventing /bin/bash "read" access on /home/mark.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this
access is required by _realsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/mark [ dir ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32-23.el6.x86_64
                              #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      0f5191ed-4a8d-4a52-ba5e-6feef49e37a8
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1272636402.891:206): avc:  denied  { read } for  pid=9856 comm="_realsetup" name="mark" dev=dm-1 ino=12 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1272636402.891:206): arch=c000003e syscall=2 success=yes exit=3 a0=4a43ab a1=90800 a2=0 a3=7fffc41dc200 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)



Hash String generated from  catchall,_realsetup,ipsec_mgmt_t,user_home_dir_t,dir,read
audit2allow suggests:

#============= ipsec_mgmt_t ==============
allow ipsec_mgmt_t user_home_dir_t:dir read;
Comment 1 Mark Wielaard 2010-04-30 10:20:08 EDT
Something odd is going on, since _realsetup also seems to poke at a couple of other random files in my homedir: .pulse-cookie, .xinputrc, .gitconfig, .ICEauthority and .Xauthority.

Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.pulse-cookie.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this
access is required by _realsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:pulseaudio_home_t:s0
Target Objects                /home/mark/.pulse-cookie [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64
                              #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      ed697985-0052-4926-b291-7d053bb68154
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:207): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.pulse-cookie" dev=dm-1 ino=46 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:207): arch=c000003e syscall=4 success=yes exit=0 a0=1e35910 a1=7fffc41dc460 a2=7fffc41dc460 a3=51 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)



Summary:

SELinux is preventing /bin/bash "read" access on /home/mark/.xinputrc.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this
access is required by _realsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/mark/.xinputrc [ lnk_file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64
                              #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      9864e37e-5d00-46fd-a714-7b6b2ecf47b7
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:208): avc:  denied  { read } for  pid=9856 comm="_realsetup" name=".xinputrc" dev=dm-1 ino=96099 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:208): arch=c000003e syscall=4 success=yes exit=0 a0=1e34730 a1=7fffc41dc460 a2=7fffc41dc460 a3=0 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)



Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.gitconfig.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this
access is required by _realsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:git_session_content_t:s0
Target Objects                /home/mark/.gitconfig [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64
                              #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      be531eb6-2622-4e5f-8023-b1a28904cb40
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:209): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.gitconfig" dev=dm-1 ino=92310 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:git_session_content_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:209): arch=c000003e syscall=4 success=yes exit=0 a0=1e346f0 a1=7fffc41dc460 a2=7fffc41dc460 a3=0 items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)



Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.ICEauthority.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this
access is required by _realsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:iceauth_home_t:s0
Target Objects                /home/mark/.ICEauthority [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64
                              #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      c9bd66fe-d6a3-439a-a090-883f79c8a59f
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1272636402.891:210): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.ICEauthority" dev=dm-1 ino=89964 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:iceauth_home_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.891:210): arch=c000003e syscall=4 success=yes exit=0 a0=1e33d20 a1=7fffc41dc460 a2=7fffc41dc460 a3=c items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)



Summary:

SELinux is preventing /bin/bash "getattr" access on /home/mark/.Xauthority.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by _realsetup. It is not expected that this
access is required by _realsetup and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:ipsec_mgmt_t:s0
Target Context                unconfined_u:object_r:xauth_home_t:s0
Target Objects                /home/mark/.Xauthority [ file ]
Source                        _realsetup
Source Path                   /bin/bash
Port                          <Unknown>
Host                          springer.wildebeest.org
Source RPM Packages           bash-4.1.2-2.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-9.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     springer.wildebeest.org
Platform                      Linux springer.wildebeest.org 2.6.32-23.el6.x86_64
                              #1 SMP Tue Apr 27 21:17:28 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 30 Apr 2010 04:06:42 PM CEST
Last Seen                     Fri 30 Apr 2010 04:06:42 PM CEST
Local ID                      09eb2eb9-d656-42a3-9328-7e80995a54cb
Line Numbers                  

Raw Audit Messages            

node=springer.wildebeest.org type=AVC msg=audit(1272636402.893:211): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.Xauthority" dev=dm-1 ino=86687 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file

node=springer.wildebeest.org type=SYSCALL msg=audit(1272636402.893:211): arch=c000003e syscall=4 success=yes exit=0 a0=1e1b800 a1=7fffc41dc460 a2=7fffc41dc460 a3=c items=0 ppid=9854 pid=9856 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="_realsetup" exe="/bin/bash" subj=unconfined_u:system_r:ipsec_mgmt_t:s0 key=(null)
Comment 3 RHEL Product and Program Management 2010-04-30 11:47:34 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 4 Daniel Walsh 2010-04-30 16:41:52 EDT
Were you sitting in your homedir when you executed this script?

I have no idea why _realsetup is looking at files in your homedir.  Maybe it looks at all subdirs of the current directory?
Comment 5 Avesh Agarwal 2010-04-30 16:46:23 EDT
Openswan's _realsetup does not have anything to do with these files: .pulse-cookie, .xinputrc, .gitconfig, .ICEauthority and .Xauthority.
Comment 6 Mark Wielaard 2010-05-03 05:27:12 EDT
Yes, this is when sitting in my homedir. But it doesn't look like it is looking at all files in my homedir; there are lots more.

It isn't happening anymore. Or at least, I am not able to trigger it easily. Will update the bug report if I see it again. Looking through the _realsetup shell script I don't see anything obvious that could trigger this.

I am still seeing the selinux denials from bug #586760 (in Permissive mode)

$ rpm -q  selinux-policy openswan
selinux-policy-3.7.19-10.el6.noarch
openswan-2.6.24-3.el6.x86_64
Comment 7 Daniel Walsh 2010-05-03 10:16:52 EDT
It is probably the bash script that is triggering these.  If we add a cd / to the script it probably would not generate these avcs.
Comment 8 Mark Wielaard 2010-05-04 08:12:34 EDT
Found an easy reproducer. Stop the ipsec service when it is already stopped (or just stop it twice in a row) while your current directory is your home directory:

$ sudo ipsec setup stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...

That will give you (in my case 6) selinux denials on various status/reads of the home directory and some of the dot files.
Comment 9 Avesh Agarwal 2010-05-04 18:23:36 EDT
Could you please try the latest selinux-policy-3.7.19-11.el6, and see if it still happens?
Comment 10 Mark Wielaard 2010-05-05 07:38:37 EDT
(In reply to comment #9)
> Could you please try the latest selinux-policy-3.7.19-11.el6, and see if it
> still happens?    

Yes it still happens with selinux-policy-3.7.19-11.el6.noarch
That version does fix bug #586760 but not this one.

If you try the reproducer in comment #8 you should also see this issue with the latest selinux-policy package. But I don't think this is a selinux-policy issue. It seems that ipsec should just not try to stat/read files in the user home directory.
Comment 11 Daniel Walsh 2010-05-05 11:27:04 EDT
Is ipsec a shell script? If it does cd / before executing, this will fix the problem. This is what the /sbin/service script does.
Comment 12 Avesh Agarwal 2010-05-05 11:33:36 EDT
ipsec can also be started/stopped as follows:

service ipsec start/stop

I believe that would solve the problem. Mark, can you please check that?

Then, we do not need to fix it, right?
Comment 13 Mark Wielaard 2010-05-05 12:17:39 EDT
(In reply to comment #12)
> ipsec can also be started/stopped as follow:
> 
> service ipsec start/stop
> 
> I believe that that would solve the problem. Mark, can you please check that?  

If I run "service ipsec stop" twice in a row it doesn't seem to trigger any accesses to the home directory or any dot files.

> Then, we do not need to fix it, right?    

I don't know what the "correct" way is to use this.
I didn't know there was also a service, the documentation I saw (RHEL6InternalBeta) said to execute things by hand to access the vpn.
Comment 14 Avesh Agarwal 2010-05-05 12:40:45 EDT
Hello Mark,

Thanks for checking this. Although both are correct ways, "service ipsec start/stop" is selinux-friendly and "ipsec setup start/stop" is not. The reason for this is that, as Dan Walsh stated in his comment 11, /sbin/service has "cd /". That's why I asked you to check "service ipsec start/stop", because it follows the selinux-friendly way.

Thanks
Avesh
Comment 15 Daniel Walsh 2010-05-05 13:09:37 EDT
Is ipsec a command in /usr/bin or /usr/sbin?  Or is it the init script in /etc/init.d/ipsec
Comment 16 Avesh Agarwal 2010-05-05 13:16:10 EDT
Both: ipsec is in /usr/sbin/ipsec, and also in /etc/init.d/ipsec.
Comment 17 Daniel Walsh 2010-05-05 13:44:21 EDT
Can you add a cd / to /usr/sbin/ipsec?
Comment 18 Avesh Agarwal 2010-05-05 13:54:29 EDT
I can do that. But it would help me explain it to Openswan upstream if you can explain to me why this solves the problem and makes /usr/sbin/ipsec more selinux-friendly.
Comment 19 Daniel Walsh 2010-05-05 14:23:59 EDT
The script _realsetup is for some reason looking at files/directories in the current working directory.  

I have no idea why, but it might be searching a path.  Any files/directories with labels that ipsec is not allowed to touch will generate a getattr AVC message, as we see.  Changing working directory also prevents users homedir from potentially influencing the script to do something evil/unexpected.

Bill do you have any other history on why service script does the "cd /"
Comment 20 Bill Nottingham 2010-05-05 16:48:34 EDT
It also ensures that someone who happens to start a random service while sitting in a NFS-mounted directory won't have busy references to that NFS filesystem when they try to shut down, for example.

'/' is chosen as it's a directory that will always be available.
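As an added illustration of comments 11, 19 and 20 (example code written for this page, not openswan's own script and not the /sbin/service wrapper): a helper that resolves anything relative to its working directory behaves differently depending on where root happened to be standing when invoking it, and whoever controls that directory controls the outcome. Under SELinux the same relative lookups are what produce the getattr AVCs on differently labelled dot files seen above. The names fragile_helper, run_from_root and hardened_helper, the file name ipsec.conf.local and the temporary "home directory" are assumptions of the example; the real _realsetup logic is not shown in this bug.

```shell
#!/bin/sh
# Added example, not code from openswan, /sbin/service or this bug: why a
# privileged helper should leave the caller's working directory before it
# does anything, which is the "cd /" that comments 11 and 19-20 describe.

# Hypothetical stand-in for a helper that consults a relative path. Every
# relative lookup is resolved against $PWD, so when root runs this from a
# user's home directory the user decides what the lookup finds, and each
# stat() of a differently labelled dot file is a getattr AVC under SELinux.
fragile_helper() {
  if [ -r ipsec.conf.local ]; then
    echo "using $(pwd)/ipsec.conf.local"   # planted by the user, honoured by root
  else
    echo "using /etc/ipsec.conf"
  fi
}

# General wrapper: pin the working directory to / (always present, never an
# NFS mount the caller happens to be sitting in), then run the command with
# its arguments. A subshell is used so the caller's own directory is untouched.
run_from_root() {
  ( cd / || exit 1; "$@" )
}

# The hardened shape of the same helper.
hardened_helper() {
  run_from_root fragile_helper "$@"
}

# Stand-alone demonstration with a constructed "home directory" in a temp dir.
demo() {
  fakehome=$(mktemp -d)                  # constructed, stands in for /home/mark
  : > "$fakehome/ipsec.conf.local"       # the user plants a config file
  : > "$fakehome/.Xauthority"            # alongside the usual dot files
  (
    cd "$fakehome" || exit 1
    printf 'fragile:  %s\n' "$(fragile_helper)"
    printf 'hardened: %s\n' "$(hardened_helper)"
  )
  rm -rf "$fakehome"
}
demo
```

The stronger fix is for the helper to use absolute paths only; the cd / bounds the damage when a script you do not control fails to do that, and it is the reason /sbin/service behaves differently from running /usr/sbin/ipsec by hand.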
Comment 31 Daniel Walsh 2010-08-05 14:54:33 EDT
Miroslav, the only thing we can do is add

files_dontaudit_search_home(ipsec_t)
Comment 32 Miroslav Grepl 2010-08-06 09:25:33 EDT
Fixed in selinux-policy-3.7.19-36.el6.noarch.
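The audit2allow output in the description and the dontaudit fix in comments 31 and 32 are two answers to the same AVC records. The following is an added example (not code from this bug, from setroubleshoot or audit2allow, or from the selinux-policy package) that parses those records with POSIX sh and awk and emits either the allow rules audit2allow suggests or the dontaudit rules the maintainers chose, wrapped in a local module of the shape audit2allow -M produces. The function names, the module name ipsec_home_noise and the seventh AVC line (marked constructed; it carries two permissions so the brace syntax is exercised) are assumptions of the example; the other six records are copied from this bug. Two things it makes visible: the SYSCALL records above carry success=yes only because the host was in permissive mode, so under enforcing those stat()/read() calls would fail; and since _realsetup has no business with those files (comment 5), a dontaudit silences the noise without granting ipsec_mgmt_t any access to home directories, whereas the allow rules would widen the policy for no functional gain.

```shell
#!/bin/sh
# Added example for bug 587669: turn the AVC records quoted above into
# candidate policy rules and a loadable local module. This is not code from
# setroubleshoot, audit2allow, openswan or the selinux-policy package.

# Constructed sample: the six AVC records from this bug with the node= prefix
# dropped, plus one constructed record (serial 212, not from the bug) carrying
# two permissions so the brace syntax is exercised.
AVC_SAMPLE='type=AVC msg=audit(1272636402.891:206): avc:  denied  { read } for  pid=9856 comm="_realsetup" name="mark" dev=dm-1 ino=12 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1272636402.891:207): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.pulse-cookie" dev=dm-1 ino=46 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:pulseaudio_home_t:s0 tclass=file
type=AVC msg=audit(1272636402.891:208): avc:  denied  { read } for  pid=9856 comm="_realsetup" name=".xinputrc" dev=dm-1 ino=96099 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
type=AVC msg=audit(1272636402.891:209): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.gitconfig" dev=dm-1 ino=92310 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:git_session_content_t:s0 tclass=file
type=AVC msg=audit(1272636402.891:210): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.ICEauthority" dev=dm-1 ino=89964 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:iceauth_home_t:s0 tclass=file
type=AVC msg=audit(1272636402.893:211): avc:  denied  { getattr } for  pid=9856 comm="_realsetup" path="/home/mark/.Xauthority" dev=dm-1 ino=86687 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:xauth_home_t:s0 tclass=file
type=AVC msg=audit(1272636402.893:212): avc:  denied  { read open } for  pid=9856 comm="_realsetup" path="/home/mark/.gitconfig" dev=dm-1 ino=92310 scontext=unconfined_u:system_r:ipsec_mgmt_t:s0 tcontext=unconfined_u:object_r:git_session_content_t:s0 tclass=file'

# avc_to_rules KIND   (KIND is "allow" or "dontaudit"; AVC records on stdin)
# Prints one "KIND src_type tgt_type:class perm;" per distinct denial, the
# same shape audit2allow prints, with the rule kind chosen by the caller.
avc_to_rules() {
  awk -v kind="$1" '
    /avc:  denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # the permission set sits between the braces: "{ read }" or "{ read open }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") { split(kv[2], c, ":"); src = c[3] }  # user:role:TYPE:level
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        if (kv[1] == "tclass")   cls = kv[2]
      }
      if (src == "" || tgt == "" || cls == "" || perm == "") next
      if (index(perm, " ")) perm = "{ " perm " }"
      print kind " " src " " tgt ":" cls " " perm ";"
    }' | sort -u
}

# avc_to_module NAME KIND   (AVC records on stdin)
# Wraps the rules in a module with the require block a standalone module needs;
# inside the policy tree the files_dontaudit_search_home() interface used in
# comment 31 supplies that block for you.
avc_to_module() {
  avc_to_rules "$2" | awk -v name="$1" '
    {
      split($3, tc, ":")                     # tgt_type:class
      types[$2] = 1; types[tc[1]] = 1
      perms = $4; for (i = 5; i <= NF; i++) perms = perms " " $i
      gsub(/[{};]/, "", perms)               # "{ read open };" -> " read open "
      np = split(perms, pl, " ")
      for (i = 1; i <= np; i++) classperm[tc[2] "/" pl[i]] = 1
      rules[++n] = $0
    }
    END {
      print "module " name " 1.0;"
      print "require {"
      for (t in types) print "\ttype " t ";"
      for (k in classperm) { split(k, p, "/"); cp[p[1]] = cp[p[1]] " " p[2] }
      for (c in cp) print "\tclass " c " {" cp[c] " };"
      print "}"
      for (i = 1; i <= n; i++) print rules[i]
    }'
}

# Stand-alone run: print the dontaudit module for the sample. To build and
# load such a module on a real host (needs checkmodule and semodule; not run here):
#   avc_to_module ipsec_home_noise dontaudit < /var/log/audit/audit.log > ipsec_home_noise.te
#   checkmodule -M -m -o ipsec_home_noise.mod ipsec_home_noise.te
#   semodule_package -o ipsec_home_noise.pp -m ipsec_home_noise.mod
#   semodule -i ipsec_home_noise.pp
printf '%s\n' "$AVC_SAMPLE" | avc_to_module ipsec_home_noise dontaudit
```

Feed it a real audit.log only after filtering to the source type you are reviewing; the function keys on the type field of scontext/tcontext, so MLS ranges in the level field do not disturb it, but it deliberately ignores the success= field of the SYSCALL record, which is what tells you whether the box was enforcing at the time.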
Comment 41 Daniel Walsh 2010-08-11 08:21:36 EDT
Miroslav you probably need

	optional_policy(`
		ipsec_mgmt_dbus_chat(sysadm_t)
	')
Comment 42 Miroslav Grepl 2010-08-11 11:02:48 EDT
Fixed in selinux-policy-3.7.19-38.el6.noarch
Comment 46 Daniel Walsh 2010-08-13 13:05:02 EDT
Somehow /etc/hosts got mislabeled.

Did you hand edit it?
Comment 47 Aleš Mareček 2010-08-16 04:24:59 EDT
Yes, I did, but it was a long time ago. So I wonder why I saw this AVC after a long time of using it and then some testing of this, and only once.

Anyway this is not the issue of this bug, nor blocking it. That's why I moved it to VERIFIED.
Comment 48 releng-rhel@redhat.com 2010-11-11 09:57:23 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.