Bug 593676 - SELinux is preventing /usr/bin/perl "read" access on /etc/shadow
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: smokeping
Version: 13
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Terje Røsten
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:ce0910aa8be...
Reported: 2010-05-19 09:33 EDT by Leszek Matok
Modified: 2011-06-27 12:29 EDT
Doc Type: Bug Fix
Last Closed: 2011-06-27 12:29:06 EDT

Attachments: None
Description Leszek Matok 2010-05-19 09:33:22 EDT
Summary:

SELinux is preventing /usr/bin/perl "read" access on /etc/shadow

Detailed Description:

SELinux denied access requested by smokeping. This access is not required
by smokeping and may indicate an intrusion attempt. It is also possible that
the specific version or configuration of the application causes it to require this

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a
bug report.

Additional Information:

Source Context                system_u:system_r:smokeping_t:SystemLow
Target Context                system_u:object_r:shadow_t:SystemLow
Target Objects                /etc/shadow [ file ]
Source                        smokeping
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.1-112.fc13
Target RPM Packages           setup-2.8.17-1.fc13
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.i686.PAE #1
                              SMP Thu May 6 18:27:11 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed, 19 May 2010, 15:30:35
Last Seen                     Wed, 19 May 2010, 15:30:35
Local ID                      d0fad8b7-279b-4f70-90d2-a6a0eb442bbb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274275835.503:5): avc:  denied  { read } for  pid=1636 comm="smokeping" name="shadow" dev=md127 ino=202108 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274275835.503:5): arch=40000003 syscall=5 success=no exit=-13 a0=bf8a29 a1=80000 a2=1b6 a3=bf89c5 items=0 ppid=1635 pid=1636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smokeping" exe="/usr/bin/perl" subj=system_u:system_r:smokeping_t:s0 key=(null)

Hash String generated from  catchall,smokeping,smokeping_t,shadow_t,file,read
audit2allow suggests:

#============= smokeping_t ==============
allow smokeping_t shadow_t:file read;
Comment 1 Daniel Walsh 2010-05-19 13:41:50 EDT
Why is smokeping trying to read the /etc/shadow file?
Comment 2 Terje Røsten 2010-05-19 14:53:26 EDT
No idea, a simple grep did not help much.

Seems strange, there should not be any need for that for pinging hosts and creating some pretty images?
Comment 3 Daniel Walsh 2010-05-19 15:01:02 EDT
Leszek, how did you get this to happen?
Comment 4 Leszek Matok 2010-05-19 15:51:50 EDT
This happens every single time I do service smokeping start (the report was from first boot of F13 after upgrade).

If I strace -f service smokeping start OR /usr/sbin/smokeping, I can see it opening /etc/shadow. The difference is that if I just run it as root, it succeeds. If I use the start script, it fails with EACCES and setroubleshoot pops up instead.

It reads /etc/nsswitch.conf and /lib/libnss_files.so.2 right before /etc/passwd and /etc/shadow, so I guess it's a library call from glibc. Can I somehow trap the Perl script to show me a backtrace at that point?
Comment 5 Daniel Walsh 2010-05-21 09:01:41 EDT
If you run it from an init script it transitions properly. If you run it directly it stays as an unconfined process and reads /etc/shadow.

Does smokeping report an error?  Or does it just succeed?

Any chance smokeping uses pam?

I do not know how to debug perl.
Comment 6 Daniel Walsh 2010-05-21 09:13:23 EDT
It tries to read it on my machine also. Does it seem to work even with this denial? I can add a dontaudit for this access, as I don't believe it really needs it. I have scanned the code and taken a brief look at the strace and can't tell what it is doing.
Comment 7 Daniel Walsh 2010-05-21 09:24:48 EDT
Fixed in selinux-policy-3.7.19-20.fc13.noarch
Comment 8 Leszek Matok 2010-05-22 03:22:38 EDT
I confirm it doesn't really need /etc/shadow access, or at least doesn't complain and seems working. However, actually using it results in setroubleshoot murdering my HDD (I can't believe how much this program sucks ;)). I guess raw messages are what you actually understand, as the rest is Polish anyhow, so here they go:


node=pensja.lam.pl type=AVC msg=audit(1274512544.281:2685): avc: denied { setattr } for pid=27241 comm="smokeping.cgi" name="fontconfig" dev=md127 ino=1674481 scontext=unconfined_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir 

node=pensja.lam.pl type=SYSCALL msg=audit(1274512544.281:2685): arch=40000003 syscall=15 success=no exit=-13 a0=976be98 a1=1ed a2=d4d1a8 a3=976be98 items=0 ppid=25646 pid=27241 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="smokeping.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_smokeping_cgi_script_t:s0 key=(null) 


and


node=pensja.lam.pl type=AVC msg=audit(1274512544.689:2689): avc: denied { read } for pid=25648 comm="httpd" name="Netia1_last_34560000.png" dev=md127 ino=1388795 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=file 

node=pensja.lam.pl type=SYSCALL msg=audit(1274512544.689:2689): arch=40000003 syscall=5 success=no exit=-13 a0=216d778 a1=88000 a2=0 a3=1021 items=0 ppid=25636 pid=25648 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 


After running without enforcing (when it actually worked), one more came up:

node=pensja.lam.pl type=AVC msg=audit(1274512528.403:2666): avc: denied { read } for pid=25641 comm="httpd" name="Ping.AtorPl_last_3600.png" dev=md127 ino=1745119 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:smokeping_var_lib_t:s0 tclass=file 

node=pensja.lam.pl type=SYSCALL msg=audit(1274512528.403:2666): arch=40000003 syscall=5 success=no exit=-13 a0=216d738 a1=88000 a2=0 a3=1021 items=0 ppid=25636 pid=25641 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) 


I'm a SELinux noob ;) so of course I might be doing something wrong, please excuse me in that case.
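The `audit2allow` suggestion in the description (`allow smokeping_t shadow_t:file read;`) would grant the daemon exactly the access the policy exists to deny, which is why comment 7 ships a `dontaudit` instead. The script below is an added example, not code from the bug report, from setroubleshoot/audit2allow or from the smokeping package: it parses the AVC and SYSCALL records quoted in this thread (embedded as a constructed sample with hostnames redacted), pairs each denial with its syscall record so the uid, login session and errno are visible, merges the denials the way audit2allow does, and renders a local policy module that refuses to `allow` anything on `shadow_t` and emits `dontaudit` for it. The module name `local_smokeping` and the `SENSITIVE_TARGETS` set are assumptions.

```python
"""Triage SELinux AVC denials and render a local policy module.

Added example for this bug thread; not code from the bug report, from
setroubleshoot/audit2allow or from smokeping. It reimplements a simplified
`audit2allow -M` with one guard: a target type in SENSITIVE_TARGETS is only
ever rendered as `dontaudit`. Module name and sample records are assumptions.
"""
import errno
import re
from collections import defaultdict

# Constructed sample: the records quoted in the bug, hostnames redacted.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1274275835.503:5): avc:  denied  { read } for  pid=1636 comm="smokeping" name="shadow" dev=md127 ino=202108 scontext=system_u:system_r:smokeping_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1274275835.503:5): arch=40000003 syscall=5 success=no exit=-13 a0=bf8a29 a1=80000 a2=1b6 a3=bf89c5 items=0 ppid=1635 pid=1636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smokeping" exe="/usr/bin/perl" subj=system_u:system_r:smokeping_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1274512544.281:2685): avc: denied { setattr } for pid=27241 comm="smokeping.cgi" name="fontconfig" dev=md127 ino=1674481 scontext=unconfined_u:system_r:httpd_smokeping_cgi_script_t:s0 tcontext=system_u:object_r:fonts_cache_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1274512544.281:2685): arch=40000003 syscall=15 success=no exit=-13 a0=976be98 a1=1ed a2=d4d1a8 a3=976be98 items=0 ppid=25646 pid=27241 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="smokeping.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_smokeping_cgi_script_t:s0 key=(null)
node=(removed) type=AVC msg=audit(1274512544.689:2689): avc: denied { read } for pid=25648 comm="httpd" name="Netia1_last_34560000.png" dev=md127 ino=1388795 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smokeping_var_lib_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1274512528.403:2666): avc: denied { read } for pid=25641 comm="httpd" name="Ping.AtorPl_last_3600.png" dev=md127 ino=1745119 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:smokeping_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+)\} '
    r'for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?exit=(?P<exit>-?\d+)'
    r'.*?auid=(?P<auid>\d+) uid=(?P<uid>\d+).*?exe="(?P<exe>[^"]*)"'
)
UNSET_AUID = "4294967295"         # (uid_t)-1: no login session, i.e. started from init
SENSITIVE_TARGETS = {"shadow_t"}  # assumption: never `allow` these, at most `dontaudit`


def type_of(context):
    """Type field of a context user:role:type[:range]."""
    return context.split(":")[2]


def parse_audit(text):
    """One dict per AVC denial, joined to its SYSCALL record by audit serial."""
    syscalls, avcs = {}, []
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = m.groupdict()
            continue
        m = AVC_RE.search(line)
        if m:
            avcs.append(m.groupdict())
    for a in avcs:
        a["perms"] = a["perms"].split()
        a.update({k: v for k, v in syscalls.get(a["serial"], {}).items() if k != "serial"})
    return avcs


def collect_rules(avcs):
    """Merge denials into {(source_type, target_type, class): {perms}} like audit2allow."""
    rules = defaultdict(set)
    for a in avcs:
        rules[(type_of(a["scontext"]), type_of(a["tcontext"]), a["tclass"])].update(a["perms"])
    return rules


def render_te(rules, module="local_smokeping", version="1.0"):
    """Render .te source for checkmodule/semodule_package; shadow_t gets dontaudit."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        verb = "dontaudit" if tgt in SENSITIVE_TARGETS else "allow"
        lines.append(f"{verb} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def triage(avcs):
    """One line per denial: who ran it, how the syscall failed, proposed policy verb."""
    out = []
    for a in avcs:
        if "exit" in a:
            code = int(a["exit"])
            outcome = errno.errorcode.get(-code, str(code)) if code < 0 else "succeeded"
        else:
            outcome = "no SYSCALL record"
        session = ("no login session, started from init" if a.get("auid") == UNSET_AUID
                   else f"login session auid={a.get('auid', '?')}")
        verb = "dontaudit" if type_of(a["tcontext"]) in SENSITIVE_TARGETS else "allow"
        out.append(f"{a['comm']} ({a.get('exe', '?')}, uid={a.get('uid', '?')}) "
                   f"{' '.join(a['perms'])} on {type_of(a['tcontext'])}:{a['tclass']} "
                   f"from {type_of(a['scontext'])}: {outcome}; {session}; proposed: {verb}")
    return out


if __name__ == "__main__":
    denials = parse_audit(SAMPLE_AUDIT)
    print("\n".join(triage(denials)))
    print(render_te(collect_rules(denials)))
```

Installing the rendered module is the sequence `audit2allow -M` automates: `checkmodule -M -m -o local_smokeping.mod local_smokeping.te`, then `semodule_package -o local_smokeping.pp -m local_smokeping.mod`, then `semodule -i local_smokeping.pp`. The `allow` rules the sample yields for httpd_t and httpd_smokeping_cgi_script_t are rendered only because their targets are not in the sensitive set; they need the same review before installing. The triage lines also make the distinction from comment 5 visible: the first denial has uid 0 and an unset auid (started from init, confined to smokeping_t), the later ones run as uid 48 under an auid=500 login session.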
Comment 9 Terje Røsten 2011-01-17 12:09:05 EST
Hi guys,
to sum it up:
 o smokeping for unknown reason reads /etc/passwd (via some library call?)
 o selinux-policy adds dontaudit to "fix" the issue
 o setroubleshoot is still complaining and trashing the hard drive?
Comment 10 Daniel Walsh 2011-01-17 12:45:55 EST
Could you attach the output from 

# ausearch -m avc -ts recent
Comment 11 Bug Zapper 2011-06-02 09:50:04 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Bug Zapper 2011-06-27 12:29:06 EDT
Fedora 13 changed to end-of-life (EOL) status on 2011-06-25. Fedora 13 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.