Bug 606622 – SELinux is preventing /usr/sbin/iceccd "execute" access on gcc.

Bug 606622 - SELinux is preventing /usr/sbin/iceccd "execute" access on gcc.

Summary:	SELinux is preventing /usr/sbin/iceccd "execute" access on gcc.

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	icecream (Show other bugs)
Sub Component:
Version:	12
Hardware:	x86_64 Linux

Priority	low Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Michal Schmidt
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:	setroubleshoot_trace_hash:b9791a33ca4...
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2010-06-22 01:43 EDT by Dennis Czeremin
Modified:	2010-06-30 04:45 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-06-30 04:45:27 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Dennis Czeremin 2010-06-22 01:43:03 EDT

Summary:

SELinux is preventing /usr/sbin/iceccd "execute" access on gcc.

Detailed Description:

[iceccd has a permissive type (iceccd_t). This access was not denied.]

SELinux denied access requested by iceccd. It is not expected that this access
is required by iceccd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:iceccd_t:s0
Target Context                unconfined_u:object_r:iceccd_tmp_t:s0
Target Objects                gcc [ file ]
Source                        iceccd
Source Path                   /usr/sbin/iceccd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           icecream-0.9.5-5.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.14-127.fc12.x86_64 #1 SMP Fri May 28
                              04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 21 Jun 2010 10:41:55 AM CEST
Last Seen                     Tue 22 Jun 2010 07:23:17 AM CEST
Local ID                      00b09842-bee8-4cb8-8e10-c9ce973f7737
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1277184197.464:35): avc:  denied  { execute } for  pid=25478 comm="iceccd" name="gcc" dev=tmpfs ino=95799 scontext=unconfined_u:system_r:iceccd_t:s0 tcontext=unconfined_u:object_r:iceccd_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1277184197.464:35): arch=c000003e syscall=21 success=yes exit=128 a0=d2c578 a1=1 a2=0 a3=2d6363672f34365f items=0 ppid=3420 pid=25478 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="iceccd" exe="/usr/sbin/iceccd" subj=unconfined_u:system_r:iceccd_t:s0 key=(null)



Hash String generated from  catchall,iceccd,iceccd_t,iceccd_tmp_t,file,execute
audit2allow suggests:

#============= iceccd_t ==============
allow iceccd_t iceccd_tmp_t:file execute;

Comment 1 Dennis Czeremin 2010-06-22 01:51:53 EDT

After this, the iceccd deamon is dead.
A "service icecream restart" will help for a while.

Comment 2 Daniel Walsh 2010-06-22 08:35:25 EDT

Seems like a strange priv?  iceccd is executing gcc that it downloaded to /tmp?

Comment 3 Michal Schmidt 2010-06-25 11:55:42 EDT

Could you attach your /etc/sysconfig/icecream ? I'm curious if you changed ICECREAM_BASEDIR. By default the config file specifies /var/cache/icecream which is labeled with the type iceccd_cache_t. If you are using a different directory, it would have to be labeled with the same context (for example using "semange fcontext -a -e /var/cache/icecream /your/alternative/dir")

Comment 4 Dennis Czeremin 2010-06-30 04:45:27 EDT

You are right. My ICECREAM_BASEDIR points to /tmp/icecream

After 

 # semanage fcontext -a -e /var/cache/icecream /tmp/icecream
 # restorecon /tmp/icecream
 # ls -Zd /tmp/icecream
drwxr-xr-x. root root system_u:object_r:iceccd_cache_t:s0 /tmp/icecream

iceccd is working now. 

Many Thanks

Note You need to log in before you can comment on or make changes to this bug.