Bug 618572 - SELinux is preventing /usr/bin/perl "write" access on /root.
Summary: SELinux is preventing /usr/bin/perl "write" access on /root.
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:e89f9fda9db...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-27 10:00 UTC by Donald Edward Winslow
Modified: 2010-07-30 13:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-29 17:18:35 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
/etc/profile (1.42 KB, application/octet-stream)
2010-07-28 22:37 UTC, Donald Edward Winslow 		no flags Details
View All

Description Donald Edward Winslow 2010-07-27 10:00:03 UTC 
Summary:

SELinux is preventing /usr/bin/perl "write" access on /root.

Detailed Description:

SELinux denied access requested by perl. It is not expected that this access is
required by perl and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /root [ dir ]
Source                        perl
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           perl-5.10.1-114.fc13
Target RPM Packages           filesystem-2.4.31-1.fc13
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17
                              UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 27 Jul 2010 04:13:54 AM CDT
Last Seen                     Tue 27 Jul 2010 04:13:54 AM CDT
Local ID                      da29fd34-b6f0-4ae5-952e-ab4e35c507b6
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1280222034.254:18): avc:  denied  { write } for  pid=1769 comm="perl" name="root" dev=sda2 ino=260618 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1280222034.254:18): arch=c000003e syscall=83 success=no exit=-13 a0=26b4b10 a1=1ff a2=b a3=2520978 items=0 ppid=1768 pid=1769 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="perl" exe="/usr/bin/perl" subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,perl,xdm_t,admin_home_t,dir,write
audit2allow suggests:

#============= xdm_t ==============
#!!!! The source type 'xdm_t' can write to a 'dir' of the following type:
# gconf_home_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t, gnome_home_type
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t, gnome_home_type, pam_var_run_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t
#!!!! The source type 'xdm_t' can write to a 'dir' of the following types:
# gconf_home_t, pcscd_var_run_t, xkb_var_lib_t, xdm_rw_etc_t, xdm_home_t, pam_var_console_t, var_lock_t, root_t, tmp_t, var_t, user_home_dir_t, user_fonts_t, user_tmpfs_t, locale_t, var_auth_t, xdm_spool_t, fonts_cache_t, tmpfs_t, user_tmp_t, auth_cache_t, xdm_tmpfs_t, var_spool_t, var_lib_t, var_run_t, xdm_tmp_t, xserver_log_t, var_log_t, xdm_log_t, gnome_home_type, pam_var_run_t, xdm_var_lib_t, xdm_var_run_t

allow xdm_t admin_home_t:dir write;
Comment 1 Donald Edward Winslow 2010-07-27 10:10:52 UTC 
Last night I installed some new packages (notably Pinot). This morning I booted, scrolled through email with checkgmail, started Yum Extender, and applied updates. I'm not sure when the AVC denial actually occurred; I noticed the applet while updates were being applied.
Comment 2 Daniel Walsh 2010-07-27 13:43:34 UTC 
Could you check what is running as xdm_t.

ps -eZ | grep xdm_t

I am pretty sure this is harmless, but it could be a mislabeled process running as xdm_t.
Comment 3 Donald Edward Winslow 2010-07-28 00:20:49 UTC 
[Donald@Zonotrichia ~]$ su -c 'ps -eZ | grep xdm_t'
Password: 
system_u:system_r:xdm_t:s0-s0:c0.c1023 1707 ?  00:00:00 gdm-binary
system_u:system_r:xdm_t:s0-s0:c0.c1023 1765 ?  00:00:00 gdm-simple-slav
system_u:system_r:xdm_t:s0-s0:c0.c1023 1853 ?  00:00:00 dbus-launch
system_u:system_r:xdm_t:s0-s0:c0.c1023 1911 ?  00:00:00 polkit-gnome-au
system_u:system_r:xdm_t:s0-s0:c0.c1023 1936 ?  00:00:00 gdm-session-wor
[Donald@Zonotrichia ~]$ 

The AVC denial (or the applet anyway) didn't show up when I booted this evening. The updates I applied this morning included the new selinux-policy and the new setroubleshoot. 

One thing I notice, btw, when I update selinux, then checkgmail doesn't work. If I reinstall checkgmail, it works.

Donald
Comment 4 Daniel Walsh 2010-07-28 18:02:03 UTC 
Do you have some entry in /etc/profiles that is running a perl script?
Comment 5 Donald Edward Winslow 2010-07-28 22:37:13 UTC 
Created attachment 435139 [details]
/etc/profile

I'm attaching /etc/profile.
Comment 6 Daniel Walsh 2010-07-29 14:44:04 UTC 
The files would be in /etc/profile.d/*.sh
Comment 7 Donald Edward Winslow 2010-07-29 15:12:20 UTC 
There is this one (see below). However, before looking I just uninstalled pilot-link-perl. I had installed pilot-link-perl the night before this AVC denial first appeared on boot-up. When I rebooted just now, the AVC denial did not occur. By the way, the applet is not showing up on the panel at all now, so in order to see if there's an AVC denial I have to open up the browser from a shortcut I put on my desktop.

perl-homedir is supposed to create a user directory where one might install perl programs without being root. I have not actually done so, however.

[Donald@Zonotrichia ~]$ cat /etc/profile.d/perl-homedir.sh
# invoke local::lib

# default -- invoke local::lib for all users
PERL_HOMEDIR=1

# load our configs, aka opportunities to set PERL_HOMEDIR=0
[ -f /etc/sysconfig/perl-homedir ] && . /etc/sysconfig/perl-homedir
[ -f $HOME/.perl-homedir         ] && . $HOME/.perl-homedir

alias perlll="eval `perl -Mlocal::lib`"

# if system default
if [ "x$PERL_HOMEDIR" = "x1" ] ; then

    eval `perl -Mlocal::lib`
fi
[Donald@Zonotrichia ~]$
Comment 8 Daniel Walsh 2010-07-29 17:18:35 UTC 
I think if you login as root and execute that shell the AVC will go away.
Note You need to log in before you can comment on or make changes to this bug.