Bug 622598 - SELinux is preventing /bin/bash "execute_no_trans" access on /lib/upstart/shutdown.
SELinux is preventing /bin/bash "execute_no_trans" access on /lib/upstar...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:9a64233e852...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-09 17:17 EDT by Horst H. von Brand
Modified: 2010-08-16 08:14 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-08-16 08:14:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Horst H. von Brand 2010-08-09 17:17:53 EDT
Summary:

SELinux is preventing /bin/bash "execute_no_trans" access on
/lib/upstart/shutdown.

Detailed Description:

SELinux denied access requested by ck-system-stop. It is not expected that this
access is required by ck-system-stop and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:consolekit_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /lib/upstart/shutdown [ file ]
Source                        ck-system-stop
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           upstart-0.6.5-7.fc14
Policy RPM                    selinux-policy-3.8.8-3.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35-0.56.rc6.git1.fc14.x86_64 #1 SMP Sat Jul 24
                              00:49:49 UTC 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Mon 26 Jul 2010 09:56:28 PM CLT
Last Seen                     Tue 27 Jul 2010 10:49:29 AM CLT
Local ID                      715c72eb-2eb1-47e4-ace8-82fe4220bb2a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1280242169.668:631): avc:  denied  { execute_no_trans } for  pid=3811 comm="ck-system-stop" path="/lib/upstart/shutdown" dev=dm-0 ino=1024005 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1280242169.668:631): arch=c000003e syscall=59 success=no exit=-13 a0=14dcb50 a1=14dafd0 a2=14dab60 a3=20 items=0 ppid=3810 pid=3811 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ck-system-stop" exe="/bin/bash" subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,ck-system-stop,consolekit_t,lib_t,file,execute_no_trans
audit2allow suggests:

#============= consolekit_t ==============
allow consolekit_t lib_t:file execute_no_trans;
Comment 1 Daniel Walsh 2010-08-10 08:33:49 EDT
yum update selinux-policy 
restorecon /lib/upstart/shutdown
/lib/upstart/shutdown	system_u:object_r:shu
Comment 2 Horst H. von Brand 2010-08-11 20:08:50 EDT
# ls -lZ /lib/upstart/shutdown 
-rwxr-xr-x. root root system_u:object_r:shutdown_exec_t:s0 /lib/upstart/shutdown

selinux-policy-3.8.8-10.fc14.noarch
selinux-policy-targeted-3.8.8-10.fc14.noarch

No mention of upstart in /var/log/audit/audit.log
Comment 3 Daniel Walsh 2010-08-13 12:18:22 EDT
Sot it should work fine now.  The bug happened in July
Comment 4 Horst H. von Brand 2010-08-15 23:27:45 EDT
Should I close it? I'm on systemd right now...

Note You need to log in before you can comment on or make changes to this bug.