Summary:

SELinux is preventing /bin/bash access to a leaked /bin/sh file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the sh command. It looks like this is either a leaked descriptor or sh output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the /bin/sh. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /bin/sh [ lnk_file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           bash-4.1.7-3.fc14
Policy RPM                    selinux-policy-3.8.8-20.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Sun 29 Aug 2010 04:26:47 PM CDT
Last Seen                     Sun 29 Aug 2010 04:26:47 PM CDT
Local ID                      8451143f-c5e7-4fae-bea2-8c51e6ae4617
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1283117207.455:531): avc: denied { read } for pid=23304 comm="rpcbind" name="sh" dev=dm-0 ino=2621443 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
node=(removed) type=AVC msg=audit(1283117207.455:531): avc: denied { execute } for pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1283117207.455:531): avc: denied { read open } for pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1283117207.455:531): avc: denied { execute_no_trans } for pid=23304 comm="rpcbind" path="/bin/bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1283117207.455:531): arch=c000003e syscall=59 success=yes exit=0 a0=7f62d83c4d91 a1=7fffa6a32da0 a2=7fffa6a3a638 a3=7fffa6a34ba0 items=0 ppid=1310 pid=23304 auid=4294967295 uid=32 gid=32 euid=32 suid=32 fsuid=32 egid=32 sgid=32 fsgid=32 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpcbind_t:s0 key=(null)

Hash String generated from  leaks,sh,rpcbind_t,bin_t,lnk_file,read

audit2allow suggests:

#============= rpcbind_t ==============
allow rpcbind_t bin_t:lnk_file read;
allow rpcbind_t shell_exec_t:file { read execute open execute_no_trans };
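The report above shows the step audit2allow performs: it folds the raw AVC records into per (source type, target type, class) allow rules, and the SYSCALL record's success=yes is what tells you the denials were only logged, not enforced. The following is an added illustration of that derivation (not code from the report, setroubleshoot or audit2allow); the sample records are the ones from this report, reflowed one per line, and permissions are emitted in sorted order rather than audit2allow's order.

```python
import re
from collections import OrderedDict

# Constructed sample: the four AVC records and the SYSCALL record from the
# setroubleshoot report above, one record per line, node= prefix dropped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1283117207.455:531): avc: denied { read } for pid=23304 comm="rpcbind" name="sh" dev=dm-0 ino=2621443 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1283117207.455:531): avc: denied { execute } for pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1283117207.455:531): avc: denied { read open } for pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1283117207.455:531): avc: denied { execute_no_trans } for pid=23304 comm="rpcbind" path="/bin/bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1283117207.455:531): arch=c000003e syscall=59 success=yes exit=0 pid=23304 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpcbind_t:s0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)'
)
SYSCALL_RE = re.compile(r'type=SYSCALL .*?success=(?P<ok>yes|no)')


def parse_avc_records(text):
    """Group denied permissions by (source type, target type, object class).
    A context is user:role:type:level, so the type is the third field."""
    rules = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m['scon'].split(':')[2], m['tcon'].split(':')[2], m['tclass'])
        perms = rules.setdefault(key, set())
        perms.update(m['perms'].split())
    return rules


def to_allow_rules(rules):
    """Render the grouped permissions as policy allow rules, one per key."""
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        ordered = sorted(perms)
        perm = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
        out.append(f'allow {stype} {ttype}:{tclass} {perm};')
    return out


def was_enforced(text):
    """True only if a SYSCALL record reports success=no, i.e. the kernel
    refused the call. success=yes next to AVC denials means permissive
    mode: the access was logged but allowed, as the report header says."""
    hits = (SYSCALL_RE.search(line) for line in text.splitlines())
    return any(m['ok'] == 'no' for m in hits if m)
```

The rules this produces are the blanket grants audit2allow proposes; the fix the maintainers actually shipped for this bug used the policy interface corecmd_exec_shell(rpcbind_t) instead, which is the better choice because it grants exactly the shell-execution permissions the policy already defines for that purpose.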
This is the second time I have seen this AVC. Looking at the code I do not know what rpcbind is trying to execute. I guess allowing it to execute bash is ok. Miroslav, can you add this to F13?

corecmd_exec_shell(rpcbind_t)

Fixed in selinux-policy-3.9.0-2.fc14
https://bugzilla.redhat.com/show_bug.cgi?id=590426
selinux-policy-3.9.0-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14
I did yum update yesterday; today I rebooted my F14 VM and everything appeared "normal". A SELinux message flashes in the upper right corner for a moment; I ignore it. Shortly thereafter I go to Applications > System Tools > SELinux troubleshooter; the icon spins for the normal amount of time, then nothing. System > Administration > Services: the icon spins for the normal amount of time, then nothing. OK, I start a terminal session and su - it:

[root@bonk log]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
[root@bonk log]# service setroubleshoot status
setroubleshoot: unrecognized service
[root@bonk log]# service auditd status
auditd (pid 1230) is running...

ntsysv shows no setroubleshoot

[root@bonk log]# yum info setroubleshoot
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Adding en_US to language list
Found 12 installed debuginfo package(s)
Enabling updates-testing-debuginfo: Fedora 14 - x86_64 - Test Updates Debug
Enabling fedora-debuginfo: Fedora 14 - x86_64 - Debug
Installed Packages
Name        : setroubleshoot
Arch        : x86_64
Version     : 2.2.95
Release     : 1.fc14
Size        : 295 k
Repo        : installed
From repo   : updates-testing
Summary     : Helps troubleshoot SELinux problems
URL         : https://fedorahosted.org/setroubleshoot
License     : GPLv2+
Description : setroubleshoot gui. Application that allows you to view
            : setroubleshoot-server messages.
            : Provides tools to help diagnose SELinux problems. When AVC
            : messages are generated an alert can be generated that will give
            : information about the problem and help track its resolution.
            : Alerts can be configured to user preference. The same tools can be
            : run on existing log files.
[root@bonk log]# cat messages | grep setroubleshoot
Aug 31 13:17:41 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127
Aug 31 13:21:40 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127
Aug 31 13:30:28 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127
Aug 31 13:30:51 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127

Any ideas what I should do here? THANKS in advance for all your efforts, wow, much appreciated! Why Microsoft lasts even one minute with a community like this amazes me.
Could you execute ausearch -m avc -ts today?
Also, can you ask for help on fedora-list or open a different bug?
I decided to scratch this install and re-install. Things seem to be fine now. In my opinion SELinux needs to be set to permissive for at least your first yum update. The subsequent SELinux policy is fixed, I think, but the one that comes on the non-updated alpha stops some things from being written properly during yum update, and that causes a downstream mess... THANKS!
What you really are saying is the Alpha was screwed up with a bug that should have been caught. But it is an alpha. Hopefully we will do better in the Beta.
No, not at all, you guys are doing a fantastic job. I presumed this is exactly why we are doing this: to catch this stuff for the Beta. It is more my fault for not attaching significance to the original event, which was blossoming into a larger, difficult-to-reverse issue. As I became more familiar with the product I realized how fast I could put it back in order, and I didn't want you wasting your time, as the SELinux policy is fixed now and I'm sure the Beta won't have that issue. Hopefully I was of some limited aid in that process, which is why I do it. In the whole of my experience I've seen much slower progress with various products over the years, sometimes at as much as $500/hour. Microsoft can take as long as a year to turn over an issue like this. I would congratulate yourselves as the best and doing a fine job. THANKS!
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.