Bug 628392 - SELinux is preventing /bin/bash access to a leaked /bin/sh file descriptor.
Summary: SELinux is preventing /bin/bash access to a leaked /bin/sh file descriptor.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a6e7b95bfeb...
Depends On:
Blocks:
 
Reported: 2010-08-29 21:29 UTC by Jay Rothschild
Modified: 2010-09-08 04:32 UTC (History)

Fixed In Version: selinux-policy-3.9.0-2.fc14
Clone Of:
Environment:
Last Closed: 2010-09-08 04:32:07 UTC
Type: ---
Embargoed:



Description Jay Rothschild 2010-08-29 21:29:50 UTC
Summary:

SELinux is preventing /bin/bash access to a leaked /bin/sh file descriptor.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by the sh command. It looks like this is either
a leaked descriptor or sh output was redirected to a file it is not allowed to
access. Leaks usually can be ignored since SELinux is just closing the leak and
reporting the error. The application does not use the descriptor, so it will run
properly. If this is a redirection, you will not get output in the /bin/sh. You
should generate a bugzilla on selinux-policy, and it will get routed to the
appropriate package. You can safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                system_u:system_r:rpcbind_t:s0
Target Context                system_u:object_r:bin_t:s0
Target Objects                /bin/sh [ lnk_file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           bash-4.1.7-3.fc14
Policy RPM                    selinux-policy-3.8.8-20.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Sun 29 Aug 2010 04:26:47 PM CDT
Last Seen                     Sun 29 Aug 2010 04:26:47 PM CDT
Local ID                      8451143f-c5e7-4fae-bea2-8c51e6ae4617
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { read } for  pid=23304 comm="rpcbind" name="sh" dev=dm-0 ino=2621443 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file

node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { execute } for  pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { read open } for  pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { execute_no_trans } for  pid=23304 comm="rpcbind" path="/bin/bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1283117207.455:531): arch=c000003e syscall=59 success=yes exit=0 a0=7f62d83c4d91 a1=7fffa6a32da0 a2=7fffa6a3a638 a3=7fffa6a34ba0 items=0 ppid=1310 pid=23304 auid=4294967295 uid=32 gid=32 euid=32 suid=32 fsuid=32 egid=32 sgid=32 fsgid=32 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpcbind_t:s0 key=(null)



Hash String generated from  leaks,sh,rpcbind_t,bin_t,lnk_file,read
audit2allow suggests:

#============= rpcbind_t ==============
allow rpcbind_t bin_t:lnk_file read;
allow rpcbind_t shell_exec_t:file { read execute open execute_no_trans };
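Added example (not code from this bug report, from setroubleshoot or from audit2allow): a small Python parser that reads the raw audit records quoted above, merges the AVC denials into the same two allow rules audit2allow printed, and uses the SYSCALL record that shares the audit serial to tell a genuine execve apart from a merely leaked descriptor. The sample input is the bug's own five records; the regexes assume the audit record layout shown above, and permissions inside braces are sorted here, whereas audit2allow keeps its own order.

```python
"""Parse raw SELinux AVC records into audit2allow-style rules and check the
matching SYSCALL record. Added example; not from the bug or from audit2allow."""
import re
from collections import defaultdict

# Sample input copied from the bug's Raw Audit Messages: four AVC records and the
# SYSCALL record that all carry audit serial 1283117207.455:531.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { read } for  pid=23304 comm="rpcbind" name="sh" dev=dm-0 ino=2621443 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { execute } for  pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { read open } for  pid=23304 comm="rpcbind" name="bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
node=(removed) type=AVC msg=audit(1283117207.455:531): avc:  denied  { execute_no_trans } for  pid=23304 comm="rpcbind" path="/bin/bash" dev=dm-0 ino=2621527 scontext=system_u:system_r:rpcbind_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1283117207.455:531): arch=c000003e syscall=59 success=yes exit=0 a0=7f62d83c4d91 a1=7fffa6a32da0 a2=7fffa6a3a638 a3=7fffa6a34ba0 items=0 ppid=1310 pid=23304 auid=4294967295 uid=32 gid=32 euid=32 suid=32 fsuid=32 egid=32 sgid=32 fsgid=32 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:rpcbind_t:s0 key=(null)
"""

# Record layout assumed from the lines above: "type=AVC msg=audit(SERIAL): avc:
# denied { perms } for key=value ..." and "type=SYSCALL msg=audit(SERIAL): key=value ...".
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\((?P<serial>[\d.]+:\d+)\): (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# execve is syscall 59 only on arch=c000003e (AUDIT_ARCH_X86_64); other
# architectures number syscalls differently, so both fields are checked.
X86_64_ARCH = "c000003e"
X86_64_EXECVE = 59


def parse_kv(text):
    """Split the key=value tail of an audit record, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """Extract the SELinux type: system_u:system_r:rpcbind_t:s0 -> rpcbind_t."""
    return context.split(":")[2]


def parse_avc_records(text):
    """Return one dict per denied AVC record with the fields a policy rule needs."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        f = parse_kv(m.group("fields"))
        records.append({
            "serial": m.group("serial"),
            "perms": set(m.group("perms").split()),
            "stype": type_of(f["scontext"]),
            "ttype": type_of(f["tcontext"]),
            "tclass": f["tclass"],
            "comm": f.get("comm"),
            "target": f.get("path") or f.get("name"),
        })
    return records


def allow_rules(records):
    """Merge denials into one allow rule per (source type, target type, class),
    the way audit2allow does; permissions are sorted for deterministic output."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def parse_syscalls(text):
    """Map audit serial -> parsed SYSCALL fields (arch, syscall, success, exe, ...)."""
    out = {}
    for line in text.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            out[m.group("serial")] = parse_kv(m.group("fields"))
    return out


def executed_target(records, syscalls, serial):
    """True when the denials under `serial` include an execute permission on a file
    and the SYSCALL record of the same event is a successful x86_64 execve: the
    subject really ran the target (permissive mode let it through) instead of just
    inheriting a stray descriptor, which is what the 'leaks' plugin assumed here."""
    sc = syscalls.get(serial)
    if not sc or sc.get("arch") != X86_64_ARCH or int(sc.get("syscall", -1)) != X86_64_EXECVE:
        return False
    if sc.get("success") != "yes":
        return False
    return any(r["serial"] == serial and r["tclass"] == "file"
               and r["perms"] & {"execute", "execute_no_trans"} for r in records)


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    for rule in allow_rules(recs):
        print(rule)
    sc = parse_syscalls(SAMPLE_AUDIT)
    for serial in sorted({r["serial"] for r in recs}):
        comm = next(r["comm"] for r in recs if r["serial"] == serial)
        verdict = "executed" if executed_target(recs, sc, serial) else "only accessed"
        print(f"{serial}: {comm} {verdict} {sc[serial].get('exe')}")
```

Run against the bug's records, the script prints the two rpcbind_t rules and reports that rpcbind executed /bin/bash, which is why a targeted interface such as the corecmd_exec_shell() call used in the fix, rather than a plain leaked-descriptor dismissal, is the right policy response.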

Comment 1 Daniel Walsh 2010-08-30 13:09:48 UTC
This is the second time I have seen this AVC. Looking at the code, I do not know what rpcbind is trying to execute. I guess allowing it to execute bash is ok.

Miroslav, can you add this to F13?

corecmd_exec_shell(rpcbind_t)
Fixed in selinux-policy-3.9.0-2.fc14

Comment 2 Daniel Walsh 2010-08-30 13:10:49 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=590426

Comment 3 Fedora Update System 2010-08-30 15:59:33 UTC
selinux-policy-3.9.0-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14

Comment 4 Fedora Update System 2010-08-30 19:38:13 UTC
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.0-2.fc14

Comment 5 Jay Rothschild 2010-08-31 19:13:50 UTC
I did a yum update yesterday; today I rebooted my F14 VM and everything appeared "normal".

An SELinux message flashes in the upper right corner for a moment; I ignore it. Shortly thereafter I go to Applications > System Tools > SELinux Troubleshooter; the icon spins for the normal amount of time, then nothing.

System > Administration > Services: the icon spins for the normal amount of time, then nothing.

OK, I start a terminal session and su - in it:

[root@bonk log]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

[root@bonk log]# service setroubleshoot status
setroubleshoot: unrecognized service
[root@bonk log]# service auditd status
auditd (pid 1230) is running...

ntsysv shows no setroubleshoot

[root@bonk log]# yum info setroubleshoot
Loaded plugins: auto-update-debuginfo, langpacks, presto, refresh-packagekit
Adding en_US to language list
Found 12 installed debuginfo package(s)
Enabling updates-testing-debuginfo: Fedora 14 - x86_64 - Test Updates Debug
Enabling fedora-debuginfo: Fedora 14 - x86_64 - Debug
Installed Packages
Name : setroubleshoot
Arch : x86_64
Version : 2.2.95
Release : 1.fc14
Size : 295 k
Repo : installed
From repo : updates-testing
Summary : Helps troubleshoot SELinux problems
URL : https://fedorahosted.org/setroubleshoot
License : GPLv2+
Description : setroubleshoot gui. Application that allows you to view
: setroubleshoot-server messages.
: Provides tools to help diagnose SELinux problems. When AVC
: messages are generated an alert can be generated that will give
: information about the problem and help track its resolution.
: Alerts can be configured to user preference. The same tools can be
: run on existing log files.

[root@bonk log]# cat messages | grep setroubleshoot

Aug 31 13:17:41 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127
Aug 31 13:21:40 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127
Aug 31 13:30:28 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127
Aug 31 13:30:51 bonk setroubleshoot: [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.Spawn.ChildExited: Process /usr/bin/sealert exited with status 127

Any ideas what I should do here?

THANKS in advance for all your efforts; wow, much appreciated! Why Microsoft lasts even one minute with a community like this amazes me.

Comment 6 Daniel Walsh 2010-09-01 13:03:02 UTC
Could you execute

ausearch -m avc -ts today

Comment 7 Daniel Walsh 2010-09-01 13:03:30 UTC
Also, can you ask for help on fedora-list or open a different bug?

Comment 8 Jay Rothschild 2010-09-01 20:59:11 UTC
I decided to scratch this install and re-install. Things seem to be fine now.

In my opinion SELinux needs to be set to permissive for at least your first yum update. Subsequent SELinux policy is fixed, I think, but the one that comes on the non-updated alpha stops some things from being written properly during yum update, and that causes a downstream mess...

THANKS!

Comment 9 Daniel Walsh 2010-09-02 15:41:05 UTC
What you really are saying is the Alpha was screwed up with a bug that should have been caught. But it is an alpha. Hopefully we will do better in the Beta.

Comment 10 Jay Rothschild 2010-09-02 17:34:41 UTC
No, not at all, you guys are doing a fantastic job. I presumed this is exactly why we are doing this: to catch this stuff for the Beta. More my fault in not attaching the significance to the original event, which was blossoming into a larger, difficult-to-reverse issue. As I became more familiar with the product I realized how fast I could put it back in order and didn't want you wasting your time, as the SELinux policy is fixed now and I'm sure the Beta won't have that issue. Hopefully I was of some limited aid in that process, which is why I do it.

In the whole of my experience I've seen much slower progress with various products over the years, sometimes at as much as $500/hour. Microsoft can take as long as a year to turn over an issue like this. I would congratulate yourselves as the best and doing a fine job. THANKS!

Comment 11 Fedora Update System 2010-09-08 04:30:24 UTC
selinux-policy-3.9.0-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.

