Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 660653 - SELinux AVCs during RPM installation
Summary: SELinux AVCs during RPM installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor
Version: 1.3
Hardware: All
OS: Linux
high
high
Target Milestone: 1.3.2
: ---
Assignee: Matthew Farrellee
QA Contact: Jan Sarenik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-12-07 13:58 UTC by Jan Sarenik
Modified: 2011-02-15 12:12 UTC (History)
1 user (show)

Fixed In Version: condor-7.4.5-0.3
Doc Type: Bug Fix
Doc Text:
On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequent to this, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted no to use pipelines, and such messages no longer appear.
Clone Of:
Environment:
RHEL5 (up-to-date with RHN)
Last Closed: 2011-02-15 12:12:44 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 490108 0 low CLOSED SELinux error on upgrade 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 664684 0 low CLOSED init_write_script_pipes(load_policy_t) 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2011:0217 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging and Grid bug fix and enhancement update 2011-02-15 12:10:15 UTC

Internal Links: 490108 664684

Description Jan Sarenik 2010-12-07 13:58:01 UTC
During installation of Condor RPMs on RHEL5, there is
a in the postinstall scriptlet which reads:

semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd 2>&1| grep -v "already defined"

This causes AVCs like following:
------------------------------------------------------------
type=SYSCALL msg=audit(1291719121.964:58): arch=c000003e syscall=59 success=yes exit=0 a0=89102a0 a1=b647f40 a2=0 a3=2b27ac67d220 items=0 ppid=25947 pid=25965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="setfiles" exe="/sbin/setfiles" subj=user_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
type=AVC msg=audit(1291719121.964:58): avc:  denied  { write } for  pid=25965 comm="setfiles" path="pipe:[149822]" dev=pipefs ino=149822 scontext=user_u:system_r:setfiles_t:s0 tcontext=user_u:system_r:rpm_script_t:s0 tclass=fifo_file
------------------------------------------------------------

Version-Release number of selected component (if applicable):
condor-7.4.4-0.16.el5 (MRG 1.3.0)
condor-7.4.4-0.17.el5 (MRG 1.3.0.1)

How reproducible: 100%

Steps to Reproduce:
1. Install condor RPM package (along with its dependencies: classads, gsoap)
  
Actual results: AVCs get emitted.

Expected results: No AVCs.

Additional info: Put above AVC lines into a file and run "sealert -a file".

Comment 1 Jan Sarenik 2010-12-07 13:58:42 UTC
Just to make it clear: there is no such postinstall line in RHEL4
version of Condor's RPM.

Comment 2 Jan Sarenik 2010-12-08 15:31:14 UTC
This bug prevents me from successful test run in case I install
condor during the test. E.g. see
https://beaker.engineering.redhat.com/jobs/37019

Comment 3 Matthew Farrellee 2010-12-08 18:36:08 UTC
Bug 490108 should have been CLOSED as WONTFIX instead of NOTABUG, which is the case now. This was evaluated, with consultation from SELinux experts, and was not viewed to be an issue worth fixing at the time.

If this becomes an issue that impacts execution of the rpm installation/upgrade or the condor_startd after installation, we can re-evaluate.

Comment 4 Jan Sarenik 2010-12-09 09:58:02 UTC
But I am sure the "|grep" pipe is not vital there.
Simple removal of it would make my Beaker tests pass.
Please consider removing the pipe from postinstall script.

Excuse me for putting this back to ASSIGNED, but I would
like to get at least a reply. Thanks.

Comment 5 Matthew Farrellee 2010-12-09 18:23:16 UTC
Bug 472084 is the source of this.

EL5's current semanage (policycoreutils-1.33.12-14.8.el5) does not complain about duplicate fcontext -a's.

# semanage fcontext -l | grep startd
/usr/sbin/condor_startd                            all files          system_u:object_r:unconfined_execmem_exec_t:s0 
# semanage fcontext -a -t unconfined_execmem_exec_t /usr/sbin/condor_startd

If the change to semanage is intentional then the |grep may be removed altogether.

Comment 6 Matthew Farrellee 2010-12-10 19:52:13 UTC
I'm going to remove the |grep from the semanage line, should be available post 7.4.5-0.2, watch the Fixed In Version field.

Comment 7 Matthew Farrellee 2010-12-10 20:08:12 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. 
C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are bellow. The errors were non-fatal.
F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
R: No more SELinux messages as part of a second install/upgrade.

Comment 8 Jan Sarenik 2010-12-13 09:42:19 UTC
Verified on condor-7.4.5-0.3.el5 on current RHN updated RHEL5.5 x86_64.
Thank you for the fix!

Comment 9 Jan Sarenik 2010-12-17 16:12:58 UTC
There is still an other problem, even after removing the "|grep"
pipe. I will get back with more info when it gets clearer.

Comment 10 Matthew Farrellee 2010-12-17 16:20:21 UTC
If it is a different issue, please file another BZ.

Comment 11 Jan Sarenik 2010-12-21 13:23:13 UTC
The new one is bug 664684.

This one is verified for condor-7.4.5-0.3.el5 according to the spec file.
Also verified practically both on RHEL5 x86_64 and i386.

Comment 12 Jaromir Hradilek 2011-02-09 14:44:45 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-C: On EL5, the condor package's %post install script filtered out an innocuous message when redefining an already defined fcontext with semanage. 
+On Red Hat Enterprise Linux 5, the %post scriptlet in the RPM spec file used a pipeline to filter out certain unimportant messages. Consequent to this, various denial messages could be reported by SELinux during the installation of this package. With this update, the %post scriptlet has been adapted no to use pipelines, and such messages no longer appear.-C: The SELinux policy for EL5 would report errors from the pipe usage. Errors are bellow. The errors were non-fatal.
-F: semanage no longer produces the innocuous messages and the pipe use in %post has been removed.
-R: No more SELinux messages as part of a second install/upgrade.

Comment 13 errata-xmlrpc 2011-02-15 12:12:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0217.html


Note You need to log in before you can comment on or make changes to this bug.