684500 – SELinux is preventing /usr/bin/runcon "transition" access on /bin/bash.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 684500 - SELinux is preventing /usr/bin/runcon "transition" access on /bin/bash.

Summary: SELinux is preventing /usr/bin/runcon "transition" access on /bin/bash.

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:	setroubleshoot_trace_hash:21bc3e5a0f1...
Depends On:	605870
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-13 03:26 UTC by Red Hat Case Diagnostics
Modified:	2018-11-14 15:51 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-03-14 08:26:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Red Hat Case Diagnostics 2011-03-13 03:26:25 UTC

+++ This bug was initially created as a clone of Bug 605870 +++


Summary:

SELinux is preventing /usr/bin/runcon "transition" access on /bin/bash.

Detailed Description:

SELinux denied access requested by runcon. It is not expected that this access
is required by runcon and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:httpd_t:s0-s0:c0.c1023
Target Objects                /bin/bash [ process ]
Source                        runcon
Source Path                   /usr/bin/runcon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-7.6-9.fc12
Target RPM Packages           bash-4.0.35-2.fc12
Policy RPM                    selinux-policy-3.6.32-89.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19
                              19:26:06 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 03 Mar 2010 04:45:59 PM EST
Last Seen                     Wed 03 Mar 2010 04:45:59 PM EST
Local ID                      c6dfd0e2-62c8-4acf-8c50-10d9e6ae8b8c
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1267652759.78:25075): avc:  denied  { transition } for  pid=28202 comm="runcon" path="/bin/bash" dev=dm-0 ino=15596 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1267652759.78:25075): arch=40000003 syscall=11 success=no exit=-13 a0=bf894567 a1=bf892430 a2=bf892438 a3=bf892430 items=0 ppid=26932 pid=28202 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=10 comm="runcon" exe="/usr/bin/runcon" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,runcon,unconfined_t,httpd_t,process,transition
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t httpd_t:process transition;

--- Additional comment from msivanes onThu Nov 04 22:07:21 EDT 2010 ---
Case: https://api.avalon-ci.gss.redhat.com/rs/cases/00127567 also matches this bug.

--- Additional comment from msivanes onFri Nov 05 19:17:09 EDT 2010 ---
Case: https://api.avalon-ci.gss.redhat.com/rs/cases/00127567 also matches this bug.

--- Additional comment from msivanes onFri Dec 10 20:19:34 EST 2010 ---
A new attachment to case 00378257 matches the hash in the whiteboard of this bug.
Attachment URL: https://api.avalon-ci.gss.redhat.com/rs/cases/00378257/attachments/0f33303d-714a-3523-81c4-e0ab841e9276
Hash value: setroubleshoot_trace_hash:21bc3e5a0f1b07aa1221dbc63635968e3943b58b0d90361485b4df24d6bc7c57

--- Additional comment from case-diagnostics onWed Dec 22 22:25:14 EST 2010 ---
A new attachment to case 00396717 matches the hash in the whiteboard of this bug.
Attachment URL: https://api.access.redhat.com/rs/cases/00396717/attachments/496c8694-61c9-351d-985d-969489ce8961
Hash value: setroubleshoot_trace_hash:21bc3e5a0f1b07aa1221dbc63635968e3943b58b0d90361485b4df24d6bc7c57

--- Additional comment from case-diagnostics onWed Dec 22 23:35:29 EST 2010 ---
Case: https://api.access.redhat.com/rs/cases/00396730 also matches this bug.

--- Additional comment from case-diagnostics onTue Jan 11 17:58:05 EST 2011 ---
Case: https://api.access.redhat.com/rs/cases/00401292 also matches this bug.

Comment 4 Miroslav Grepl 2011-03-14 08:26:25 UTC

Are you trying to run httpd using runcon?

# runcon -u system_u -r system_r -t httpd_t -- httpd

I am not sure why you want to use a service script for starting of apache?


If you want to run apache using runcon you need to get proper transitions

initrc_t -> httpd_exec_t -> httpd_t

# runcon -u system_u -r system_r -t initrc_t -- runcon -t httpd_t -- httpd

Note You need to log in before you can comment on or make changes to this bug.