Bug 705767 - Enable third-party ABRT event scripts in SELinux policy
Summary: Enable third-party ABRT event scripts in SELinux policy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 705768
 
Reported: 2011-05-18 12:03 UTC by Michal Nowak
Modified: 2013-03-08 02:12 UTC (History)
7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 705768
Environment:
Last Closed: 2011-11-21 18:02:26 UTC
Type: ---



Description Michal Nowak 2011-05-18 12:03:21 UTC
Description of problem:

Script `/etc/abrt/events.d/wall' containing

  echo abrt: Crash in $(cat package) detected: $(cat reason) | wall

is blocked with:

May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126289.903:39678):
avc:  denied  { read } for  pid=19850 comm="wall" name="utmp" dev=sdb1
ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126290.026:39679):
avc:  denied  { read } for  pid=19850 comm="wall" name="utmp" dev=sdb1
ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

Please enable such third-party scripts.
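
An added example, not code from this report or from abrt/selinux-policy, for triaging denials like the two above: it reduces AVC lines to the tuple the policy actually keys on (source type, target type, class, permissions), collapses the repeats, filters for a source domain, and reports the state of the abrt_handle_event boolean that comment 12 names as the fix, where the host has SELinux tooling. SAMPLE_AVC holds the two denials from the report re-joined onto one line each plus one constructed httpd_t denial so the filter has something to reject; getsebool, ausearch, audit2why and setsebool are the real libselinux/audit tools, everything else is this example's own.

```shell
#!/bin/sh
# Added example; not from the bug report, abrt or selinux-policy.
# Sample input: the report's two denials (one line each) plus a constructed
# httpd_t denial that the abrt_t filter must reject.
SAMPLE_AVC='May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126289.903:39678): avc:  denied  { read } for  pid=19850 comm="wall" name="utmp" dev=sdb1 ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
May 11 11:04:50 x86-64-6s-m1 kernel: type=1400 audit(1305126290.026:39679): avc:  denied  { read } for  pid=19850 comm="wall" name="utmp" dev=sdb1 ino=1810548 scontext=unconfined_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
May 11 11:05:02 x86-64-6s-m1 kernel: type=1400 audit(1305126302.111:39680): avc:  denied  { write } for  pid=2211 comm="httpd" name="index.html" dev=sdb1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_tuples: stdin = kernel/audit lines; stdout = one
# "src_type tgt_type class perms comm" line per distinct denial.
# Only the type field of each context matters for an allow rule, so the
# user, role and MLS range are dropped.
avc_tuples() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = ""
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)          # "{ read write }" -> "read,write"
        }
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
            else if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        }
        print src, tgt, cls, perms, comm
    }' | sort -u
}

# denials_from: keep the tuples whose source domain is $1 (e.g. abrt_t).
denials_from() {
    awk -v want="$1" '$1 == want'
}

# abrt_event_boolean: state of the boolean comment 12 names as the fix.
# Meaningful only on a host with SELinux tooling; says so otherwise.
abrt_event_boolean() {
    if ! command -v getsebool >/dev/null 2>&1; then
        echo "abrt_handle_event: getsebool not available here"
        return 0
    fi
    getsebool abrt_handle_event 2>/dev/null ||
        echo "abrt_handle_event: not present in the loaded policy"
}

printf '%s\n' "$SAMPLE_AVC" | avc_tuples | denials_from abrt_t
abrt_event_boolean
```

On a live system feed it the output of `ausearch -m AVC -ts recent` or `dmesg`; `audit2why` on the same lines reports whether a boolean would resolve a denial, and `setsebool -P abrt_handle_event on` makes that change persistent. Note the two report lines collapse to one tuple: the event command was retried, not denied for two different reasons.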

Comment 1 Michal Nowak 2011-05-18 12:07:14 UTC
This is relevant for Rawhide & F15 since they contain abrt v2.

Comment 2 Daniel Walsh 2011-05-23 15:55:59 UTC
Miroslav, we need a mechanism where these are running in an unconfined domain, abrt_unconfined_t, but also allow admins to write policy for confined abrt scripts.

If abrt ships any scripts within its packages, we should have policy to confine these.

Comment 3 Miroslav Grepl 2011-05-23 19:54:28 UTC
Well, this is more complicated than I thought.

Nikola, Karel?

Comment 4 Michal Nowak 2011-05-24 09:40:41 UTC
Adding also Jiri and Denys.

(In reply to comment #2)
> If abrt ships any scripts within its packages, we should have policy to confine
> these.

Correct. ABRT places several scripts into events.d/ and the idea is that other packages will do the same in the future, though I'm not sure this is relevant for you guys.

Comment 5 Miroslav Grepl 2011-05-24 12:05:31 UTC
If I understand correctly, ABRT places *.conf files there which are read by ABRT (not executed). And after that these commands are executed.

Comment 6 Nikola Pajkovsky 2011-05-24 12:46:01 UTC
(In reply to comment #0)
> Description of problem:
> 
> Script `/etc/abrt/events.d/wall' containing
> 
>   echo abrt: Crash in $(cat package) detected: $(cat reason) | wall
> 

Wrongly written script.

Must be:
EVENT=post-create echo abrt: Crash in $(cat package) detected: $(cat reason) | wall

@Miroslav: yes, don't execute them directly, we include them into abrt_event.conf, parse them and after that abrt executes appropriate command

Comment 7 Miroslav Grepl 2011-05-24 13:25:31 UTC
> @Miroslav: yes, don't execute them directly, we include them into
> abrt_event.conf, parse them and after that abrt executes appropriate command

Which makes me unhappy.

Comment 8 Jiri Moskovcak 2011-05-24 14:07:56 UTC
(In reply to comment #7)
> > @Miroslav: yes, don't execute them directly, we include them into
> > abrt_event.conf, parse them and after that abrt executes appropriate command
> 
> Which makes me unhappy.

I think we've discussed this some time ago and the solution was to turn those inline scripts into separate files, and that's still up to us. Can you please create a ticket (bz or trac) against ABRT and explain a bit why that is SELinux friendly... (I remember just the part that a separate file can have its own SELinux policy.)

Comment 9 Denys Vlasenko 2011-05-24 14:20:25 UTC
(In reply to comment #6)
> (In reply to comment #0)
> > Description of problem:
> > 
> > Script `/etc/abrt/events.d/wall' containing
> > 
> >   echo abrt: Crash in $(cat package) detected: $(cat reason) | wall
> > 
> 
> Wrongly written script.
> 
> Must be:
> EVENT=post-create echo abrt: Crash in $(cat package) detected: $(cat reason) |
> wall

$(cmd) should be quoted, or else it's open to a number of very nasty attacks.
Probably best is to quote entire message:

EVENT=post-create
       echo "abrt: Crash in $(cat package) detected: $(cat reason)" | wall
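
The point in comment 9, as an added example that is not from the bug or from abrt: the unquoted command from comment 6 and Denys's quoted form, run side by side against a constructed problem directory whose `reason' file carries shell metacharacters. It assumes, as the original script's bare `cat package' does, that ABRT runs the event command with the problem directory as its working directory; the package name and reason text are invented. The third variant goes one step past the thread and uses printf, since some shells' builtin echo also interprets backslash sequences in its arguments.

```shell
#!/bin/sh
# Added example; not from the bug report or from abrt. Shows what an unquoted
# $(cat reason) does to the wall message versus the quoted form.

# make_problem_dir: a constructed problem directory with the two files the
# event command reads. The `*' in the reason is the interesting part.
make_problem_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'firefox-4.0-1.fc15' > "$d/package"
    printf '%s\n' 'Process /usr/bin/firefox was killed by signal 11 (SIGSEGV)  *' > "$d/reason"
    printf '%s\n' "$d"
}

# The command as written in comment 6. $(cat ...) is unquoted, so the result
# is word-split (runs of whitespace collapse) and glob-expanded against the
# cwd, i.e. the problem directory: `*' becomes the names of the dump files.
unsafe_message() (
    cd "$1" || exit 1
    echo abrt: Crash in $(cat package) detected: $(cat reason)
)

# Denys's form: one double-quoted argument, so no splitting and no globbing.
safe_message() (
    cd "$1" || exit 1
    echo "abrt: Crash in $(cat package) detected: $(cat reason)"
)

# Beyond the thread: printf with %s treats the file contents purely as data,
# where some shells' builtin echo would still interpret \n and friends.
safest_message() (
    cd "$1" || exit 1
    printf 'abrt: Crash in %s detected: %s\n' "$(cat package)" "$(cat reason)"
)

dir=$(make_problem_dir)
echo "unquoted: $(unsafe_message "$dir")"
echo "quoted:   $(safe_message "$dir")"
echo "printf:   $(safest_message "$dir")"
rm -rf "$dir"
```

In the event file this stays in the two-line form from comment 9, an EVENT=post-create line followed by the indented command, with the message piped to wall; wall only ever sees the text on its stdin, so once the substitution is quoted the reason text can no longer reach the shell as syntax.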

Comment 10 Miroslav Grepl 2011-05-24 15:53:17 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > > @Miroslav: yes, don't execute them directly, we include them into
> > > abrt_event.conf, parse them and after that abrt executes appropriate command
> > 
> > Which makes me unhappy.
> 
> I think we've discussed this some time ago and the solution was to turn those
> inline scripts into a separate files and that's still up to us. Can you please
> create a ticket (bz or trac) against ABRT and explain a bit why is that selinux
> friendly... (I remember just the part, that a separate file can have it's own
> selinux policy..)

The ideal situation is the following

ABRT executes event script which executes all commands

abrt_t @abrt_event_unconfined_script_exec_t -> abrt_unconfined_script_t @ whatever -> abrt_unconfined_script_t

But we have

ABRT reads event conf files and then executes all commands

abrt_t (read) abrt_conf_t -> abrt_t @whatever -> abrt_t
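
The "ideal situation" above, written out as an added example, not code from the bug, from abrt or from selinux-policy: a small loadable module in which abrt_t executes a labeled event script and transitions into a separate domain, so that whatever the script runs is judged against that domain rather than abrt_t. The type names are the ones from comment 10; the module name, the rule labeling `*.sh` under /etc/abrt/events.d, and the build step are this example's assumptions, and the interface calls (application_domain, domtrans_pattern, unconfined_domain) are refpolicy macros as shipped in Fedora's policy.

```shell
#!/bin/sh
# Added example; not from the bug report, abrt or selinux-policy. Writes the
# module sources for the transition sketched in comment 10 and builds them
# when the policy devel Makefile is present.

# write_abrt_event_policy: emit abrt_event.te and abrt_event.fc into $1.
write_abrt_event_policy() {
    dir=$1
    cat > "$dir/abrt_event.te" <<'EOF'
policy_module(abrt_event, 1.0)

gen_require(`
    type abrt_t;
    role system_r;
')

# The script files and the domain they run in (names from comment 10).
type abrt_event_unconfined_script_exec_t;
type abrt_unconfined_script_t;
application_domain(abrt_unconfined_script_t, abrt_event_unconfined_script_exec_t)
role system_r types abrt_unconfined_script_t;

# abrt_t @abrt_event_unconfined_script_exec_t -> abrt_unconfined_script_t.
# Whatever the script executes stays in abrt_unconfined_script_t, so a denial
# such as wall reading utmp is judged against the script domain, not abrt_t.
domtrans_pattern(abrt_t, abrt_event_unconfined_script_exec_t, abrt_unconfined_script_t)

# Unconfined, as comment 2 asks for; a package shipping its own event scripts
# would replace this with a confined ruleset for its script domain.
optional_policy(`
    unconfined_domain(abrt_unconfined_script_t)
')
EOF
    # Assumed labeling rule: only regular *.sh files under events.d are
    # entry points; the *.conf files abrt parses keep their own label.
    cat > "$dir/abrt_event.fc" <<'EOF'
/etc/abrt/events\.d/.*\.sh  --  gen_context(system_u:object_r:abrt_event_unconfined_script_exec_t,s0)
EOF
}

# build_abrt_event_policy: compile to abrt_event.pp with the selinux-policy
# devel Makefile if it is installed; otherwise leave the sources in place.
build_abrt_event_policy() {
    dir=$1
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        (cd "$dir" && make -f /usr/share/selinux/devel/Makefile abrt_event.pp)
    else
        echo "selinux-policy-devel not installed; sources left in $dir" >&2
        return 0
    fi
}

work=$(mktemp -d)
write_abrt_event_policy "$work"
build_abrt_event_policy "$work"
ls "$work"
rm -rf "$work"
```

The resulting .pp is loaded with `semodule -i abrt_event.pp` and the label applied with `restorecon -Rv /etc/abrt/events.d`. The contrast with the "what we have" case is the whole point: while abrt parses the conf files and forks the commands itself, there is no exec of a labeled file for the transition to hang on, so every command inherits abrt_t and every denial lands on abrt's own domain.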

Comment 11 Daniel Walsh 2011-11-21 16:58:15 UTC
Miroslav what is the latest on this bug?

Comment 12 Miroslav Grepl 2011-11-21 18:02:26 UTC
Definitely fixed using the "abrt_handle_event" boolean.

