Bug 725689 - avc denial on flock & newaliases/postalias interaction
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Status: Reopened
Depends On:
Reported: 2011-07-26 06:09 EDT by Ferry Huberts
Modified: 2012-07-11 14:33 EDT (History)
CC: 3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-07-11 14:33:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
tester script (389 bytes, text/plain)
2011-07-26 06:09 EDT, Ferry Huberts
logs.txt (2.87 KB, text/plain)
2011-07-26 06:10 EDT, Ferry Huberts
newaliases trace log file (54.18 KB, text/plain)
2011-08-02 15:14 EDT, Ferry Huberts

Description Ferry Huberts 2011-07-26 06:09:34 EDT
Created attachment 515231
tester script

Description of problem:
I'm getting an avc denial when I run newaliases (on a postfix mail server)
from within a lock (done by flock) in a script

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run the attached tester script
Actual results:
see attached logs.txt

Expected results:
no avc denial

Additional info:
I don't know why in god's name postalias would want to touch the lockfile. That's quite illogical.
Comment 1 Ferry Huberts 2011-07-26 06:10:07 EDT
Created attachment 515232
Comment 2 Daniel Walsh 2011-07-26 09:57:55 EDT
You either redirected stdout to /tmp/tester.runlock or you leaked an open file descriptor from the program that opened /tmp/tester.runlock.

You need to close all open file descriptors on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)
Comment 3 Ferry Huberts 2011-07-26 10:26:12 EDT
Dan, how would I do that? (please look at the script)
Comment 4 Daniel Walsh 2011-07-26 10:53:26 EDT
If you change

) 200>"${lockFile}"

to

) 200 | cat >"${lockFile}"

I think you will eliminate the AVC.
Comment 5 Ferry Huberts 2011-07-26 13:23:58 EDT
(In reply to comment #4)
> If you change
> ) 200>"${lockFile}"
> to
> ) 200 | cat >"${lockFile}"

Unfortunately this is unsupported by bash. Pipes can only deal with stdout and stderr.

So I have to use >

I could do ') 200>&1 | ..' but then the output within the block does not show on the screen (obviously).
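Dan's diagnosis in comment 2 (a leaked descriptor that postalias/newaliases inherits across exec, which is what the confined postfix domain then gets denied on) and the bash redirection dead end in comment 5 can be checked directly. The program below is an added example written for this page, not code from the bug report or from postfix: it takes an exclusive flock() on a constructed lock file under /tmp, execs /bin/sh as a stand-in for the program run inside the lock, and reports whether that child can still see the lock descriptor, first without and then with the fcntl(fd, F_SETFD, FD_CLOEXEC) fix. It assumes Linux/POSIX (flock(2), fork/exec, a writable /tmp, /bin/sh); the path and function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create and exclusively flock() a private lock file under /tmp, the
 * stand-in for the reporter's /tmp/tester.runlock (constructed path).
 * Returns the open descriptor, or -1 on failure. */
static int open_locked_lockfile(char *path, size_t pathlen)
{
    snprintf(path, pathlen, "/tmp/tester.runlock.%ld", (long)getpid());
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec /bin/sh as the "program run inside the lock". The child
 * only tries to write to the inherited descriptor number: exit status 0
 * means the lock fd survived exec (leaked), non-zero means it was closed. */
static int child_can_use_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Returns 1 if the exec'd child inherits the lock descriptor, 0 if not,
 * -1 on setup error. with_cloexec applies the fcntl() fix from comment 2. */
int lock_fd_leaks_to_child(int with_cloexec)
{
    char path[64];
    int fd = open_locked_lockfile(path, sizeof path);
    if (fd < 0)
        return -1;
    if (with_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    int leaked = child_can_use_fd(fd);

    /* Whether or not the child saw the fd, the parent still holds the lock:
     * a second open file description on the same file cannot take it. */
    int probe = open(path, O_RDWR);
    int still_locked = probe >= 0 &&
                       flock(probe, LOCK_EX | LOCK_NB) != 0 &&
                       errno == EWOULDBLOCK;
    if (probe >= 0)
        close(probe);
    close(fd);
    unlink(path);
    return still_locked ? leaked : -1;
}

int main(void)
{
    printf("lock fd visible to child without FD_CLOEXEC: %d\n",
           lock_fd_leaks_to_child(0));
    printf("lock fd visible to child with FD_CLOEXEC:    %d\n",
           lock_fd_leaks_to_child(1));
    return 0;
}
```

The second probe shows why closing the descriptor in the child is safe: flock locks belong to the open file description, so the parent's lock stays held while the child has no handle on the file at all. In a bash script the same effect does not need a pipe; closing the descriptor for just the command run inside the lock (for example `newaliases 200>&-`) gives the child no fd 200 to carry into the postfix domain, while the enclosing `( ... ) 200>"${lockFile}"` subshell keeps it open and keeps the lock.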
Comment 6 Daniel Walsh 2011-08-02 14:17:53 EDT
#!/bin/bash

set -e
set -u

declare -i lockWaitSeconds=10
declare lockFile="/var/spool/postfix/tester.runlock"

(
  # Wait for lockfile (fd 200) for lockWaitSeconds seconds
  set +e
  flock -e -w "${lockWaitSeconds}" 200
  declare -i lockResult=$?
  set -e

  if [[ ${lockResult} -ne 0 ]]; then
    echo "Could not acquire lock"
    exit 1
  fi

  # run program in lock
) 200>>"${lockFile}"
Comment 7 Daniel Walsh 2011-08-02 14:18:46 EDT
The above script should work.  I moved your runlock file to /var/spool/postfix, and precreated it.

Then I just use append rather than write for the script.
Comment 8 Ferry Huberts 2011-08-02 15:14:11 EDT
Created attachment 516385 [details]
newaliases trace log file

I tested your modifications and the only thing that really has an effect is moving the lockfile into /var/spool/postfix

This is logical from the SELinux point of view but I still don't understand why the h*&l newaliases touches file descriptor 200 (which it doesn't own).

I did an strace of newaliases inside the lock but can't really see that it touches the lockfile. I _do_ see strange behaviour on line 229 of the attached strace log file.

I find moving the file into /var/spool/postfix rather ugly and a workaround only. It seems there is a bug somewhere inside newaliases.
Comment 9 Ferry Huberts 2011-08-23 03:20:39 EDT
This has _not_ been resolved.
Comment 10 Miroslav Grepl 2011-08-23 05:13:06 EDT
If I understand correctly, the remaining issue is with newaliases.
Comment 11 Ferry Huberts 2011-08-23 05:23:54 EDT
Well, maybe...

I don't have enough knowledge of SELinux internals to know whether it is SELinux or newaliases or flock or whatever else, so I can't determine who is touching those file descriptors.
Comment 12 Miroslav Grepl 2011-12-21 05:16:02 EST
Are you getting AVC msgs?
Comment 14 RHEL Product and Program Management 2012-04-02 07:20:53 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
