Bug 736225 - Errors from freshclam cron when unconfined is off.
Summary: Errors from freshclam cron when unconfined is off.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-07 05:37 UTC by Robin Powell
Modified: 2011-10-07 21:49 UTC (History)

Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-06 00:03:22 UTC
Type: ---
Embargoed:

Description Robin Powell 2011-09-07 05:37:15 UTC
That's the updater for the clamav virus scanner, from the clamav-update package.

Similarly to https://bugzilla.redhat.com/show_bug.cgi?id=728405, I get the output:

/etc/init.d/functions: line 58: /dev/stderr: Permission denied

When I run it in permissive, I get AVCs like this (this is from more than one run):

type=AVC msg=audit(1315372489.776:700815): avc:  denied  { open } for  pid=3530 comm="clamd.exim" dev=pipefs ino=1946620 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315372622.277:700921): avc:  denied  { fowner } for  pid=3597 comm="crond" capability=3  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1315372670.052:700932): avc:  denied  { open } for  pid=3619 comm="clamd.exim" dev=pipefs ino=1947159 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315372861.924:701069): avc:  denied  { fowner } for  pid=3707 comm="crond" capability=3  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1315372910.276:701080): avc:  denied  { open } for  pid=3730 comm="clamd.exim" dev=pipefs ino=1947932 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315373042.514:701179): avc:  denied  { fowner } for  pid=3789 comm="crond" capability=3  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1315373089.487:701190): avc:  denied  { open } for  pid=3815 comm="clamd.exim" dev=pipefs ino=1948537 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

-Robin

Comment 1 Miroslav Grepl 2011-09-07 06:45:55 UTC
Could you try to test it with the latest F15 policy available from koji?

http://koji.fedoraproject.org/koji/buildinfo?buildID=262145

Comment 2 Robin Powell 2011-09-07 19:55:57 UTC
Given this:

Installed Packages
libselinux.x86_64                                         2.0.99-4.fc15                                          @Fedora 15 - x86_64
libselinux-python.x86_64                                  2.0.99-4.fc15                                          @fedora
libselinux-ruby.x86_64                                    2.0.99-4.fc15                                          @fedora
libselinux-utils.x86_64                                   2.0.99-4.fc15                                          @Fedora 15 - x86_64
selinux-policy.noarch                                     3.9.16-39.fc15                                         installed
selinux-policy-targeted.noarch                            3.9.16-39.fc15                                         installed

Same issue.

-Robin

Comment 3 Fedora Update System 2011-09-08 08:12:54 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 4 Miroslav Grepl 2011-09-08 11:51:47 UTC
You mean you are getting all these same AVC msgs?

Comment 5 Robin Powell 2011-09-08 16:35:28 UTC
Yes.  I'm getting a bunch of these:

type=AVC msg=audit(1315488782.661:745159): avc:  denied  { fowner } for  pid=31656 comm="crond" capability=3  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability

on this server only; I have no idea what that's about since all my servers are basically identical.  In addition, I'm still getting:

type=AVC msg=audit(1315488830.388:745170): avc:  denied  { open } for  pid=31674 comm="clamd.exim" dev=pipefs ino=2157502 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315488830.388:745171): avc:  denied  { open } for  pid=31674 comm="clamd.exim" dev=pipefs ino=2157502 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

and the /dev/stderr error.

-Robin

Comment 6 Fedora Update System 2011-09-09 05:29:01 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 7 Miroslav Grepl 2011-09-09 05:50:24 UTC
(In reply to comment #5)
> Yes.  I'm getting a bunch of these:
> 
> 
> type=AVC msg=audit(1315488782.661:745159): avc:  denied  { fowner } for 
> pid=31656 comm="crond" capability=3 
> scontext=system_u:system_r:crond_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
> 
> on this server only; I have no idea what that's about since all my servers are
> basically identical.  In addition, I'm still getting:

I am fixing this one.

> type=AVC msg=audit(1315488830.388:745170): avc:  denied  { open } for 
> pid=31674 comm="clamd.exim" dev=pipefs ino=2157502
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> type=AVC msg=audit(1315488830.388:745171): avc:  denied  { open } for 
> pid=31674 comm="clamd.exim" dev=pipefs ino=2157502
> scontext=system_u:system_r:initrc_t:s0
> tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
> 
Strange, we have in the policy

cron_read_pipes(initrc_t)

Could you make sure

# yum reinstall selinux-policy-targeted --enablerepo=updates-testing

does not blow up.

> 
> and the /dev/stderr error.
> 
> -Robin

Comment 8 Robin Powell 2011-09-10 04:39:35 UTC
Yeah, the same problem with auditd is still occurring, too.

That command gets me selinux-policy-targeted-3.9.16-38.fc15.noarch, which I'm not sure was what you intended?

... *Huh*.

Bizarrely, that *did* fix it.  I wonder what was broken.  Thanks!

-Robin

Comment 9 Robin Powell 2011-09-11 20:52:25 UTC
It came back this morning.  I investigated more.

I have puppet remove the "unconfined" module on every run.  As soon as that happens, this problem comes back, apparently?

Specifically, I did

sudo yum reinstall --enablerepo=updates-testing selinux-policy-targeted selinux-policy

(this particular machine is running versions 3.9.16-39.fc15, for what it's worth).

Everything goes fine until I:

sudo semodule -r unconfined

and then it all breaks (i.e. the /dev/stderr error comes back).

Running this:

sudo semodule -d unconfined

makes the /dev/stderr error come back too.

So, not fixed yet.  Let me know if I can give any kind of more detail.

Having the same issue with rotating auditd logs per https://bugzilla.redhat.com/show_bug.cgi?id=728405

-Robin

Comment 10 Miroslav Grepl 2011-09-12 10:58:34 UTC
Could you try to test it with the latest policy available from koji?

http://koji.fedoraproject.org/koji/buildinfo?buildID=263146

Comment 11 Robin Powell 2011-09-12 22:50:24 UTC
rlpowell@morji> sudo yum list '*selinux-pol*' 
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                                                3.9.16-40.fc15                                        installed
selinux-policy-targeted.noarch                                       3.9.16-40.fc15                                        installed
Available Packages
selinux-policy-doc.noarch                                            3.9.16-38.fc15                                        updates
selinux-policy-minimum.noarch                                        3.9.16-38.fc15                                        updates
selinux-policy-mls.noarch                                            3.9.16-38.fc15                                        updates
rlpowell@morji> sudo sh -c "semanage module -l | grep -P '^unconfined\s'"  
unconfined               3.3.0     Disabled

Yep, still has the /dev/stderr error.

Comment 12 Miroslav Grepl 2011-09-13 05:14:20 UTC
What AVC are you seeing in permissive mode now?

Comment 13 Robin Powell 2011-09-13 05:42:52 UTC
Looks like just:

type=AVC msg=audit(1315892163.466:85643): avc:  denied  { open } for  pid=11230 comm="clamd.exim" dev=pipefs ino=367153 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file

Which certainly does seem like it'd be covered by cron_read_pipes(initrc_t)

I could arrange for an account if y'all want to explore this directly.  Come find me on IRC as rlpowell if you like.

-Robin

Comment 14 Miroslav Grepl 2011-09-13 06:20:41 UTC
OK, I see.

# sesearch -AC -s initrc_t -t crond_t -c fifo_file
Found 2 semantic av rules:
   allow domain crond_t : fifo_file { ioctl read write getattr lock append } ; 
   allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append open } ;

What does sesearch show you?

Comment 15 Robin Powell 2011-09-13 06:26:08 UTC
rlpowell@stodi> sudo sesearch -AC -s initrc_t -t crond_t -c fifo_file                         
Found 2 semantic av rules:
   allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append } ;
   allow domain crond_t : fifo_file { ioctl read write getattr lock append } ;

No "open" in either case for mine.

-Robin
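
The mismatch between the AVC in comment 13 and the sesearch output in comment 15 can be checked mechanically. As an added example (not from this bug report or the selinux-policy project), the Python below parses both formats and reports, per denial, the permissions that no allow rule grants; the mapping of the `domain` attribute to its member types is an assumption, as is the input being taken verbatim from the comments above.

```python
import re

# Constructed sample input: the AVC denials quoted in comments 5 and 13 and
# the sesearch output from comment 15 of this bug.
AVC_LOG = """\
type=AVC msg=audit(1315892163.466:85643): avc:  denied  { open } for  pid=11230 comm="clamd.exim" dev=pipefs ino=367153 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1315488782.661:745159): avc:  denied  { fowner } for  pid=31656 comm="crond" capability=3  scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=capability
"""
SESEARCH_OUT = """\
Found 2 semantic av rules:
   allow initrc_t crond_t : fifo_file { ioctl read write getattr lock append } ;
   allow domain crond_t : fifo_file { ioctl read write getattr lock append } ;
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scontext>\S+)"
                    r" tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\w+)")
RULE_RE = re.compile(r"allow (?P<src>\w+) (?P<tgt>\w+) : (?P<tclass>\w+) \{ (?P<perms>[^}]+) \}")
# Assumption (not from the bug): which types each attribute named in a rule expands to.
ATTRIBUTES = {"domain": {"initrc_t", "crond_t"}}

def parse_avc(text):
    """Yield (source type, target type, class, denied perms) per AVC record."""
    for m in AVC_RE.finditer(text):
        # contexts are user:role:type[:range]; the type is the third field
        stype, ttype = (c.split(":")[2] for c in (m["scontext"], m["tcontext"]))
        yield stype, ttype, m["tclass"], set(m["perms"].split())

def parse_rules(text):
    """Yield (source, target, class, granted perms) per sesearch allow rule."""
    for m in RULE_RE.finditer(text):
        yield m["src"], m["tgt"], m["tclass"], set(m["perms"].split())

def missing_perms(avc_text, rules_text, attributes=ATTRIBUTES):
    """Per denial: (stype, ttype, tclass, perms no rule grants); empty set = already covered."""
    rules = list(parse_rules(rules_text))
    report = []
    for stype, ttype, tclass, denied in parse_avc(avc_text):
        granted = set()
        for src, tgt, rclass, perms in rules:
            src_ok = src == stype or stype in attributes.get(src, ())
            tgt_ok = tgt == ttype or ttype in attributes.get(tgt, ())
            if rclass == tclass and src_ok and tgt_ok:
                granted |= perms
        report.append((stype, ttype, tclass, denied - granted))
    return report

if __name__ == "__main__":
    for stype, ttype, tclass, gap in missing_perms(AVC_LOG, SESEARCH_OUT):
        print(f"{stype} -> {ttype} ({tclass}): missing {sorted(gap) or 'nothing'}")
```

Run against the quoted output it reports exactly the `open` gap for initrc_t on crond_t fifo_files, and that no rule at all covers the crond_t `fowner` capability denial.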

Comment 16 Daniel Walsh 2011-09-13 15:09:17 UTC
We removed the open as we thought this was an inherited fifo_file.  I have no problem allowing it.

Comment 17 Miroslav Grepl 2011-09-14 12:03:52 UTC
Well, the problem is that we have this in the policy

optional_policy(`
 cron_read_pipes(initrc_t)
 cron_manage_system_spool(initrc_t)
')

and
 
interface(`cron_read_pipes',`
    gen_require(`
        type crond_t;
    ')

    allow $1 crond_t:fifo_file read_fifo_file_perms;
')

so it should work but it doesn't.

But finally I have found a bug.

Fixed in selinux-policy-3.9.16-41.fc15

Comment 18 Robin Powell 2011-09-17 00:31:22 UTC
Let me know when that's in koji, please!

-Robin

Comment 19 Robin Powell 2011-09-27 04:57:00 UTC
Still really looking forward to trying this out.

-Robin

Comment 21 Fedora Update System 2011-10-06 00:03:22 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Robin Powell 2011-10-07 21:49:21 UTC
This problem is fixed in 41, but not 39.

-Robin
