Bug 808368 - Policy doesn't allow write between passwd_t and user_tmp_t
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Blocks: 520345
Reported: 2012-03-30 05:28 EDT by Fabian Deutsch
Modified: 2012-04-02 14:45 EDT

Doc Type: Bug Fix
Last Closed: 2012-03-30 13:47:32 EDT
Attachments
audit.log from the affected system (93.23 KB, text/x-log)
2012-03-30 05:28 EDT, Fabian Deutsch
Description Fabian Deutsch 2012-03-30 05:28:52 EDT
Created attachment 573920
audit.log from the affected system

Description of problem:
AFAIU there are problems if passwd is called from a script - as in this case.

Version-Release number of selected component (if applicable):
Current in RHEL6.2

How reproducible:
$ rpm -q selinux-policy

Steps to Reproduce:
1. Get RHEV-H from http://jenkins.virt.bos.redhat.com/jenkins/job/rhev-hypervisor-6/7/artifact/rhev-hypervisor6-6.3-20120307.2.auto7.el6.iso
2. Boot and install
3. Log into TUI and press F2 to get a console, look at audit.log
Actual results:
AVC denials

Expected results:
No AVC denials

Additional info:
<mgrepl> how is created /var/log/ovirt.log?
<fabiand> mgrepl, by redirecting output
<mgrepl> fabiand: are you also redirecting output of passwd
<mgrepl> ?
<fabiand> mgrepl, yes. It's called from a python script, which grabs stdout and stderr
<fabiand> mgrepl, I think it's those lines: http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=scripts/ovirtfunctions.py;h=7b6993e0b7cee1691d2def54968ba739bb8d9e41;hb=HEAD#l1073
<mgrepl> yes you are right
<fabiand> mgrepl, I can also provide the whole audit.log if you need it, btw.
<mgrepl> we allow only append between passwd_t and user_tmp_t
<mgrepl> how is this script executed
<fabiand> it's part of a management interface (TUI)
Comment 2 Fabian Deutsch 2012-03-30 06:35:38 EDT
I queried the selinux policy on the wrong machine.

This is the policy used:
$ rpm -q selinux-policy
Comment 3 Miroslav Grepl 2012-03-30 08:06:12 EDT
The problem is that a tool is running as unconfined_t and if it executes passwd then it ends up as passwd_t.

allow unconfined_t passwd_t : process transition ;

So if you redirect the output, you write to user_tmp_t, which is created by the tool, and we allow:

$ sesearch -A -s passwd_t -t user_tmp_t -c file 
Found 2 semantic av rules:
   allow application_domain_type user_tmp_t : file { getattr append } ; 
   allow passwd_t user_tmp_type : file { ioctl read getattr lock open } ;

So we allow only append operation for this situation.
Comment 4 Fabian Deutsch 2012-03-31 07:38:20 EDT
So what would be the solution for the tool to prevent this avc message?
Comment 5 Miroslav Grepl 2012-04-02 06:37:09 EDT
Could you append to the file in /tmp?
Comment 6 Daniel Walsh 2012-04-02 14:45:55 EDT
passwd | cat > /tmp/blah

Would work around the problem.
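As an added example (not code from this bug or from ovirt-node; the function names and the log file name are hypothetical), here is the open(2)-flag rule behind the sesearch output in comment 3, plus the two ways out suggested in comments 5 and 6, written in Python since the reporter's tool is a Python script:

```python
import os
import subprocess
import sys
import tempfile


def selinux_file_perms(flags):
    """SELinux file permissions (besides 'open') checked for open(2) flags:
    write access without O_APPEND needs 'write', with O_APPEND only 'append'
    (all passwd_t gets on user_tmp_t); O_TRUNC ('>' / 'w') also needs 'write'."""
    acc = flags & os.O_ACCMODE
    perms = set()
    if acc in (os.O_RDONLY, os.O_RDWR):
        perms.add("read")
    if acc in (os.O_WRONLY, os.O_RDWR):
        perms.add("append" if flags & os.O_APPEND else "write")
    if flags & os.O_TRUNC:
        perms.add("write")
    return perms


def run_logging_child(cmd, log_path, via_pipe=False):
    """Run cmd with stdout+stderr captured into log_path.
    via_pipe=False: child inherits an O_APPEND descriptor, so a child in
      passwd_t needs only 'append' on the user_tmp_t file (allowed).
    via_pipe=True: the 'passwd | cat > /tmp/blah' shape of comment 6: the
      child writes a pipe and this (unconfined_t) process writes the file."""
    if via_pipe:
        res = subprocess.run(cmd, stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT, check=False)
        with open(log_path, "ab") as log:
            log.write(res.stdout)
        return res.returncode
    fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    try:
        return subprocess.run(cmd, stdout=fd, stderr=subprocess.STDOUT,
                              check=False).returncode
    finally:
        os.close(fd)


def demo():
    """Constructed run (a python child stands in for passwd); returns the log bytes."""
    log = os.path.join(tempfile.mkdtemp(), "ovirt.log")  # hypothetical name
    child = [sys.executable, "-c", "print('ok')"]
    run_logging_child(child, log)
    run_logging_child(child, log, via_pipe=True)
    with open(log, "rb") as f:
        return f.read()  # b"ok\nok\n"
```

The denial in the attached audit.log corresponds to the first row of selinux_file_perms: a plain `>` or Python `open(path, "w")` asks for 'write' (and truncation), which the policy does not grant passwd_t on user_tmp_t.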
