Created attachment 573920 [details]
audit.log from the affected system

Description of problem:
AFAIU there are problems if passwd is called from a script, as in this case.

Version-Release number of selected component (if applicable):
Current in RHEL6.2

How reproducible:
$ rpm -q selinux-policy
selinux-policy-3.10.0-80.fc16.noarch

Steps to Reproduce:
1. Get RHEV-H from http://jenkins.virt.bos.redhat.com/jenkins/job/rhev-hypervisor-6/7/artifact/rhev-hypervisor6-6.3-20120307.2.auto7.el6.iso
2. Boot and install
3. Log into TUI and press F2 to get a console, look at audit.log

Actual results:
AVC denials

Expected results:
No AVC denials

Additional info:
<mgrepl> how is created /var/log/ovirt.log?
<fabiand> mgrepl, by redirecting output
<mgrepl> fabiand: are you also redirecting output of passwd
<mgrepl> ?
<fabiand> mgrepl, yes. It's called from a python script, which grabs stdout and stderr
<fabiand> mgrepl, I think it's those lines: http://gerrit.ovirt.org/gitweb?p=ovirt-node.git;a=blob;f=scripts/ovirtfunctions.py;h=7b6993e0b7cee1691d2def54968ba739bb8d9e41;hb=HEAD#l1073
<mgrepl> yes you are right
<fabiand> mgrepl, I can also provide the whole audit.log if you need it, btw.
<mgrepl> we allow only append between passwd_t and usr_tmp_t
<mgrepl> how is this script executed
<fabiand> it's part of a management interface (TUI)
I queried the selinux policy on the wrong machine. This is the policy used:

$ rpm -q selinux-policy
selinux-policy-3.7.19-142.el6.noarch
The problem is a tool is running as unconfined_t and if it executes passwd then it ends up as passwd_t.

allow unconfined_t passwd_t : process transition ;

So if you redirect an output, you write to user_tmp_t which is created by a tool and we allow

$ sesearch -A -s passwd_t -t user_tmp_t -c file
Found 2 semantic av rules:
allow application_domain_type user_tmp_t : file { getattr append } ;
allow passwd_t user_tmp_type : file { ioctl read getattr lock open } ;

So we allow only append operation for this situation.
So what would be the solution for the tool to prevent this avc message?
Could you append the file in the /tmp?
passwd | cat > /tmp/blah

Would work around the problem.
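The two fixes suggested above (append the file, or pipe passwd through a process that stays in the caller's domain) as an added Python example; this is not code from ovirt-node or from the bug report. The child command is a constructed stand-in for passwd, and `run_and_log` / `problematic_redirect` are hypothetical helper names.

```python
# Added example: run a command that transitions into a confined domain
# (passwd_t here) without handing it a writable descriptor to a user_tmp_t
# log file. The child only ever sees a pipe; the parent, which stays
# unconfined_t, appends to the log itself. This is the Python equivalent of
# "passwd | cat > /tmp/blah".
import os
import subprocess
import sys
import tempfile


def run_and_log(cmd, log_path):
    """Run cmd, relaying its stdout+stderr into log_path from the parent.

    Returns (exit_code, captured_text). Because the child's stdout/stderr
    are pipes, the SELinux file checks on log_path are made against the
    parent's domain, not against the domain the child transitions into.
    """
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    out, _ = proc.communicate()
    text = out.decode("utf-8", "replace")
    # Append mode ("a") requests the append permission, which is also the
    # only write-like permission the policy grants passwd_t on user_tmp_t.
    with open(log_path, "a") as log:
        log.write(text)
    return proc.returncode, text


def problematic_redirect(cmd, log_path):
    """The pattern that triggers the AVC: the log is opened for write in
    the parent and the descriptor is inherited by the child, which then
    needs 'write' on user_tmp_t after it has become passwd_t."""
    with open(log_path, "w") as log:
        return subprocess.call(cmd, stdout=log, stderr=subprocess.STDOUT)


def demo():
    """Constructed stand-in for passwd that writes to stdout and stderr."""
    cmd = [sys.executable, "-c",
           "import sys; print('changing password'); "
           "print('stderr line', file=sys.stderr)"]
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    rc, text = run_and_log(cmd, path)
    with open(path) as f:
        logged = f.read()
    os.unlink(path)
    return rc, text, logged
```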