Bug 814076 - SELinux is preventing /sbin/setfiles from 'write' accesses on the chr_file /dev/null.
Summary: SELinux is preventing /sbin/setfiles from 'write' accesses on the chr_file /d...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:95a62b01707b762f17d492e31fd...
: 814077 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-04-19 07:55 UTC by Sandro Mathys
Modified: 2012-06-22 13:31 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-22 13:31:46 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Sandro Mathys 2012-04-19 07:55:33 UTC 
libreport version: 2.0.10
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-1.fc17.x86_64
time:           Thu 19 Apr 2012 09:54:58 AM CEST

description:
:SELinux is preventing /sbin/setfiles from 'write' accesses on the chr_file /dev/null.
:
:*****  Plugin restorecon (93.9 confidence) suggests  *************************
:
:If you want to fix the label. 
:/dev/null default label should be null_device_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /dev/null
:
:*****  Plugin leaks (6.10 confidence) suggests  ******************************
:
:If you want to ignore setfiles trying to write access the null chr_file, because you believe it should not need this access.
:Then you should report this as a bug.  
:You can generate a local policy module to dontaudit this access.
:Do
:# grep /sbin/setfiles /var/log/audit/audit.log | audit2allow -D -M mypol
:# semodule -i mypol.pp
:
:*****  Plugin catchall (1.43 confidence) suggests  ***************************
:
:If you believe that setfiles should be allowed write access on the null chr_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
:                              3
:Target Context                unconfined_u:object_r:mock_var_lib_t:s0
:Target Objects                /dev/null [ chr_file ]
:Source                        restorecon
:Source Path                   /sbin/setfiles
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           policycoreutils-2.1.10-29.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-110.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-1.fc17.x86_64
:                              #1 SMP Mon Mar 19 03:03:39 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Thu 19 Apr 2012 09:53:17 AM CEST
:Last Seen                     Thu 19 Apr 2012 09:53:17 AM CEST
:Local ID                      c4f0084e-515d-4c3b-ab05-1fe962dc37b2
:
:Raw Audit Messages
:type=AVC msg=audit(1334821997.375:9335): avc:  denied  { write } for  pid=7787 comm="restorecon" path="/dev/null" dev="dm-0" ino=2884951 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=chr_file
:
:
:type=SYSCALL msg=audit(1334821997.375:9335): arch=x86_64 syscall=execve success=yes exit=0 a0=22ddb50 a1=22de450 a2=22daba0 a3=7fff7a1e62c0 items=0 ppid=7785 pid=7787 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=restorecon exe=/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
:
:Hash: restorecon,setfiles_t,mock_var_lib_t,chr_file,write
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-04-19 14:18:36 UTC 
*** Bug 814077 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2012-04-19 14:18:59 UTC 
What were you doing when this happened?
Comment 3 Sandro Mathys 2012-04-19 14:28:34 UTC 
mock rebuild -r fedora-16-x86_64 <path-to-srpm>

In case it matters somehow:
- The SRPM was built on F17
- The spec file builds a selinux policy and includes some semanage and setsebool calls in %post/%postun
- The mock build seemed to run fine and I wouldn't have noticed a problem if sealert hadn't showed up
Comment 4 Daniel Walsh 2012-04-19 19:05:17 UTC 
Yes these AVC's are really not breaking anything.  I am just wondering if running mock from unconfined_t is transitioning to mock_t.

#optional_policy(`
#	mock_role(unconfined_r, unconfined_t)
#')
Since this is commented out, it is strange, or does mock run via dbus or the init system.
Comment 5 Miroslav Grepl 2012-04-20 08:50:39 UTC 
This is strange.

$ ps -eZ |grep mock
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 9737 pts/3 00:00:01 mock
Comment 6 Miroslav Grepl 2012-04-20 14:15:30 UTC 
Ok, now I see it also.

$ cd selinux-policy
$ git checkout f17
$ fedpkg mockbuild


---

allow semanage_t mock_var_lib_t:dir { rename write rmdir remove_name create add_name };
allow semanage_t mock_var_lib_t:file { write rename execute unlink create };

#============= setfiles_t ==============
allow setfiles_t mock_var_lib_t:file { read execute open };

---


The problem is there are transitions from unconfined_t to setfiles_t/semanage_t.
Comment 7 Daniel Walsh 2012-04-20 15:17:24 UTC 
What is setfiles_t executing?


We probably should allow semanage to manage mock_var_lib_t.
Comment 8 Miroslav Grepl 2012-04-20 21:39:32 UTC 
type=AVC msg=audit(1334932069.914:4141): avc:  denied  { execute } for  pid=24431 comm="setfiles" path="/usr/lib64/libselinux.so.1" dev="dm-1" ino=2133600 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mock_var_lib_t:s0 tclass=file
Comment 9 Daniel Walsh 2012-04-22 11:46:56 UTC 
Ok, I get it.
Note You need to log in before you can comment on or make changes to this bug.