828320 – SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.

Bug 828320 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.

Summary: SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/pas...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	17
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:ad84ae95049aa838ab9d9bfa2e0...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-06-04 14:53 UTC by Julian
Modified:	2012-06-30 21:51 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-06-30 21:51:03 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
sealert with -130 installed still pointing to this bug (2.25 KB, text/plain) 2012-06-19 11:40 UTC, Andre Robatino	no flags	Details
sealert with -130 installed still pointing to this bug (run as root to get additional info) (2.31 KB, text/plain) 2012-06-19 11:51 UTC, Andre Robatino	no flags	Details
Show Obsolete (1) View All

Description Julian 2012-06-04 14:53:36 UTC

libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.7-1.fc17.x86_64
time:           Mon 04 Jun 2012 04:45:54 PM CEST

description:
:SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that bash should be allowed read access on the passwd file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sh /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:ddclient_t:s0
:Target Context                system_u:object_r:passwd_file_t:s0
:Target Objects                /etc/passwd [ file ]
:Source                        sh
:Source Path                   /usr/bin/bash
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           bash-4.2.28-1.fc17.x86_64
:Target RPM Packages           setup-2.8.48-1.fc17.noarch
:Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21
:                              22:32:19 UTC 2012 x86_64 x86_64
:Alert Count                   11
:First Seen                    Sun 03 Jun 2012 09:56:27 AM CEST
:Last Seen                     Mon 04 Jun 2012 04:45:05 PM CEST
:Local ID                      6f5aa49d-37e0-4731-9ffd-525c09aaaed0
:
:Raw Audit Messages
:type=AVC msg=audit(1338821105.640:221): avc:  denied  { read } for  pid=13783 comm="sh" name="passwd" dev="dm-1" ino=34022713 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1338821105.640:221): arch=x86_64 syscall=open success=no exit=EACCES a0=7f11b75586ca a1=80000 a2=1b6 a3=238 items=0 ppid=951 pid=13783 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:ddclient_t:s0 key=(null)
:
:Hash: sh,ddclient_t,passwd_file_t,file,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Daniel Walsh 2012-06-04 15:03:12 UTC

Fixed in selinux-policy-3.10.0-129.fc17

Comment 2 Julian 2012-06-04 20:01:06 UTC

Oopsy, seems that i hit the "cancel" button too late or i would have written a more thorough description. sorry.

Thanks for fixing this anyway, though!

Comment 3 Fedora Update System 2012-06-11 20:59:38 UTC

selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17

Comment 4 Fedora Update System 2012-06-15 23:57:17 UTC

Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-06-17 00:02:10 UTC

selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Andre Robatino 2012-06-19 11:40:14 UTC

Created attachment 592918 [details]
sealert with -130 installed still pointing to this bug

I am still seeing this bug with -130 installed, upon rebooting and logging in. Oddly, I'm not seeing bug 832501 anymore, even though that's only supposed to be fixed in -132 which I haven't tested. I did a "fixfiles onboot" and rebooted just to make sure labels were up to date.

Comment 7 Andre Robatino 2012-06-19 11:51:08 UTC

Created attachment 592922 [details]
sealert with -130 installed still pointing to this bug (run as root to get additional info)

Running sealert as root gives additional info. Obsoleting previous attachment which was run as ordinary user.

Comment 8 Daniel Walsh 2012-06-19 13:16:40 UTC

Your right, miroslav can you back port this fix from F18 to F17.

Andre do you see any lack of functionality?

Comment 9 Andre Robatino 2012-06-19 14:23:38 UTC

(In reply to comment #8)

> Andre do you see any lack of functionality?

Not sure - my ddclient.conf file contains a reference to whatismyip.org, and /var/log/messages shows a message

Jun 19 07:45:46 compaq-pc ddclient[909]: WARNING:  cannot connect to whatismyip.org:80 socket: IO::Socket::INET: connect: Network is unreachable

on boot, but I don't know if it has anything to do with this.

Comment 10 Andre Robatino 2012-06-19 16:50:58 UTC

Ignore what I said about bug 832501. It's still broken in -130. For the sealert to happen, there has to a UPS event (it doesn't happen on reboot). I'll try testing -132.

Comment 11 Daniel Walsh 2012-06-19 18:45:44 UTC

That is not a permission denied ,but a bug saying that whatismyip.org is not reachable.

SELinux would allow this access.

Comment 12 Miroslav Grepl 2012-06-20 09:11:12 UTC

Fixed in selinux-policy-3.10.0-133.fc17

Comment 13 Fedora Update System 2012-06-26 21:47:16 UTC

selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17

Comment 14 Fedora Update System 2012-06-28 03:37:01 UTC

Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2012-06-30 21:51:03 UTC

selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.