Bug 828320 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/pas...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
17
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:ad84ae95049aa838ab9d9bfa2e0...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-04 10:53 EDT by Julian
Modified: 2012-06-30 17:51 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-30 17:51:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sealert with -130 installed still pointing to this bug (2.25 KB, text/plain)
2012-06-19 07:40 EDT, Andre Robatino
no flags Details
sealert with -130 installed still pointing to this bug (run as root to get additional info) (2.31 KB, text/plain)
2012-06-19 07:51 EDT, Andre Robatino
no flags Details

  None (edit)
Description Julian 2012-06-04 10:53:36 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.7-1.fc17.x86_64
time:           Mon 04 Jun 2012 04:45:54 PM CEST

description:
:SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that bash should be allowed read access on the passwd file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep sh /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:ddclient_t:s0
:Target Context                system_u:object_r:passwd_file_t:s0
:Target Objects                /etc/passwd [ file ]
:Source                        sh
:Source Path                   /usr/bin/bash
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           bash-4.2.28-1.fc17.x86_64
:Target RPM Packages           setup-2.8.48-1.fc17.noarch
:Policy RPM                    selinux-policy-3.10.0-128.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.7-1.fc17.x86_64 #1 SMP Mon May 21
:                              22:32:19 UTC 2012 x86_64 x86_64
:Alert Count                   11
:First Seen                    Sun 03 Jun 2012 09:56:27 AM CEST
:Last Seen                     Mon 04 Jun 2012 04:45:05 PM CEST
:Local ID                      6f5aa49d-37e0-4731-9ffd-525c09aaaed0
:
:Raw Audit Messages
:type=AVC msg=audit(1338821105.640:221): avc:  denied  { read } for  pid=13783 comm="sh" name="passwd" dev="dm-1" ino=34022713 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1338821105.640:221): arch=x86_64 syscall=open success=no exit=EACCES a0=7f11b75586ca a1=80000 a2=1b6 a3=238 items=0 ppid=951 pid=13783 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:ddclient_t:s0 key=(null)
:
:Hash: sh,ddclient_t,passwd_file_t,file,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-06-04 11:03:12 EDT
Fixed in selinux-policy-3.10.0-129.fc17
Comment 2 Julian 2012-06-04 16:01:06 EDT
Oopsy, seems that i hit the "cancel" button too late or i would have written a more thorough description. sorry.

Thanks for fixing this anyway, though!
Comment 3 Fedora Update System 2012-06-11 16:59:38 EDT
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Comment 4 Fedora Update System 2012-06-15 19:57:17 EDT
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-06-16 20:02:10 EDT
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Andre Robatino 2012-06-19 07:40:14 EDT
Created attachment 592918 [details]
sealert with -130 installed still pointing to this bug

I am still seeing this bug with -130 installed, upon rebooting and logging in. Oddly, I'm not seeing bug 832501 anymore, even though that's only supposed to be fixed in -132 which I haven't tested. I did a "fixfiles onboot" and rebooted just to make sure labels were up to date.
Comment 7 Andre Robatino 2012-06-19 07:51:08 EDT
Created attachment 592922 [details]
sealert with -130 installed still pointing to this bug (run as root to get additional info)

Running sealert as root gives additional info. Obsoleting previous attachment which was run as ordinary user.
Comment 8 Daniel Walsh 2012-06-19 09:16:40 EDT
Your right, miroslav can you back port this fix from F18 to F17.

Andre do you see any lack of functionality?
Comment 9 Andre Robatino 2012-06-19 10:23:38 EDT
(In reply to comment #8)

> Andre do you see any lack of functionality?

Not sure - my ddclient.conf file contains a reference to whatismyip.org, and /var/log/messages shows a message

Jun 19 07:45:46 compaq-pc ddclient[909]: WARNING:  cannot connect to whatismyip.org:80 socket: IO::Socket::INET: connect: Network is unreachable

on boot, but I don't know if it has anything to do with this.
Comment 10 Andre Robatino 2012-06-19 12:50:58 EDT
Ignore what I said about bug 832501. It's still broken in -130. For the sealert to happen, there has to a UPS event (it doesn't happen on reboot). I'll try testing -132.
Comment 11 Daniel Walsh 2012-06-19 14:45:44 EDT
That is not a permission denied ,but a bug saying that whatismyip.org is not reachable.

SELinux would allow this access.
Comment 12 Miroslav Grepl 2012-06-20 05:11:12 EDT
Fixed in selinux-policy-3.10.0-133.fc17
Comment 13 Fedora Update System 2012-06-26 17:47:16 EDT
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Comment 14 Fedora Update System 2012-06-27 23:37:01 EDT
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2012-06-30 17:51:03 EDT
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.