Bug 838664 - pingus binaries have a wrong context 'ping_exec_t'
pingus binaries have a wrong context 'ping_exec_t'
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Version: 17
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2012-07-09 13:54 EDT by Alphonse Steiner
Modified: 2012-08-01 14:22 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-08-01 14:22:02 EDT
Type: Bug
Description Alphonse Steiner 2012-07-09 13:54:22 EDT
Description of problem:
The binaries from the game 'pingus' have the context 'ping_exec_t' instead of 'bin_t' (I presume).
This is because the filecontext of 'ping' is defined with a wildcard:
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/ping.*      --      system_u:object_r:ping_exec_t:s0

The game is then unable to run for confined users. A workaround is:
chcon -t bin_t /usr/bin/pingus


If I define a context for /usr/bin/pingus, which one has priority: the wildcard rule or the specific one? I have not found an answer yet.
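The wildcard match described above, as an added example that is not part of this bug report or of selinux-policy: a small Python model of how a file_contexts entry is matched against a path. The entries are constructed; the narrowed "ping6?" regex and the later override entry are assumptions used for illustration, not the upstream fix.

```python
import re

# Constructed file_contexts fragments in the format quoted in the report;
# not the real Fedora policy. The first has ping's ".*" wildcard, which
# also covers pingus and pingus.bin; the second narrows it to ping/ping6
# (an assumed fix, not the upstream patch); the third keeps the wildcard
# and appends a more specific entry for the pingus binaries.
WILDCARD = r"""
/usr/bin/.*       --  system_u:object_r:bin_t:s0
/usr/bin/ping.*   --  system_u:object_r:ping_exec_t:s0
"""
NARROWED = r"""
/usr/bin/.*       --  system_u:object_r:bin_t:s0
/usr/bin/ping6?   --  system_u:object_r:ping_exec_t:s0
"""
OVERRIDE = WILDCARD + r"""
/usr/bin/pingus(\.bin)?  --  system_u:object_r:bin_t:s0
"""

def parse_file_contexts(text):
    """Return (compiled regex, file-type flag or None, context) per entry."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ctx = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        # libselinux anchors every regex at both ends, so "/usr/bin/ping.*"
        # behaves as "^/usr/bin/ping.*$".
        entries.append((re.compile("^" + regex + "$"), ftype, ctx))
    return entries

def label_for(entries, path, ftype="--"):
    """Context the path would receive, or None if nothing matches.

    ftype is the file_contexts type flag ("--" regular file, "-d" directory,
    "-l" symlink, ...). libselinux walks the spec list in reverse so the last
    matching entry wins; the real library also pre-sorts entries (most general
    first), which this model omits, so more specific entries are kept later.
    """
    for regex, flag, ctx in reversed(entries):
        if flag is None or flag == ftype:
            if regex.match(path):
                return ctx
    return None
```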
Comment 1 Miroslav Grepl 2012-07-10 02:05:44 EDT
What AVC msgs are you getting?
Comment 2 Alphonse Steiner 2012-07-10 05:46:05 EDT
Here is the AVC:

type=AVC msg=audit(1341913280.881:1492): avc:  denied  { read } for  pid=28320 comm="pingus" path="/usr/bin/bash" dev="sda5" ino=550819 scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341913280.881:1492): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fffa909c0d0 items=0 ppid=28304 pid=28320 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts4 ses=2 comm="pingus" exe="/usr/bin/bash" subj=staff_u:staff_r:ping_t:s0-s0:c0.c1023 key=(null)

The user is confined as 'staff_u'.
You can see that pingus is running in context 'ping_t', which is the problem.
Comment 3 Daniel Walsh 2012-07-10 23:03:06 EDT
I agree we should label this as bin_t. Fixed in Rawhide.
Comment 4 Fedora Update System 2012-07-27 11:34:43 EDT
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17
Comment 5 Fedora Update System 2012-07-27 21:24:30 EDT
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).
Comment 6 Alphonse Steiner 2012-07-28 03:44:25 EDT
Only half-fixed.

# ll -Z /usr/bin/ping*
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/ping
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/ping6
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/pingus
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/pingus.bin

So, pingus has the good context, but not pingus.bin (pingus is a shell script that launches pingus.bin).

Here is the new AVC:
type=AVC msg=audit(1343461181.891:2049): avc:  denied  { execmem } for  pid=18213 comm="pingus.bin" scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tclass=process
Comment 7 Miroslav Grepl 2012-07-30 04:37:20 EDT
I am fixing it.

# chcon -t bin_t /usr/bin/pingus.bin

selinux-policy-3.10.0-143.fc17
Comment 8 Fedora Update System 2012-08-01 14:22:02 EDT
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.