Bug 838664 - pingus binaries have a wrong context 'ping_exec_t'
Summary: pingus binaries have a wrong context 'ping_exec_t'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-07-09 17:54 UTC by Alphonse Steiner
Modified: 2012-08-01 18:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-01 18:22:02 UTC
Type: Bug
Embargoed:


Description Alphonse Steiner 2012-07-09 17:54:22 UTC
Description of problem:
The binaries from the game 'pingus' have the context 'ping_exec_t' instead of 'bin_t' (I presume).
This is because the filecontext of 'ping' is defined with a wildcard:
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/ping.*      --      system_u:object_r:ping_exec_t:s0

The game is then unable to run for confined users. A workaround is:
chcon -t bin_t /usr/bin/pingus


If I define a context for /usr/bin/pingus, which one has priority: the wildcard rule or the specific one? I have not found an answer yet.

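To answer the priority question above: libselinux treats every file_contexts pattern as anchored at both ends, so `/usr/bin/ping.*` matches `/usr/bin/pingus` and `/usr/bin/pingus.bin` as well as `/usr/bin/ping`, and among the entries that match a path the most specific one wins (a literal path beats a regex; with the same stem, a longer pattern beats a shorter one; entries added with `semanage fcontext`, which land in file_contexts.local, are consulted after the base file). The script below is an added model of that ordering, written for this page; it is not libselinux or fc_sort code, and the file_contexts excerpt, the `/usr/bin/pingus(\.bin)?` override and the helper names are constructed for the example rather than taken from the Fedora policy.

```python
"""Model of SELinux file_contexts lookup: which entry labels /usr/bin/pingus?"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of a file_contexts file (assumption for this example; the
# real Fedora policy has thousands of entries, only the relevant ones are modelled).
FILE_CONTEXTS = """\
/usr/bin/.*                     system_u:object_r:bin_t:s0
/usr/bin/bash           --      system_u:object_r:shell_exec_t:s0
/usr/bin/ping.*         --      system_u:object_r:ping_exec_t:s0
"""

# Hypothetical local override, as
#   semanage fcontext -a -t bin_t '/usr/bin/pingus(\.bin)?'
# would write to file_contexts.local. This is an assumed fix for the example,
# not the change shipped in the selinux-policy update.
LOCAL_OVERRIDE = """\
/usr/bin/pingus(\\.bin)?  --  system_u:object_r:bin_t:s0
"""

# Characters that make a pattern a regex rather than a literal path.
REGEX_META = set(".^$?*+|[({\\")


@dataclass(frozen=True)
class Spec:
    regex: str
    ftype: Optional[str]   # "--" regular file, "-d" directory, ... or None for any
    context: str
    order: int             # position in the loaded file(s); later entries win ties

    @property
    def has_meta(self):
        return any(c in REGEX_META for c in self.regex)

    @property
    def stem(self):
        """Literal directory prefix before the first component containing a metachar."""
        first_meta = next((i for i, c in enumerate(self.regex) if c in REGEX_META),
                          len(self.regex))
        return self.regex[:first_meta].rpartition("/")[0]

    def specificity(self):
        # Higher tuple = more specific. Mirrors the order in which the policy
        # build sorts entries (literal after regex, longer stem after shorter,
        # longer pattern after shorter) and the last-match-wins lookup, with
        # file_contexts.local loaded after file_contexts.
        return (not self.has_meta, len(self.stem), len(self.regex), self.order)


def parse(text, start=0):
    """Parse 'regex [ftype] context' lines into Spec objects."""
    specs = []
    for n, line in enumerate(text.splitlines(), start):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, context = fields[0], fields[-1]
        ftype = fields[1] if len(fields) == 3 else None
        specs.append(Spec(regex, ftype, context, n))
    return specs


def lookup(specs, path, is_regular_file=True):
    """Return the context the most specific matching entry assigns to path."""
    candidates = []
    for s in specs:
        if s.ftype == "--" and not is_regular_file:
            continue
        if re.fullmatch(s.regex, path):   # libselinux anchors patterns with ^...$
            candidates.append(s)
    if not candidates:
        return None                       # matchpathcon would print <<none>>
    return max(candidates, key=Spec.specificity).context


def label_table(specs, paths):
    """Map each path to the label the given entries produce."""
    return {p: lookup(specs, p) for p in paths}


if __name__ == "__main__":
    base = parse(FILE_CONTEXTS)
    fixed = base + parse(LOCAL_OVERRIDE, start=len(base))
    paths = ["/usr/bin/ping", "/usr/bin/ping6", "/usr/bin/pingus",
             "/usr/bin/pingus.bin", "/usr/bin/bash"]
    for path in paths:
        print(f"{path:22} {lookup(base, path):36} -> {lookup(fixed, path)}")
```

On a real system `matchpathcon /usr/bin/pingus` shows which entry the installed policy selects, and an override added with `semanage fcontext -a -t bin_t '/usr/bin/pingus(\.bin)?'` followed by `restorecon -v /usr/bin/pingus*` persists across relabels, which the `chcon` workaround in the description does not.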
Comment 1 Miroslav Grepl 2012-07-10 06:05:44 UTC
What AVC msgs are you getting?

Comment 2 Alphonse Steiner 2012-07-10 09:46:05 UTC
Here is the AVC:

type=AVC msg=audit(1341913280.881:1492): avc:  denied  { read } for  pid=28320 comm="pingus" path="/usr/bin/bash" dev="sda5" ino=550819 scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1341913280.881:1492): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=7fffa909c0d0 items=0 ppid=28304 pid=28320 auid=502 uid=502 gid=502 euid=502 suid=502 fsuid=502 egid=502 sgid=502 fsgid=502 tty=pts4 ses=2 comm="pingus" exe="/usr/bin/bash" subj=staff_u:staff_r:ping_t:s0-s0:c0.c1023 key=(null)

The user is confined as 'staff_u'.
You can see that pingus is running in context 'ping_t', which is the problem.

Comment 3 Daniel Walsh 2012-07-11 03:03:06 UTC
I agree we should label this as bin_t. Fixed in Rawhide.

Comment 4 Fedora Update System 2012-07-27 15:34:43 UTC
selinux-policy-3.10.0-142.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-142.fc17

Comment 5 Fedora Update System 2012-07-28 01:24:30 UTC
Package selinux-policy-3.10.0-142.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-142.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-11215/selinux-policy-3.10.0-142.fc17
then log in and leave karma (feedback).

Comment 6 Alphonse Steiner 2012-07-28 07:44:25 UTC
Only half-fixed.

# ll -Z /usr/bin/ping*
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/ping
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/ping6
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/pingus
-rwxr-xr-x. root root system_u:object_r:ping_exec_t:s0 /usr/bin/pingus.bin

So, pingus has the good context, but not pingus.bin (pingus is a shell script that launches pingus.bin).

Here is the new AVC:
type=AVC msg=audit(1343461181.891:2049): avc:  denied  { execmem } for  pid=18213 comm="pingus.bin" scontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:ping_t:s0-s0:c0.c1023 tclass=process

Comment 7 Miroslav Grepl 2012-07-30 08:37:20 UTC
I am fixing it.

# chcon -t bin_t /usr/bin/pingus.bin

selinux-policy-3.10.0-143.fc17

Comment 8 Fedora Update System 2012-08-01 18:22:02 UTC
selinux-policy-3.10.0-142.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
