Bug 855341 - init script searches cwd which can cause SELinux denials
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openswan
Version: 5.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: BaseOS QE Security Team
Reported: 2012-09-07 13:03 UTC by Patrik Kis
Modified: 2013-04-08 13:01 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-03-19 19:21:48 UTC

Description Patrik Kis 2012-09-07 13:03:15 UTC
Description of problem:
Some administrators don't use the "service" command when managing a service. They
still do it this way:
/etc/init.d/SERVICE start
/etc/init.d/SERVICE restart
/etc/init.d/SERVICE stop
This procedure can cause SELinux denials when an administrator issues the
command in an unusual location (a usual location is, for example, / or /root;
selinux-policy is aware of the usual locations and SELinux denials are
dontaudited). I would like to ask to fix the init script in such a way that it
does not search for programs in the current working directory.

Version-Release number of selected component (if applicable):
openswan-2.6.32-4.el5

How reproducible:
always

# for I in /var/log/audit /usr /root / ; do cd ${I};  /etc/init.d/ipsec stop;  /etc/init.d/ipsec stop;  /etc/init.d/ipsec start;  /etc/init.d/ipsec stop;  service ipsec stop;  service ipsec stop;  service ipsec start;  service ipsec stop; done

# ausearch -m avc -ts recent
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.234:138): arch=c000003e syscall=4 success=no exit=-13 a0=9a48c90 a1=7fff5763d750 a2=7fff5763d750 a3=0 items=0 ppid=5994 pid=5995 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ipsec" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.234:138): avc:  denied  { getattr } for  pid=5995 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.254:139): arch=c000003e syscall=4 success=no exit=-13 a0=59bad80 a1=7fff86f148e0 a2=7fff86f148e0 a3=0 items=0 ppid=5994 pid=5995 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="_realsetup" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.254:139): avc:  denied  { getattr } for  pid=5995 comm="_realsetup" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.289:140): arch=c000003e syscall=4 success=no exit=-13 a0=17f65c90 a1=7fffde01b730 a2=7fffde01b730 a3=0 items=0 ppid=6011 pid=6012 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ipsec" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.289:140): avc:  denied  { getattr } for  pid=6012 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.309:141): arch=c000003e syscall=4 success=no exit=-13 a0=a406d80 a1=7ffffe416120 a2=7ffffe416120 a3=0 items=0 ppid=6011 pid=6012 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="_realsetup" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.309:141): avc:  denied  { getattr } for  pid=6012 comm="_realsetup" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.341:142): arch=c000003e syscall=4 success=no exit=-13 a0=1a2abb90 a1=7fff59121140 a2=7fff59121140 a3=0 items=0 ppid=6028 pid=6029 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ipsec" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.341:142): avc:  denied  { getattr } for  pid=6029 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.361:143): arch=c000003e syscall=4 success=no exit=-13 a0=1c85eb90 a1=7fffe1833f70 a2=7fffe1833f70 a3=0 items=0 ppid=6025 pid=6030 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ipsec" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.361:143): avc:  denied  { getattr } for  pid=6030 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.381:144): arch=c000003e syscall=4 success=no exit=-13 a0=1f3ae150 a1=7fffd36ca0b0 a2=7fffd36ca0b0 a3=0 items=0 ppid=6031 pid=6032 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ipsec" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.381:144): avc:  denied  { getattr } for  pid=6032 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.398:145): arch=c000003e syscall=4 success=no exit=-13 a0=7e4d240 a1=7fffc8051aa0 a2=7fffc8051aa0 a3=0 items=0 ppid=6031 pid=6032 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="_realsetup" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.398:145): avc:  denied  { getattr } for  pid=6032 comm="_realsetup" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.684:146): arch=c000003e syscall=4 success=no exit=-13 a0=17f55c90 a1=7fff892e41a0 a2=7fff892e41a0 a3=0 items=0 ppid=6151 pid=6152 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="ipsec" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.684:146): avc:  denied  { getattr } for  pid=6152 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:01 2012
type=SYSCALL msg=audit(1347022921.702:147): arch=c000003e syscall=4 success=no exit=-13 a0=84f1d80 a1=7fffc2a8f700 a2=7fffc2a8f700 a3=0 items=0 ppid=6151 pid=6152 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="_realsetup" exe="/bin/bash" subj=root:system_r:ipsec_mgmt_t:s0 key=(null)
type=AVC msg=audit(1347022921.702:147): avc:  denied  { getattr } for  pid=6152 comm="_realsetup" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
----
time->Fri Sep  7 15:02:10 2012
type=SYSCALL msg=audit(1347022930.026:148): arch=c000003e syscall=4 success=no exit=-13 a0=2b1c5a06b338 a1=7fff45cc5ad0 a2=7fff45cc5ad0 a3=4000 items=0 ppid=7341 pid=7342 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="pluto" exe="/usr/libexec/ipsec/pluto" subj=root:system_r:ipsec_t:s0 key=(null)
type=AVC msg=audit(1347022930.026:148): avc:  denied  { search } for  pid=7342 comm="pluto" name="net" dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir


Actual results:
AVCs appear

Expected results:
no AVC appears



+++ This bug was initially created as a clone of Bug #628879 +++
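
A triage sketch for the ausearch output above, added here as an example and not part of the original report or of openswan: it groups AVC denials by source type, target type, class, permission and command, and separates those whose target is the directory the init script was started from. The function names and the abridged sample are this example's own.

```python
import re
from collections import Counter

# AVC records abridged from the ausearch output in the report above
# (one per distinct comm; the paired SYSCALL lines are omitted).
SAMPLE = '''\
type=AVC msg=audit(1347022921.234:138): avc:  denied  { getattr } for  pid=5995 comm="ipsec" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1347022921.254:139): avc:  denied  { getattr } for  pid=5995 comm="_realsetup" path="/var/log/audit" dev=dm-0 ino=1212469 scontext=root:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=dir
type=AVC msg=audit(1347022930.026:148): avc:  denied  { search } for  pid=7342 comm="pluto" name="net" dev=proc ino=4026531985 scontext=root:system_r:ipsec_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; policy rules match on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text, cwd):
    """Count denials on the caller's working directory separately from the rest."""
    cwd_hits, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"], rec["comm"])
        on_cwd = rec.get("path") == cwd and rec["tclass"] == "dir"
        (cwd_hits if on_cwd else other)[key] += 1
    return cwd_hits, other

if __name__ == "__main__":
    cwd_hits, other = triage(SAMPLE, "/var/log/audit")
    for label, group in (("cwd", cwd_hits), ("other", other)):
        for key, count in group.items():
            print(label, count, key)
```

On the sample, the two getattr denials from ipsec_mgmt_t land in the working-directory group, while the pluto search denial on name="net" (dev=proc) does not involve the working directory and is reported separately.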

Comment 1 RHEL Program Management 2012-09-07 13:17:07 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Patrik Kis 2012-09-14 12:33:39 UTC
Hi Avesh,
I recently cloned this bug for RHEL5 because it appeared while I was testing openswan on RHEL5-9.
Do you think it is worth fixing? I'm not sure if it is worth a rebase.
Patrik

Comment 3 RHEL Program Management 2012-10-30 05:59:27 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 Eric Paris 2013-03-19 19:21:48 UTC
After review we do not think this bug is high enough priority to be resolved in RHEL 5.  It should be harmless.  If you have similar problems in RHEL6 or RHEL7 please feel free to reopen this bug against the later component.  Thank you for the report.

