Bug 879664 - SELinux is preventing /usr/sbin/glibc_post_upgrade.i686 from using the 'transition' accesses on a process.
Summary: SELinux is preventing /usr/sbin/glibc_post_upgrade.i686 from using the 'trans...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:b1991e8139579b9b868cadcad0f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-11-23 15:47 UTC by Mads Kiilerich
Modified: 2013-10-25 10:38 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-10-25 10:38:07 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-11-23 15:47 UTC, Mads Kiilerich 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-11-23 15:47 UTC, Mads Kiilerich 		no flags Details
View All

Description Mads Kiilerich 2012-11-23 15:47:49 UTC 
Additional info:
libreport version: 2.0.18
kernel:         3.6.6-3.fc18.x86_64

description:
:SELinux is preventing /usr/sbin/glibc_post_upgrade.i686 from using the 'transition' accesses on a process.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that glibc_post_upgrade.i686 should be allowed transition access on processes labeled rpm_script_t by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep glibc_post_upgr /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:system_r:livecd_t:s0-s0:c0.c1023
:Target Context                unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023
:Target Objects                /usr/bin/bash [ process ]
:Source                        glibc_post_upgr
:Source Path                   /usr/sbin/glibc_post_upgrade.i686
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           bash-4.2.39-1.fc18.x86_64
:Target RPM Packages           bash-4.2.39-1.fc18.x86_64
:Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-3.fc18.x86_64 #1 SMP Mon Nov
:                              5 16:26:34 UTC 2012 x86_64 x86_64
:Alert Count                   136
:First Seen                    2012-10-17 20:16:54 CEST
:Last Seen                     2012-11-23 15:51:12 CET
:Local ID                      232f9307-04c6-4961-83da-35560d1a76c5
:
:Raw Audit Messages
:type=AVC msg=audit(1353682272.177:1164): avc:  denied  { transition } for  pid=2773 comm="rpm" path="/usr/bin/bash" dev="loop0" ino=136882 scontext=unconfined_u:system_r:livecd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
:
:
:type=SYSCALL msg=audit(1353682272.177:1164): arch=x86_64 syscall=execve per=8 success=yes exit=0 a0=1471b30 a1=145e790 a2=1479590 a3=7fff895334c0 items=0 ppid=2772 pid=2773 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=29 comm=sh exe=/usr/bin/bash subj=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)
:
:Hash: glibc_post_upgr,livecd_t,rpm_script_t,process,transition
:
:audit2allow
:audit2allow -R
Comment 1 Mads Kiilerich 2012-11-23 15:47:53 UTC 
Created attachment 650531 [details]
File: type
Comment 2 Mads Kiilerich 2012-11-23 15:47:59 UTC 
Created attachment 650532 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-11-26 14:43:47 UTC 
Ok,
the problem is we had

optional_policy(`
       # Allow SELinux aware applications to request rpm_script execution
       rpm_transition_script(livecd_t)
       rpm_domtrans(livecd_t)
')

which we removed to make livecd tools working without additional AVC msgs.
Note You need to log in before you can comment on or make changes to this bug.