Bug 971127 - SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.
Summary: SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/pas...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:7aa81805c8f45ddb56c19927e1f...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-05 18:23 UTC by Moez Roy
Modified: 2013-07-25 00:38 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.11.1-98.fc18
Clone Of:
Environment:
Last Closed: 2013-07-25 00:38:57 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Moez Roy 2013-06-05 18:23:52 UTC
Description of problem:
SELinux is preventing /usr/bin/bash from 'read' accesses on the file /etc/passwd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:openshift_app_t:s0-s0:c0.c10
                              23
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                /etc/passwd [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.45-1.fc18.x86_64
Target RPM Packages           setup-2.8.57-1.fc18.noarch
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.x86_64 #1 SMP Fri
                              May 24 20:10:49 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-06-05 11:19:00 PDT
Last Seen                     2013-06-05 11:19:00 PDT
Local ID                      f970579b-82a3-4264-b354-eaf0fb8e9baa

Raw Audit Messages
type=AVC msg=audit(1370456340.79:652): avc:  denied  { read } for  pid=5728 comm="sh" name="passwd" dev="dm-2" ino=2492695 scontext=unconfined_u:system_r:openshift_app_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=AVC msg=audit(1370456340.79:652): avc:  denied  { open } for  pid=5728 comm="sh" path="/etc/passwd" dev="dm-2" ino=2492695 scontext=unconfined_u:system_r:openshift_app_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1370456340.79:652): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7f6710bd06ca a1=80000 a2=1b6 a3=238 items=0 ppid=5725 pid=5728 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=10 tty=(none) comm=sh exe=/usr/bin/bash subj=unconfined_u:system_r:openshift_app_t:s0-s0:c0.c1023 key=(null)

Hash: sh,openshift_app_t,passwd_file_t,file,read

audit2allow

#============= openshift_app_t ==============
allow openshift_app_t passwd_file_t:file { read open };

audit2allow -R
require {
	type openshift_app_t;
}

#============= openshift_app_t ==============
auth_read_passwd(openshift_app_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-200.fc18.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-06-07 19:27:32 UTC
Currently we do not want openshift apps to read /etc/passwd  If you run in enforcing mode does your app work.

8ec462331abe3c920590e08d68e93a5f1984fe5f allows this for now in git

Comment 2 Miroslav Grepl 2013-06-11 13:22:46 UTC
Back ported.

commit 819fb7c1f40967762881f7f1fdaa8ddd1577d6d0
Author: Dan Walsh <dwalsh>
Date:   Fri Jun 7 15:27:10 2013 -0400

    For now we need to allow openshift_app_t to read the /etc/passwd fil

Comment 3 Fedora Update System 2013-06-27 13:34:59 UTC
selinux-policy-3.11.1-98.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-98.fc18

Comment 4 Fedora Update System 2013-06-28 06:09:09 UTC
Package selinux-policy-3.11.1-98.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-98.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11859/selinux-policy-3.11.1-98.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-07-25 00:38:57 UTC
selinux-policy-3.11.1-98.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.