Bug 980990 - SELinux is preventing /usr/bin/bash from using the 'transition' accesses on a process.
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: x86_64 OS: Unspecified
Priority: unspecified Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-03 14:24 EDT by Ian Pilcher
Modified: 2013-07-12 08:12 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-12 08:12:34 EDT
Description Ian Pilcher 2013-07-03 14:24:01 EDT
Description of problem:
Trying to use runcon to debug another SELinux-related issue (https://bugzilla.redhat.com/show_bug.cgi?id=818754#c44).

# runcon system_u:system_r:openvswitch_t:s0 modprobe openvswitch
SELinux is preventing /usr/bin/bash from using the 'transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed transition access on processes labeled openvswitch_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                /usr/bin/kmod [ process ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-11.fc19.x86_64
Target RPM Packages           kmod-13-2.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-300.fc19.x86_64 #1 SMP Thu
                              Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-07-03 12:35:35 CDT
Last Seen                     2013-07-03 13:14:46 CDT
Local ID                      2ac40fb6-626e-46b9-8f93-0d41ce8b4fba

Raw Audit Messages
type=AVC msg=audit(1372875286.860:218): avc:  denied  { transition } for  pid=5267 comm="runcon" path="/usr/bin/kmod" dev="dm-1" ino=1850541 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openvswitch_t:s0 tclass=process

type=SYSCALL msg=audit(1372875286.860:218): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff4ddfb54e a1=7fff4ddfb768 a2=7fff4ddfb780 a3=3a745f6863746977 items=0 ppid=3141 pid=5267 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts1 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: sh,unconfined_t,openvswitch_t,process,transition

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.8-300.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-07-10 18:45:26 EDT
Not that simple. You can either add a

Transitioning from one domain to another involves multiple access rules.

allow unconfined_t openvswitch_t:process transition;

But if you were executing 

runcon -r system_r -t openvswitch_t /bin/kmod

You would also need:

allow openvswitch_t insmod_exec_t:file entrypoint;

But that is not necessarily what you want since you might want to see if openvswitch_t can transition to insmod_t when executing kmod.

Something like:

runcon -r system_r -t openvswitch_t /bin/sh -c /bin/kmod

which would require
allow openvswitch_t bin_t:file entrypoint;
Comment 2 Miroslav Grepl 2013-07-12 08:12:34 EDT
Basically you can do it using these steps:

Check that there is no transition:

# sesearch -A -s openvswitch_t -t insmod_t -c process

=> no output => you can run

# runcon -u system_u -r system_r -t initrc_t -- runcon -t openvswitch_t -- kmod

for example. But it ends up with 

allow openvswitch_t insmod_exec_t:file entrypoint;

So you need to change the labeling for kmod, and then you can run "runcon":

# chcon -t openvswitch_exec_t /bin/kmod
# runcon -u system_u -r system_r -t initrc_t -- runcon -t openvswitch_t -- kmod

which will run kmod in the openvswitch_t domain. After testing MAKE SURE you run

# restorecon -v /bin/kmod
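
As an added example (not from the bug report or the selinux-policy project), the Python below parses the AVC record quoted in the description and lists the rules Comment 1 says a runcon transition actually needs, rather than only the single rule the catchall plugin suggests. The label of the executable being entered (insmod_exec_t for kmod, or bin_t for the /bin/sh variant) is passed in by the caller, since the AVC record does not carry it; the third rule (execute on the file for the source domain) is a standard SELinux requirement not mentioned in the report.

```python
"""Decode an SELinux AVC 'transition' denial and list the access rules
the domain transition needs.  Added example, not part of the bug report."""
import re

# Constructed test input: the AVC record from the report's description.
SAMPLE_AVC = (
    'type=AVC msg=audit(1372875286.860:218): avc:  denied  { transition } for  '
    'pid=5267 comm="runcon" path="/usr/bin/kmod" dev="dm-1" ino=1850541 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:openvswitch_t:s0 tclass=process'
)

_PERMS_RE = re.compile(r'avc:\s+denied\s+\{ ([^}]*) \}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of an AVC record."""
    perms = _PERMS_RE.search(line)
    if perms is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    fields["perms"] = perms.group(1).split()
    return fields


def domain_type(context):
    """Extract the type (third field) of a user:role:type[:range] context."""
    return context.split(":")[2]


def transition_rules(avc, exec_type):
    """Rules a transition from scontext to tcontext via a file labeled exec_type needs.

    exec_type is the label of the executable being entered (ls -Z on it); the
    AVC record does not carry it.  Returns [] for non-transition denials.
    """
    if avc.get("tclass") != "process" or "transition" not in avc["perms"]:
        return []
    src = domain_type(avc["scontext"])
    tgt = domain_type(avc["tcontext"])
    return [
        f"allow {src} {tgt}:process transition;",      # what the catchall suggests
        f"allow {tgt} {exec_type}:file entrypoint;",   # Comment 1: also required
        f"allow {src} {exec_type}:file execute;",      # standard requirement, not in report
    ]


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(f"{record['comm']} ({record['path']}): {record['scontext']} -> {record['tcontext']}")
    for rule in transition_rules(record, "insmod_exec_t"):  # /usr/bin/kmod's label per the report
        print(rule)
```

Pass "bin_t" instead of "insmod_exec_t" to see the rule set for the `runcon ... /bin/sh -c /bin/kmod` variant from Comment 1.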
