Bug 980990 - SELinux is preventing /usr/bin/bash from using the 'transition' accesses on a process.
Summary: SELinux is preventing /usr/bin/bash from using the 'transition' accesses on a...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:d16b3eb171540da72ff238653b7...
Depends On:
Reported: 2013-07-03 18:24 UTC by Ian Pilcher
Modified: 2013-07-12 12:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-07-12 12:12:34 UTC
Type: ---


Description Ian Pilcher 2013-07-03 18:24:01 UTC
Description of problem:
Trying to use runcon to debug another SELinux-related issue (https://bugzilla.redhat.com/show_bug.cgi?id=818754#c44).

# runcon system_u:system_r:openvswitch_t:s0 modprobe openvswitch
SELinux is preventing /usr/bin/bash from using the 'transition' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed transition access on processes labeled openvswitch_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
Target Context                system_u:system_r:openvswitch_t:s0
Target Objects                /usr/bin/kmod [ process ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.21-11.fc19.x86_64
Target RPM Packages           kmod-13-2.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-54.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.8-300.fc19.x86_64 #1 SMP Thu Jun 27 19:24:23 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-07-03 12:35:35 CDT
Last Seen                     2013-07-03 13:14:46 CDT
Local ID                      2ac40fb6-626e-46b9-8f93-0d41ce8b4fba

Raw Audit Messages
type=AVC msg=audit(1372875286.860:218): avc:  denied  { transition } for  pid=5267 comm="runcon" path="/usr/bin/kmod" dev="dm-1" ino=1850541 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:openvswitch_t:s0 tclass=process

type=SYSCALL msg=audit(1372875286.860:218): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff4ddfb54e a1=7fff4ddfb768 a2=7fff4ddfb780 a3=3a745f6863746977 items=0 ppid=3141 pid=5267 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts1 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: sh,unconfined_t,openvswitch_t,process,transition

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.8-300.fc19.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-07-10 22:45:26 UTC
Not that simple. You can either add a

Transitioning from one domain to another involves multiple access rules.

allow unconfined_t openvswitch_t:process transition;

But if you were executing 

runcon -r system_r -t openvswitch_t /bin/kmod

You would also need:

allow openvswitch_t insmod_exec_t:file entrypoint;

But that is not necessarily what you want since you might want to see if openvswitch_t can transition to insmod_t when executing kmod.

Something like:

runcon -r system_r -t openvswitch_t /bin/sh -c /bin/kmod

Which would require
allow openvswitch_t bin_t:file entrypoint;

Comment 2 Miroslav Grepl 2013-07-12 12:12:34 UTC
Basically you can do it using these steps:

Check if there is no transition

# sesearch -A -s openvswitch_t -t insmod_t -c process

=> no output => you can run

# runcon -u system_u -r system_r -t initrc_t -- runcon -t openvswitch_t -- kmod

for example. But it ends up with 

allow openvswitch_t insmod_exec_t:file entrypoint;

So you need to change the labeling for kmod, and then you can run "runcon":

# chcon -t openvswitch_exec_t /bin/kmod
# runcon -u system_u -r system_r -t initrc_t -- runcon -t openvswitch_t -- kmod

which will run kmod in the openvswitch_t domain. After testing MAKE SURE you run

# restorecon -v /bin/kmod
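The point made in Comment 1 and Comment 2, that a runcon domain transition needs more than the single rule the AVC denial names, as an added example (not code from the report, setroubleshoot or the policy project): a small parser for the raw AVC record quoted above that derives the one rule audit2allow would emit, then the full rule set a domain transition needs. The executable's file type (insmod_exec_t for kmod in this report) is passed in explicitly, since the AVC records only the path.

```python
import re

# Constructed sample input: the AVC record quoted in the report above.
SAMPLE_AVC = (
    "type=AVC msg=audit(1372875286.860:218): avc:  denied  { transition } for  "
    'pid=5267 comm="runcon" path="/usr/bin/kmod" dev="dm-1" ino=1850541 '
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:openvswitch_t:s0 tclass=process"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record,
    or None for records of other types (SYSCALL, CWD, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def allow_rule(rec):
    """The single rule audit2allow would derive from this one denial."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (
        type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm_str)


def domain_transition_rules(rec, exec_type):
    """Every rule a transition from the source domain into the target domain
    through a file of type exec_type needs. exec_type is an assumption supplied
    by the caller: the AVC records the path, not the file's label."""
    if rec["tclass"] != "process" or "transition" not in rec["perms"]:
        raise ValueError("not a process:transition denial")
    src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
    return [
        "allow %s %s:process transition;" % (src, tgt),     # the denial itself
        "allow %s %s:file entrypoint;" % (tgt, exec_type),  # the denial hit next in Comments 1 and 2
        "allow %s %s:file execute;" % (src, exec_type),     # source domain must execute the file
    ]
```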
