Bug 236774 - avc denial of useradd writing to /var/log/faillog
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Duplicates: 238474
Reported: 2007-04-17 16:26 UTC by Zack Cerza
Modified: 2007-11-30 22:12 UTC

Doc Type: Bug Fix
Last Closed: 2007-05-02 21:18:53 UTC


Attachments
anaconda.log (deleted), 2007-04-30 19:12 UTC, Zack Cerza
/root/install.log from Fedora 7 Test 4 installation (deleted), 2007-04-30 19:32 UTC, Gilles Detillieux
/var/log/anaconda.log from Fedora 7 Test 4 installation (deleted), 2007-04-30 19:35 UTC, Gilles Detillieux

Description Zack Cerza 2007-04-17 16:26:50 UTC
Description of problem:
The following occurred when I was installing openoffice.org-writer (and 18
dependencies):

avc: denied { read, write } for comm="useradd" dev=sda3 egid=0 euid=0
exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="faillog"
pid=9251 scontext=user_u:system_r:useradd_t:s0 sgid=0
subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:var_log_t:s0 tty=pts1 uid=0 

Version-Release number of selected component (if applicable):
shadow-utils-4.0.18.1-13.fc7.i386
selinux-policy-targeted-2.5.12-2.fc7.noarch

Comment 1 Daniel Walsh 2007-04-17 17:49:41 UTC
This is a labeling problem that should be fixed on initial install of FC7. 
restorecon -R -v /var/log 
will fix it.

Comment 2 Gilles Detillieux 2007-04-27 20:41:14 UTC
I just installed Fedora 7 Test 4 (6.93), and I got a similar avc error to the
one above.  For me, it happened when I did a "yum install caching-nameserver". 
Yum installed "bind" as a dependency, and bind's preinstall script did a useradd
to create the "named" user ID.  That triggered the error when trying to access
faillog.  The restorecon command above reset the context for /var/log/faillog,
/var/log/tallylog and /var/log/yum.log.  They were all var_log_t, and were
changed to faillog_t for the first two, and rpm_log_t for yum.log.

Whatever should be fixed in FC7 isn't fixed yet in Test 4.
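
The triage applied in comments 1 and 2, sketched in Python as an added example that is not part of the original thread: it parses the AVC message format quoted in the description and decides whether the denial points at a wrong file label or at the policy itself. The `EXPECTED_TYPE` table is built from the types comment 2 reports after `restorecon`; the function names and the `INHERITED_TYPES` set are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the denial quoted in the bug description, joined onto one line.
AVC = ('avc: denied { read, write } for comm="useradd" dev=sda3 egid=0 euid=0 '
       'exe="/usr/sbin/useradd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="faillog" '
       'pid=9251 scontext=user_u:system_r:useradd_t:s0 sgid=0 '
       'subj=user_u:system_r:useradd_t:s0 suid=0 tclass=file '
       'tcontext=system_u:object_r:var_log_t:s0 tty=pts1 uid=0')

# Expected types as reported in comment 2 after restorecon; keyed by file name
# because this AVC format carries only name=, not the full path (assumption).
EXPECTED_TYPE = {"faillog": "faillog_t", "tallylog": "faillog_t", "yum.log": "rpm_log_t"}
# Types a file picks up from its parent directory when nothing labels it explicitly.
INHERITED_TYPES = {"var_log_t"}


def parse_avc(line):
    """Split an 'avc: denied { perms } for key=value ...' message into a dict."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial")
    perms = [p for p in re.split(r"[,\s]+", m.group(1)) if p]
    fields = dict(tok.split("=", 1) for tok in shlex.split(m.group(2)) if "=" in tok)
    fields["perms"] = perms
    return fields


def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def triage(line):
    """Classify a denial as a labeling problem or a possible policy gap."""
    avc = parse_avc(line)
    actual = se_type(avc["tcontext"])
    expected = EXPECTED_TYPE.get(avc.get("name", ""))
    if expected and actual != expected and actual in INHERITED_TYPES:
        verdict = "mislabeled"   # fix the label (restorecon), not the policy
    elif expected and actual == expected:
        verdict = "policy"       # label is right, so the allow rule may be missing
    else:
        verdict = "unknown"
    return {"source": se_type(avc["scontext"]), "target": actual,
            "expected": expected, "perms": avc["perms"], "verdict": verdict}
```

For the denial in the description, `triage(AVC)` reports `useradd_t` hitting a `var_log_t` file where `faillog_t` was expected, which is the relabel case rather than a reason to widen the `useradd_t` policy.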

Comment 3 Zack Cerza 2007-04-27 21:08:45 UTC
Looks like this isn't fixed. Dan, should new bugs be filed for the other two
files mentioned in comment #2?

Comment 4 Daniel Walsh 2007-04-28 13:13:42 UTC
Anaconda was supposed to fix up the /var/log directory when it finished the
install.  Pete, did that code get removed?

Comment 5 Jeremy Katz 2007-04-30 19:07:07 UTC
(In reply to comment #4)
> Anaconda was supposed to fix up the /var/log directory when it finished the
> install.  Pete did that code get removed?

We've never labeled all of /var/log; /var/log/faillog should get the right label
when it's installed as part of the pam package.  I'd really like to see the
/root/install.log and /var/log/anaconda.log of the system instead of just
papering over more of this stuff.

Comment 6 Zack Cerza 2007-04-30 19:12:09 UTC
Created attachment 153812
anaconda.log

Oddly enough, there is no /root/install.log.

This system was installed via Live USB of Test 3.

Comment 7 Gilles Detillieux 2007-04-30 19:32:48 UTC
Created attachment 153813
/root/install.log from Fedora 7 Test 4 installation

Comment 8 Gilles Detillieux 2007-04-30 19:35:04 UTC
Created attachment 153814
/var/log/anaconda.log from Fedora 7 Test 4 installation

I can also provide the corresponding syslogs if you need them too.

Comment 9 Jeremy Katz 2007-04-30 21:41:59 UTC
Zack -- for the live CD case, things look right with test4 and beyond (there was
something a little hurky there with test3)

(In reply to comment #2)
> I just installed Fedora 7 Test 4 (6.93), and I got a similar avc error to the
> one above.  For me, it happened when I did a "yum install caching-nameserver". 
> Yum installed "bind" as a dependency, and bind's preinstall script did a useradd
> to create the "named" user ID.  That triggered the error when trying to access
> faillog.  The restorecon command above reset the context for /var/log/faillog,
> /var/log/tallylog 

These two are both part of the pam package and created with install in the %post
script.  Dan -- I thought that install was supposed to dtrt with setting SELinux
contexts?  If not, then the pam %post needs to be setting the context also.

> and /var/log/yum.log.  They were all var_log_t, and were
> changed to faillog_t for the first two, and rpm_log_t for yum.log.

/var/log/yum.log isn't included in a package and just gets created at runtime. 
It sounds like a potentially missing transition rule from var_log_t to rpm_log_t
for things running in rpm_exec_t?

Comment 10 Jeremy Katz 2007-05-01 12:14:47 UTC
*** Bug 238474 has been marked as a duplicate of this bug. ***

Comment 11 Daniel Walsh 2007-05-01 12:18:17 UTC
No, the problem is that the selinux-policy-targeted is not installed before pam.
So when pam does the install command, the file_context file does not exist, so
the faillog and tallylog files get created with the default context var_log_t.
So our options are to make pam rely on a particular version of selinux-policy or
have anaconda fix the labeling in its post.

Comment 12 Gilles Detillieux 2007-05-01 15:06:46 UTC
I'm guessing that making pam rely on a particular version of selinux-policy
could potentially lead to other problems.  I'm also wondering why this isn't a
problem with other packages.  In my install.log, selinux-policy-targeted is on
line 551 of 750 lines, so almost 3/4 of the packages are installed before the
policy is in place.  Is there no way of telling anaconda to install the selinux
packages, if they're selected, before other packages, without making the other
packages dependent on selinux if you choose to do without it?  Fixing things up
at the end would work too, but should this be limited to /var/log, or are there
potentially a whole lot of other files that will need fixing too?  Should I run
"restorecon -R -v /" and attach the output?

Comment 13 Jeremy Katz 2007-05-02 21:18:53 UTC
After talking with dwalsh yesterday, adding /var/log for now, but that's only a
temporary fix and for F8, we really need to get back to putting policy with the
packages instead of the monolithic blob we have today.

