* /bin/bash: Bad interpreter: Permission denied.
@ 2013-12-17 16:23 Jay Corrales
2013-12-17 16:35 ` Stephen Smalley
2013-12-18 20:14 ` Stephen Smalley
0 siblings, 2 replies; 13+ messages in thread
From: Jay Corrales @ 2013-12-17 16:23 UTC (permalink / raw)
To: SELinux
Folks,
We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and
enforcing mode, and finding that something in our configuration prevents a
simple shell script from domain transitioning from user_t to awips_t
context. If we run a test virtual machine with a new install of rhel5, it
does run OK, but something in our current configuration prevents this
result. Wondering if it makes sense to run a tool like apol to find any
clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
requiring execute_no_trans for user_t (not listed here). I can send it as a
follow-up along with strace outputs if desired.
Thanks
[jay@localhost ~]$ /awips/fxa/bin/test.sh
/bin/bash: Bad interpreter: Permission denied.
[root@localhost ~]# ps faxZ
LABEL                                          PID TTY   STAT TIME COMMAND
system_u:system_r:sshd_t:SystemLow-SystemHigh 3953 ?     Ss   0:00  \_ sshd: jay [priv]
system_u:system_r:sshd_t:SystemLow-SystemHigh 3958 ?     S    0:00  |   \_ sshd: jay@pts/1
user_u:user_r:user_t                          3959 pts/1 Ss   0:00  |       \_ -bash
...
[jay@localhost ~]$ cat /awips/fxa/bin/test.sh
#!/bin/bash
# print the process context every 10 seconds so the domain is visible
while /bin/true; do
    id -Z
    sleep 10
done
[root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p execute
Found 1 av rules:
allow user_t awips_exec_t : file { ioctl read getattr lock execute };
Found 9 role allow rules:
allow staff_r sysadm_r ;
allow sysadm_r staff_r ;
allow sysadm_r user_r ;
allow system_r user_r ;
allow system_r staff_r ;
allow system_r sysadm_r ;
allow system_r gadmin_r ;
allow system_r guest_r ;
allow sysadm_r system_r ;
[root@localhost ~]# sesearch -a -s awips_t -t awips_exec_t -c file -p entrypoint
Found 1 av rules:
allow awips_t awips_exec_t : file { ioctl read getattr lock execute entrypoint };
...
[root@localhost ~]# sesearch -a -s user_t -t awips_t -c process -p transition
Found 1 av rules:
allow user_t awips_t : process { transition sigkill signal };
...
File: awips.te

policy_module(awips,1.0.0)

require {
	type user_t;
	type initrc_devpts_t;
	type devpts_t;
	type user_devpts_t;
}

# domain for AWIPS scripts and the entrypoint type for their files
type awips_t;
type awips_exec_t;

domain_type(awips_t)
domain_entry_file(awips_t,awips_exec_t)

# user_r must be authorized for awips_t or the role check rejects the transition
role user_r types awips_t;

# expands to the execute/entrypoint/transition allow rules plus
# type_transition user_t awips_exec_t:process awips_t;
domain_auto_trans(user_t,awips_exec_t,awips_t)

# inherit the caller's descriptors and pipes, report exit to the caller
allow awips_t user_t:fd use;
allow awips_t user_t:fifo_file rw_file_perms;
allow awips_t user_t:process sigchld;

# AWIPS scripts run shell scripts
corecmd_exec_bin(awips_t)
corecmd_exec_shell(awips_t)

# must have execute rights on shell script
allow user_t awips_exec_t:file rx_file_perms;

# output to terminal
allow awips_t initrc_devpts_t:chr_file { read write };
allow awips_t devpts_t:dir { getattr search };
allow awips_t user_devpts_t:chr_file { read write getattr };

# load shared libs
libs_use_ld_so(awips_t)
libs_use_shared_libs(awips_t)

# respond to ctrl-c
allow user_t awips_t:process { signal sigkill };
allow awips_t self:process signal;
File: awips.fc

# default to read-only access
/awips(/.*)?			gen_context(system_u:object_r:bin_t,s0)

# script files and app that calls a script
/awips/fxa/bin		-d	gen_context(system_u:object_r:bin_t,s0)
/awips/fxa/bin/test.sh	--	gen_context(system_u:object_r:awips_exec_t,s0)
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-17 16:23 /bin/bash: Bad interpreter: Permission denied Jay Corrales
@ 2013-12-17 16:35 ` Stephen Smalley
2013-12-17 18:03 ` Jay Corrales
2013-12-18 20:14 ` Stephen Smalley
1 sibling, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2013-12-17 16:35 UTC (permalink / raw)
To: Jay Corrales, SELinux

On 12/17/2013 11:23 AM, Jay Corrales wrote:
> Folks,
>
> We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and
> enforcing mode, and finding that something in our configuration prevents a
> simple shell script from domain transitioning from user_t to awips_t
> context. If we run a test virtual machine with a new install of rhel5, it
> does run OK, but something in our current configuration prevents this
> result. Wondering if it makes sense to run a tool like apol to find any
> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
> requiring execute_no_trans for user_t (not listed here). I can send it as a
> follow-up along with strace outputs if desired.

Yes, send the avc message.

> [...]

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-17 16:35 ` Stephen Smalley
@ 2013-12-17 18:03 ` Jay Corrales
2013-12-17 18:15 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Jay Corrales @ 2013-12-17 18:03 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux

bash-3.2$ /awips/fxa/bin/test.sh
bash: /awips/fxa/bin/test.sh: /bin/bash: bad interpreter: Permission denied
bash-3.2$
bash-3.2$ /tmp/strace /awips/fxa/bin/test.sh
execve("/awips/fxa/bin/test.sh", ["/awips/fxa/bin/test.sh"], [/* 38 vars */]) = -1 EACCES (Permission denied)
dup(2)                                  = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f64000
_llseek(3, 0, 0xbfe66ce4, SEEK_CUR)     = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied
) = 32
close(3)                                = 0
munmap(0xb7f64000, 4096)                = 0
exit_group(1)                           = ?
bash-3.2$

type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans } for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lx_apps_script_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1387301151.195:82549): arch=40000003 syscall=11 success=no exit=-13 a0=8d0d228 a1=8d0d2d0 a2=8cfd1f0 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key="KEY_failed_execute_program"
type=CWD msg=audit(1387301151.195:82549): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.195:82549): item=0 name="/awips/fxa/bin/test.sh" inode=800003 dev=08:02 mode=0100755 ouid=206 ogid=210 rdev=00:00 obj=system_u:object_r:lx_apps_script_exec_t:s0
type=SYSCALL msg=audit(1387301151.199:82550): arch=40000003 syscall=5 success=no exit=-2 a0=8d01928 a1=0 a2=1 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82550): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82550): item=0 name="/usr/share/locale/en_US/LC_MESSAGES/bash.mo"
type=SYSCALL msg=audit(1387301151.199:82551): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d310 a1=0 a2=1 a3=8d0d2f0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82551): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82551): item=0 name="/usr/share/locale/en/LC_MESSAGES/bash.mo"
type=SYSCALL msg=audit(1387301151.199:82552): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d360 a1=0 a2=1 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82552): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82552): item=0 name="/usr/share/locale/en_US/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1387301151.199:82553): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d3b0 a1=0 a2=1 a3=8d0d390 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82553): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82553): item=0 name="/usr/share/locale/en/LC_MESSAGES/libc.mo"

On Tue, Dec 17, 2013 at 8:35 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/17/2013 11:23 AM, Jay Corrales wrote:
> > [...]
> > result. Wondering if it makes sense to run a tool like apol to find any
> > clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
> > requiring execute_no_trans for user_t (not listed here). I can send it as a
> > follow-up along with strace outputs if desired.
>
> Yes, send the avc message.
>
> > [...]
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-17 18:03 ` Jay Corrales
@ 2013-12-17 18:15 ` Stephen Smalley
[not found] ` <CACVacMu4EvcdZzLVbBRFUvgg_RA0Mc7awZ0x_mzoxadmO6TSkw@mail.gmail.com>
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2013-12-17 18:15 UTC (permalink / raw)
To: Jay Corrales; +Cc: SELinux

On 12/17/2013 01:03 PM, Jay Corrales wrote:
> type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans }
> for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003
> scontext=user_u:user_r:user_t:s0
> tcontext=system_u:object_r:lx_apps_script_exec_t:s0 tclass=file

I don't understand how to correlate this to the policy you listed.
The tcontext above has the script labeled with lx_apps_script_exec_t,
while your policy had it as awips_exec_t.

Also, as a side note, domain transition on a shell script is
fundamentally unsafe unless the caller is strictly more trusted than the
callee. Only suitable when the caller is trusted. Use a binary
executable for any situation where the caller is untrusted.
[parent not found: <CACVacMu4EvcdZzLVbBRFUvgg_RA0Mc7awZ0x_mzoxadmO6TSkw@mail.gmail.com>]
* Re: /bin/bash: Bad interpreter: Permission denied.
[not found] ` <CACVacMu4EvcdZzLVbBRFUvgg_RA0Mc7awZ0x_mzoxadmO6TSkw@mail.gmail.com>
@ 2013-12-18 15:32 ` Jay Corrales
2013-12-18 17:55 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Jay Corrales @ 2013-12-18 15:32 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux

Folks,

We think we've run into a bug with rhel5. Could be that the policy
database contains corruption, or contains some data structures that lead
to buggy results (e.g. AVC execute_no_trans). Is there a way to see
additional debug info in the LSM during run time? I've tried adding
"debug" to the boot time kernel parameters, but it does not add any new
logging or reporting info for selinux.

Thanks

On Tue, Dec 17, 2013 at 2:51 PM, Jay Corrales <jscorrales1122@gmail.com> wrote:
> lx_apps_script_exec_t is how it is in the lab. awips_exec_t is the reduced
> example posted.
>
> On Tue, Dec 17, 2013 at 10:15 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 12/17/2013 01:03 PM, Jay Corrales wrote:
>> > type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans }
>> > for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003
>> > scontext=user_u:user_r:user_t:s0
>> > tcontext=system_u:object_r:lx_apps_script_exec_t:s0 tclass=file
>>
>> I don't understand how to correlate this to the policy you listed.
>> The tcontext above has the script labeled with lx_apps_script_exec_t,
>> while your policy had it as awips_exec_t.
>>
>> Also, as a side note, domain transition on a shell script is
>> fundamentally unsafe unless the caller is strictly more trusted than the
>> callee. Only suitable when the caller is trusted. Use a binary
>> executable for any situation where the caller is untrusted.
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 15:32 ` Jay Corrales
@ 2013-12-18 17:55 ` Stephen Smalley
2013-12-18 21:53 ` Jay Corrales
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2013-12-18 17:55 UTC (permalink / raw)
To: Jay Corrales; +Cc: SELinux

On 12/18/2013 10:32 AM, Jay Corrales wrote:
> Folks,
>
> We think we've run into a bug with rhel5. Could be that the policy
> database contains corruption, or contains some data structures that lead
> to buggy results (e.g. AVC execute_no_trans). Is there a way to see
> additional debug info in the LSM during run time? I've tried adding
> "debug" to the boot time kernel parameters, but it does not add any new
> logging or reporting info for selinux.

More likely just a bug in your policy. I can't really tell though as
you haven't shown an AVC that corresponds to the policy that you listed.

You can easily check whether you did or did not allow something by
using sesearch from setools.
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 17:55 ` Stephen Smalley
@ 2013-12-18 21:53 ` Jay Corrales
2013-12-18 22:02 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Jay Corrales @ 2013-12-18 21:53 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux

On 12/18/13, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/18/2013 10:32 AM, Jay Corrales wrote:
>> [...]
>
> More likely just a bug in your policy. I can't really tell though as
> you haven't shown an AVC that corresponds to the policy that you listed.

We restored an image of our previous build and ran the policy. There
was no perm denied error. It ran perfectly. The difference in builds
represents an installer media and updated policies, leading me to
believe there is something fundamentally wrong with the installer
media producing a corrupted policy database.

Is there a way to know why it is reporting an AVC for
execute_no_trans? The audit.log does not show enough info for this. We
were hoping for some way to look at the LSM, other than running an
embedded kernel and attaching gdb.

Thanks
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 21:53 ` Jay Corrales
@ 2013-12-18 22:02 ` Stephen Smalley
2013-12-19 4:39 ` Jay Corrales
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2013-12-18 22:02 UTC (permalink / raw)
To: Jay Corrales; +Cc: SELinux

On 12/18/2013 04:53 PM, Jay Corrales wrote:
> On 12/18/13, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> [...]
>> More likely just a bug in your policy. I can't really tell though as
>> you haven't shown an AVC that corresponds to the policy that you listed.
>
> We restored an image of our previous build and ran the policy. There
> was no perm denied error. It ran perfectly. The difference in builds
> represents an installer media and updated policies, leading me to
> believe there is something fundamentally wrong with the installer
> media producing a corrupted policy database.
>
> Is there a way to know why it is reporting an AVC for
> execute_no_trans? The audit.log does not show enough info for this. We
> were hoping for some way to look at the LSM, other than running an
> embedded kernel and attaching gdb.

nosuid mount would suppress the transition.

Or maybe you don't have the type_transition rule in your policy at all?
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 22:02 ` Stephen Smalley
@ 2013-12-19 4:39 ` Jay Corrales
0 siblings, 0 replies; 13+ messages in thread
From: Jay Corrales @ 2013-12-19 4:39 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux

Ah OK, nosuid was the answer. I did read this somewhere, but it fell out
of mind. Thank you

On 12/18/13, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/18/2013 04:53 PM, Jay Corrales wrote:
>> [...]
>> Is there a way to know why it is reporting an AVC for
>> execute_no_trans? The audit.log does not show enough info for this. We
>> were hoping for some way to look at the LSM, other than running an
>> embedded kernel and attaching gdb.
>
> nosuid mount would suppress the transition.
>
> Or maybe you don't have the type_transition rule in your policy at all?
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-17 16:23 /bin/bash: Bad interpreter: Permission denied Jay Corrales
2013-12-17 16:35 ` Stephen Smalley
@ 2013-12-18 20:14 ` Stephen Smalley
2013-12-18 21:46 ` Jay Corrales
1 sibling, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2013-12-18 20:14 UTC (permalink / raw)
To: Jay Corrales, SELinux

On 12/17/2013 11:23 AM, Jay Corrales wrote:
> Folks,
>
> [...]
> result. Wondering if it makes sense to run a tool like apol to find any
> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
> requiring execute_no_trans for user_t (not listed here).

Here you say you have an execute_no_trans denial.

> [root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p
> execute

Here you search for execute permission.

They are different.

Also, what does ls -Z show for the script?
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 20:14 ` Stephen Smalley
@ 2013-12-18 21:46 ` Jay Corrales
2013-12-18 21:52 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Jay Corrales @ 2013-12-18 21:46 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux

ls -Z shows system_u:object_r:awips_exec_t. If an execute_no_trans allow
is added, it does not run in the awips_exec_t domain, but in user_t.

On 12/18/13, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/17/2013 11:23 AM, Jay Corrales wrote:
>> [...]
>> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
>> requiring execute_no_trans for user_t (not listed here).
>
> Here you say you have an execute_no_trans denial.
>
>> [root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p
>> execute
>
> Here you search for execute permission.
>
> They are different.
>
> Also, what does ls -Z show for the script?
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 21:46 ` Jay Corrales
@ 2013-12-18 21:52 ` Stephen Smalley
2013-12-18 21:55 ` Jay Corrales
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2013-12-18 21:52 UTC (permalink / raw)
To: Jay Corrales; +Cc: SELinux

On 12/18/2013 04:46 PM, Jay Corrales wrote:
> ls -Z shows system_u:object_r:awips_exec_t. If an execute_no_trans allow
> is added, it does not run in the awips_exec_t domain, but in user_t.

Um, what is the file mode, i.e. is it executable?
* Re: /bin/bash: Bad interpreter: Permission denied.
2013-12-18 21:52 ` Stephen Smalley
@ 2013-12-18 21:55 ` Jay Corrales
0 siblings, 0 replies; 13+ messages in thread
From: Jay Corrales @ 2013-12-18 21:55 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux

On 12/18/13, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/18/2013 04:46 PM, Jay Corrales wrote:
>> ls -Z shows system_u:object_r:awips_exec_t. If an execute_no_trans allow
>> is added, it does not run in the awips_exec_t domain, but in user_t.
>
> Um, what is the file mode, i.e. is it executable?

0755, yes the executable bit is set.
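The two checks that settle this thread, Smalley's point that execute and execute_no_trans are different permissions and his later point that a nosuid mount suppresses the transition, can be scripted. What follows is an added example, not code from the thread or from the AWIPS policy. It parses an AVC record in the audit.log format Jay posted, pulls out the source and target types, and classifies the denial: plain execute means the caller's domain lacks file execute on the file type; execute_no_trans means the kernel had already decided the domain would not change, which happens when no type_transition rule matched or when the file lives on a nosuid mount. The mount table and the AVC line embedded below are constructed samples in /proc/mounts and audit.log format; that /awips is a separate filesystem mounted nosuid is an assumption, as is labeling the script awips_exec_t (the reduced policy) rather than the lab's lx_apps_script_exec_t.

```shell
#!/bin/sh
# Added example (not from the thread or the AWIPS policy): classify an
# execute / execute_no_trans AVC and test the nosuid condition Smalley
# pointed at. POSIX sh plus awk/sed/cut; no SELinux tooling required.

# Constructed /proc/mounts-style table. Assumption: /awips is its own
# filesystem and is mounted nosuid, the situation the thread converged on.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda5 /awips ext3 rw,nosuid,nodev 0 0
/dev/sda6 /home ext3 rw,nodev 0 0'

# Constructed AVC record in the audit.log format posted in the thread,
# with the script labeled awips_exec_t as in the reduced policy.
SAMPLE_AVC='type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans } for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:awips_exec_t:s0 tclass=file'

# mount_opts_for_path PATH MOUNTS
# Print "<mountpoint> <options>" for the longest mount point containing
# PATH, so /awips wins over / for /awips/fxa/bin/test.sh.
mount_opts_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > length(best)) { best = mp; opts = $4 }
        }
        END { print best, opts }'
}

# path_is_nosuid PATH [MOUNTS] -> exit 0 if PATH lives on a nosuid mount.
# MOUNTS defaults to the live /proc/mounts.
path_is_nosuid() {
    target=$1
    table=${2:-$(cat /proc/mounts)}
    set -- $(mount_opts_for_path "$target" "$table")
    case ",$2," in *,nosuid,*) return 0 ;; esac
    return 1
}

# avc_field LINE KEY -> value of KEY=... with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        {
            for (i = 1; i <= NF; i++)
                if (index($i, k "=") == 1) {
                    v = substr($i, length(k) + 2)
                    gsub(/"/, "", v)
                    print v
                    exit
                }
        }'
}

# avc_perms LINE -> the permission list inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -e 's/.*{ *\([^}]*\)}.*/\1/' -e 's/ *$//'
}

# ctx_type CONTEXT -> the type field of user:role:type[:range].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# diagnose_exec_avc AVC_LINE [MOUNTS]
# Prints one line, "<verdict>: <explanation and the sesearch query that
# matches the permission actually denied>".
diagnose_exec_avc() {
    line=$1
    table=${2:-$(cat /proc/mounts)}
    perm=$(avc_perms "$line")
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    file=$(avc_field "$line" path)
    case $perm in
        execute_no_trans)
            # The kernel asks for execute_no_trans only after deciding the
            # domain stays the same: no type_transition matched, or the
            # file is on a nosuid mount.
            if path_is_nosuid "$file" "$table"; then
                echo "nosuid: $file is on a nosuid mount, so the transition out of $src on $tgt is suppressed; remount without nosuid or move the entrypoint"
            else
                echo "no-transition: no transition fired for $src on $tgt; verify the rule with: sesearch -T -s $src -t $tgt -c process"
            fi ;;
        execute)
            echo "execute: $src lacks file execute on $tgt; verify with: sesearch -A -s $src -t $tgt -c file -p execute" ;;
        *)
            echo "other: denied { $perm } for $src on $tgt is not an exec-path denial" ;;
    esac
}

# Stand-alone demo on the constructed samples.
diagnose_exec_avc "$SAMPLE_AVC" "$SAMPLE_MOUNTS"
```

On a live box, feed it the real record (for example the last AVC line grepped out of /var/log/audit/audit.log) and let MOUNTS default to /proc/mounts. For the awips module, domain_auto_trans(user_t,awips_exec_t,awips_t) is what generates the rule the no-transition branch asks sesearch for, `type_transition user_t awips_exec_t:process awips_t;`; if sesearch -T shows it and the mount is still nosuid, only the mount is left to fix. Caveat on kernel age: on the RHEL 5 kernels in this thread a nosuid mount suppresses the transition outright, while kernels from 4.14 on with the nnp_nosuid_transition policy capability can allow it through process2 nosuid_transition or typebounds, so the same AVC can have a policy-side fix there. Smalley's warning about script entrypoints stands regardless of the mount: the caller hands argv and the environment to the interpreter that runs in the new domain, so treat such transitions as trusted-caller-only.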