2

SELinux: nothing to do ???

asked 2017-08-23 22:56:32 -0600 by toddandmargo, updated 2017-08-24 11:31:08 -0600

Hi All,

When I try to activate a license on Basis (a database), SE Linux goes nuts. Here is one of the messages:

 SELinux is preventing basis from execute access on the file /var/lib/sss/mc/passwd.
    *****  Plugin catchall (100. confidence) suggests   **************************
    If you believe that basis should be allowed execute access on the passwd file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'basis' --raw | audit2allow -M my-basis
    # semodule -X 300 -i my-basis.pp

When I run the recommended actions, I am told "Nothing to do" by all 14 or so of them. Here is one of them:

# ausearch -c 'basis' --raw | audit2allow -M my-basis
Nothing to do

<editorial comment="">AAAHHH!!!!!!</editorial>

I am stumped.

Additional information:

# ls -Zl /var/lib/sss/mc/passwd
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 8406312 Aug 23 23:58 /var/lib/sss/mc/passwd
# audit2allow -b


#============= init_t ==============
allow init_t default_t:file execute_no_trans;

#============= named_t ==============
allow named_t var_t:chr_file open;

# execstack -q /rla/pub/basis/bbj/blm/basis
X /rla/pub/basis/bbj/blm/basis

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Okay one more to go.

SELinux is preventing basis from execute access on the file /var/lib/sss/mc/passwd.

 *****  Plugin catchall (100. confidence) suggests   **************************

If you believe that basis should be allowed execute access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'basis' --raw | audit2allow -M my-basis
# semodule -X 300 -i my-basis.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:sssd_public_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        basis
Source Path                   basis
Port                          <Unknown>
Host                          FedoraServer.alpine.local
Source RPM Packages           
Target RPM Packages           sssd-common-1.15.3-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.4.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     FedoraServer.alpine.local
Platform                      Linux FedoraServer.alpine.local
                              4.12.5-300.fc26.x86_64 #1 SMP Mon Aug 7 15:27:25
                              UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-08-24 09:27:57 PDT
Last Seen                     2017-08-24 09:27:57 PDT
Local ID                      565830fd-1db6-4a66-98e3-fc65ee081063

Raw Audit Messages
type=AVC msg=audit(1503592077.536:704): avc:  denied  { execute } for  pid=12680 comm="basis" path="/var/lib/sss/mc/passwd" dev="md126p2" ino=1075324189 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0


Hash: basis,init_t,sssd_public_t,file,execute

# ls -alZ  /var/lib/sss/mc/passwd
-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 8406312 Aug 24 09:27 /var/lib/sss/mc/passwd

# ausearch -c 'basis' --raw | audit2allow -M my-basis
Nothing to do.

# audit2allow -b
<no matches>

# execstack -q /rla/pub/basis/bbj/blm/basis
X /rla/pub/basis/bbj/blm/basis
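The "Raw Audit Messages" line above is the record that ausearch and audit2allow consume. The shell snippet below is an added example (not code from the thread or from Basis) that summarises such records and flags execute denials on ordinary data files, which is the pattern a binary with an executable stack produces: when the stack is flagged executable (execstack -q prints "X" for it), the 4.x x86_64 kernel of that era enabled read-implies-exec for the process, every file it mapped was mapped executable, and SELinux then demanded file execute permission even on the sssd memory cache. The function names avc_summary and exec_on_data are my own, and the sample records are constructed; only the first mirrors the one in the question.

```shell
#!/bin/sh
# Added example, not from the thread: summarise raw AVC records before
# handing them to audit2allow, and flag execute denials on data files,
# the signature of a binary whose stack is marked executable.

# Constructed sample records; only the first mirrors the one in the question
SAMPLE_AVC='type=AVC msg=audit(1503592077.536:704): avc:  denied  { execute } for  pid=12680 comm="basis" path="/var/lib/sss/mc/passwd" dev="md126p2" ino=1075324189 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=0
type=AVC msg=audit(1503592078.001:705): avc:  denied  { read } for  pid=12680 comm="basis" name="random" dev="devtmpfs" ino=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1503592078.001:705): arch=c000003e syscall=2 success=no exit=-13 comm="basis" exe="/rla/pub/basis/bbj/blm/basis"'

# avc_summary: one line per AVC record read from stdin, in the form
#   <source type> <target type> <class> <permissive flag> <permissions...>
# Non-AVC records (SYSCALL, PATH, ...) are dropped.
avc_summary() {
    grep '^type=AVC ' | sed -n \
        's/.*denied *{ *\([^}]*[^} ]\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\) permissive=\([01]\).*/\2 \3 \4 \5 \1/p'
}

# exec_on_data: keep only file-execute denials whose target type is not an
# executable type (names ending in exec_t or bin_t), i.e. a process asking
# to execute a plain data file such as the sssd memcache
exec_on_data() {
    avc_summary | awk '$3 == "file" && $2 !~ /(exec|bin)_t$/ {
        for (i = 5; i <= NF; i++) if ($i == "execute") { print; break }
    }'
}

# Usage: feed raw records, e.g. the output of "ausearch --raw" or the sample
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | exec_on_data
```

A non-empty result from exec_on_data is a reason to look at the binary with execstack -q before writing an allow rule: granting init_t execute on sssd_public_t makes the denial go away, but the root cause is the executable-stack flag on the program, which is what the vendor would need to fix.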

Comments

you might try sudo setenforce 0 and run the program to activate the license, then sudo setenforce 1 to restore the selinux to full security.

SteveEbey73701 (2017-08-23 23:04:46 -0600)

I have been doing that to test. But when the regular program gets going, the SELinux errors will be prodigious to say the least. The software vendor placed his executable code and databases into a shared Samba directory. (He won't change it either.)

toddandmargo (2017-08-23 23:43:47 -0600)

ls -Zl should show

-rw-r--r--. 1 root root system_u:object_r:sssd_public_t:s0 6806312 Aug 31  2013 /var/lib/sss/mc/passwd

Show us the output of audit2allow -b

Find the executable of basis and show us the output of execstack -q pahtto/basis

Edit your question and add the information there.

villykruse (2017-08-24 01:01:24 -0600)

pathto is supposed to be wherever the file basis was found. We can't know where that file may be stored so you need to look for it.

villykruse (2017-08-24 02:40:29 -0600)

Sorry. I thought "pahtto" was a special command that I did not understand. I did not realize it was a typo. I will add the information to the original post. Thank you for helping me with this!

toddandmargo (2017-08-24 04:47:35 -0600)

2 Answers

0

answered 2017-08-24 11:13:30 -0600 by toddandmargo

Thank you!!!!!! After that the suggestions from the SELinux monitor worked.

# audit2allow -b -M my-basis-workaround
# semodule -i my-basis-workaround.pp

# /sbin/restorecon -v /dev/random

# ausearch -c 'basisrunlm' --raw | audit2allow -M my-basisrunlm
# semodule -X 300 -i my-basisrunlm.pp

# ausearch -c 'basisrunlm' --raw | audit2allow -M my-basisrunlm
# semodule -X 300 -i my-basisrunlm.pp

# ausearch -c 'basisrunlm' --raw | audit2allow -M my-basisrunlm
# semodule -X 300 -i my-basisrunlm.pp

# ausearch -c 'basis' --raw | audit2allow -M my-basis
# semodule -X 300 -i my-basis.pp
0

answered 2017-08-24 05:17:42 -0600 by villykruse

The following (if it works) is a workaround.

Run (as root user or via sudo)

audit2allow -b -M my-basis-workaround
semodule -i my-basis-workaround.pp

The reason it is a workaround is that it takes away the protection against stack overflow attacks. The company behind Basis should really fix this properly in a way that does not compromise your security.

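Before installing the module this answer suggests, it is worth reading the .te source that audit2allow -b -M writes beside the .pp and listing the rules that grant execute-type permissions, since those are exactly what the workaround trades away. The snippet below is an added example, not villykruse's or the thread's code; the function names exec_rules and exec_rule_count are my own, and the module text is constructed to mirror the denial in the question (a real run of audit2allow -b -M my-basis-workaround would write my-basis-workaround.te).

```shell
#!/bin/sh
# Added example, not from the thread: list the execute-class allow rules in
# a policy module source (.te) so an admin sees what a workaround grants
# before running semodule -i on the matching .pp.

# Constructed module source mirroring the denial in the question
SAMPLE_TE='module my-basis-workaround 1.0;

require {
    type init_t;
    type sssd_public_t;
    type random_device_t;
    class file { read execute };
    class chr_file read;
}

#============= init_t ==============
allow init_t random_device_t:chr_file read;
allow init_t sssd_public_t:file { read execute };'

# exec_rules: print the allow rules (read from stdin) whose permission set
# lets the source domain execute the target or map it as executable memory
exec_rules() {
    grep -E '^allow .*[ {](execute|execute_no_trans|execmod|execstack|execmem)[ ;}]'
}

# exec_rule_count: number of such rules; 0 means the module grants nothing
# execute-related and is the less risky kind of local policy
exec_rule_count() {
    exec_rules | wc -l | tr -d ' '
}

# Usage: on a real system, "exec_rules < my-basis-workaround.te"
printf '%s\n' "$SAMPLE_TE" | exec_rules
```

If the only rule needed is the execute one on sssd_public_t, the alternative to installing it is to have the binary's executable-stack flag cleared, which is the fix the answer says the vendor should make.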


1 follower

Stats

Asked: 2017-08-23 22:56:32 -0600

Seen: 387 times

Last updated: Aug 24 '17