/bin/bash: Bad interpreter: Permission denied.

Folks,
 
We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and enforcing mode, and finding that something in our configuration prevents a simple shell script from domain transitioning from user_t to awips_t context. If we run a test virtual machine with a new install of rhel5, it does run OK, but something in our current configuration prevents this result. Wondering if it makes sense to run a tool like apol to find any clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC requiring execute_no_trans for user_t (not listed here). I can send it as a follow-up along with strace outputs if desired.
 
Thanks
 
[jay@localhost ~]$ /awips/fxa/bin/test.sh
/bin/bash: Bad interpreter: Permission denied.

[root@localhost ~]# ps faxZ
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:sshd_t:SystemLow-SystemHigh 3953 ? Ss   0:00  \_ sshd: jay [priv]
system_u:system_r:sshd_t:SystemLow-SystemHigh 3958 ? S   0:00  |   \_ sshd: jay@pts/1 
user_u:user_r:user_t             3959 pts/1    Ss     0:00  |       \_ -bash
...

 

[jay@localhost ~]$ cat /awips/fxa/bin/test.sh
#!/bin/bash
while /bin/true; do
 id -Z
 sleep 10
done

[root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p execute

Found 1 av rules:
   allow user_t awips_exec_t : file { ioctl read getattr lock execute };

Found 9 role allow rules:
   allow staff_r sysadm_r ;
   allow sysadm_r staff_r ;
   allow sysadm_r user_r ;
   allow system_r user_r ;
   allow system_r staff_r ;
   allow system_r sysadm_r ;
   allow system_r gadmin_r ;
   allow system_r guest_r ;
   allow sysadm_r system_r ;

[root@localhost ~]# sesearch -a -s awips_t -t awips_exec_t -c file -p entrypoint

Found 1 av rules:
   allow awips_t awips_exec_t : file { ioctl read getattr lock execute entrypoint };
...

[root@localhost ~]# sesearch -a -s user_t -t awips_t -c process -p transition

Found 1 av rules:
   allow user_t awips_t : process { transition sigkill signal };
...

 

File: awips.te

policy_module(awips,1.0.0)

require {
  type user_t;
  type initrc_devpts_t;
  type devpts_t;
  type user_devpts_t;
}

type awips_t;
type awips_exec_t;

domain_type(awips_t)
domain_entry_file(awips_t,awips_exec_t)

role user_r types awips_t;

domain_auto_trans(user_t,awips_exec_t,awips_t)

allow awips_t user_t:fd use;
allow awips_t user_t:fifo_file rw_file_perms;
allow awips_t user_t:process sigchld;

# AWIPS scripts run shell scripts
corecmd_exec_bin(awips_t)
corecmd_exec_shell(awips_t)

# must have execute rights on shell script
allow user_t awips_exec_t:file rx_file_perms;

# output to terminal
allow awips_t initrc_devpts_t:chr_file { read write };
allow awips_t devpts_t:dir { getattr search };
allow awips_t user_devpts_t:chr_file { read write getattr };

# load shared libs
libs_use_ld_so(awips_t);
libs_use_shared_libs(awips_t);

# respond to ctrl-c
allow user_t awips_t:process { signal sigkill };
allow awips_t self:process signal;

File: awips.fc

# default to read-only access
/awips(/.*)?    gen_context(system_u:object_r:bin_t,s0)

# script files and app that calls a script
/awips/fxa/bin -d gen_context(system_u:object_r:bin_t,s0)
/awips/fxa/bin/test.sh -- gen_context(system_u:object_r:awips_exec_t,s0)
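As an added example (not part of the original post or the awips policy), here is a small Python script that mechanises the check the three sesearch queries above perform by hand. An execve-time domain transition needs three allow rules: the source domain may execute the entry file type, the target domain has entrypoint on that file type, and the source domain may transition to the target domain; for it to happen automatically, a type_transition rule must also select the target domain. An AVC denial for execute_no_trans on the entry file means the execve stayed in the calling domain. The sesearch lines are copied from the post; the audit.log line is constructed to resemble the AVC the post mentions but does not quote, so its pid, inode, device and timestamp are made-up values.

```python
import re

# Constructed sample audit.log line: shaped like the AVC the post mentions but does
# not quote. pid, inode, device and timestamp are made-up values.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200000000.000:100): avc:  denied  { execute_no_trans } for  pid=4001 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda3 ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:awips_exec_t tclass=file
"""

# The three sesearch results quoted in the post, copied verbatim.
SESEARCH_OUTPUT = """\
   allow user_t awips_exec_t : file { ioctl read getattr lock execute };
   allow awips_t awips_exec_t : file { ioctl read getattr lock execute entrypoint };
   allow user_t awips_t : process { transition sigkill signal };
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
ALLOW_RE = re.compile(
    r'allow (?P<src>\S+) (?P<tgt>\S+) : (?P<cls>\S+) \{ (?P<perms>[^}]+) \};')


def parse_avc(log_text):
    """Extract the denied permissions and the type fields of each AVC record."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            'perms': set(m.group('perms').split()),
            # a context is user:role:type[:level]; the type is the third field
            'source': m.group('scontext').split(':')[2],
            'target': m.group('tcontext').split(':')[2],
            'tclass': m.group('tclass'),
        })
    return denials


def parse_allow_rules(text):
    """Turn sesearch 'allow' lines into (source, target, class, perms) tuples."""
    return [(m.group('src'), m.group('tgt'), m.group('cls'),
             set(m.group('perms').split()))
            for m in ALLOW_RE.finditer(text)]


def has_perm(rules, src, tgt, cls, perm):
    return any(s == src and t == tgt and c == cls and perm in p
               for s, t, c, p in rules)


def check_transition(rules, src, exec_type, dst):
    """The three AV permissions an execve-time domain transition requires."""
    return {
        'execute':    has_perm(rules, src, exec_type, 'file', 'execute'),
        'entrypoint': has_perm(rules, dst, exec_type, 'file', 'entrypoint'),
        'transition': has_perm(rules, src, dst, 'process', 'transition'),
    }


def diagnose(denial, rules, expected_domain):
    """Relate an execute_no_trans denial to the transition checks above."""
    if denial['tclass'] != 'file' or 'execute_no_trans' not in denial['perms']:
        return 'not an execute_no_trans denial'
    src, exec_type = denial['source'], denial['target']
    checks = check_transition(rules, src, exec_type, expected_domain)
    missing = [name for name, ok in checks.items() if not ok]
    if missing:
        return ('%s -> %s via %s cannot transition: missing %s'
                % (src, expected_domain, exec_type, ', '.join(missing)))
    # execve stayed in the calling domain although the AV rules permit the
    # transition; what remains to decide an automatic transition is the
    # type_transition rule and the label actually on the file.
    return ('%s -> %s via %s: AV rules present, but execve stayed in %s; '
            'check the type_transition rule (sesearch -T) and the on-disk '
            'label (ls -Z)' % (src, expected_domain, exec_type, src))


if __name__ == '__main__':
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    for denial in parse_avc(SAMPLE_AUDIT_LOG):
        print(diagnose(denial, rules, 'awips_t'))
```

Run against real data by reading /var/log/audit/audit.log in place of SAMPLE_AUDIT_LOG and feeding it the output of the same three sesearch queries; the script only reports which of the three allow rules is absent, or, when all three exist, that the remaining places to look are the type_transition rule and the file's actual label.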

