Re: /bin/bash: Bad interpreter: Permission denied.


 



bash-3.2$ /awips/fxa/bin/test.sh

bash: /awips/fxa/bin/test.sh: /bin/bash: bad interpreter: Permission denied

bash-3.2$

bash-3.2$ /tmp/strace /awips/fxa/bin/test.sh

execve("/awips/fxa/bin/test.sh", ["/awips/fxa/bin/test.sh"], [/* 38 vars */]) = -1 EACCES (Permission denied)

dup(2) = 3

fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)

fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0

mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f64000

_llseek(3, 0, 0xbfe66ce4, SEEK_CUR) = -1 ESPIPE (Illegal seek)

write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied

) = 32

close(3) = 0

munmap(0xb7f64000, 4096) = 0

exit_group(1) = ?

bash-3.2$

 

 

 
 
type=AVC msg=audit(1387301151.195:82549): avc: denied { execute_no_trans } for pid=24492 comm="bash" path="/awips/fxa/bin/test.sh" dev=sda2 ino=800003 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:lx_apps_script_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1387301151.195:82549): arch=40000003 syscall=11 success=no exit=-13 a0=8d0d228 a1=8d0d2d0 a2=8cfd1f0 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key="KEY_failed_execute_program"

type=CWD msg=audit(1387301151.195:82549): cwd="/home/awips_jay"

type=PATH msg=audit(1387301151.195:82549): item=0 name="/awips/fxa/bin/test.sh" inode=800003 dev=08:02 mode=0100755 ouid=206 ogid=210 rdev=00:00 obj=system_u:object_r:lx_apps_script_exec_t:s0

type=SYSCALL msg=audit(1387301151.199:82550): arch=40000003 syscall=5 success=no exit=-2 a0=8d01928 a1=0 a2=1 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)

type=CWD msg=audit(1387301151.199:82550): cwd="/home/awips_jay"

type=PATH msg=audit(1387301151.199:82550): item=0 name="/usr/share/locale/en_US/LC_MESSAGES/bash.mo"

type=SYSCALL msg=audit(1387301151.199:82551): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d310 a1=0 a2=1 a3=8d0d2f0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)

type=CWD msg=audit(1387301151.199:82551): cwd="/home/awips_jay"

type=PATH msg=audit(1387301151.199:82551): item=0 name="/usr/share/locale/en/LC_MESSAGES/bash.mo"

type=SYSCALL msg=audit(1387301151.199:82552): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d360 a1=0 a2=1 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)

type=CWD msg=audit(1387301151.199:82552): cwd="/home/awips_jay"

type=PATH msg=audit(1387301151.199:82552): item=0 name="/usr/share/locale/en_US/LC_MESSAGES/libc.mo"

type=SYSCALL msg=audit(1387301151.199:82553): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d3b0 a1=0 a2=1 a3=8d0d390 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)

type=CWD msg=audit(1387301151.199:82553): cwd="/home/awips_jay"

type=PATH msg=audit(1387301151.199:82553): item=0 name="/usr/share/locale/en/LC_MESSAGES/libc.mo"



On Tue, Dec 17, 2013 at 8:35 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On 12/17/2013 11:23 AM, Jay Corrales wrote:
> Folks,
>
> We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and
> enforcing mode, and finding that something in our configuration prevents a
> simple shell script from domain transitioning from user_t to awips_t
> context. If we run a test virtual machine with a new install of rhel5, it
> does run OK, but something in our current configuration prevents this
> result. Wondering if it makes sense to run a tool like apol to find any
> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
> requiring execute_no_trans for user_t (not listed here). I can send it as a
> follow up along with strace outputs if desired.

Yes, send the avc message.

>
> Thanks
>
> [jay@localhost ~]$ /awips/fxa/bin/test.sh
> /bin/bash: Bad interpreter: Permission denied.
>
> [root@localhost ~]# ps faxZ
>
>
>
> LABEL                             PID TTY      STAT   TIME COMMAND
>
> system_u:system_r:sshd_t:SystemLow-SystemHigh 3953 ? Ss   0:00  \_ sshd:
> jay [priv]
>
> system_u:system_r:sshd_t:SystemLow-SystemHigh 3958 ? S   0:00  |   \_ sshd:
> jay@pts/1
>
> user_u:user_r:user_t             3959 pts/1    Ss     0:00  |       \_ -bash
>
> ...
>
>
> [jay@localhost ~]$ cat /awips/fxa/bin/test.sh
> #!/bin/bash
> while /bin/true; do
>  id -Z sleep 10
> done
> [root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p
> execute
>
>
>
> Found 1 av rules:
>
>    allow user_t awips_exec_t : file { ioctl read getattr lock execute };
>
>
>
>
>
> Found 9 role allow rules:
>
>    allow staff_r sysadm_r ;
>
>    allow sysadm_r staff_r ;
>
>    allow sysadm_r user_r ;
>
>    allow system_r user_r ;
>
>    allow system_r staff_r ;
>
>    allow system_r sysadm_r ;
>
>    allow system_r gadmin_r ;
>
>    allow system_r guest_r ;
>
>    allow sysadm_r system_r ;
>
>
>
> [root@localhost ~]# sesearch -a -s awips_t -t awips_exec_t -c file -p
> entrypoint Found 1 av rules:
>    allow awips_t awips_exec_t : file { ioctl read getattr lock execute
> entrypoint };
> ...
>
> [root@localhost ~]# sesearch -a -s user_t -t awips_t -c process -p
> transition Found 1 av rules:
>    allow user_t awips_t : process { transition sigkill signal };
> ...
>
>
>
> File: awips.te
>
>       1 policy_module(awips,1.0.0)
>
>       2
>
>       3 require {
>
>       4   type user_t;
>
>       5   type initrc_devpts_t;
>
>       6   type devpts_t;
>
>       7   type user_devpts_t;
>
>       8 }
>
>       9
>
>      10 type awips_t;
>
>      11 type awips_exec_t;
>
>      12
>
>      13 domain_type(awips_t)
>
>      14 domain_entry_file(awips_t,awips_exec_t)
>
>      15
>
>      16 role user_r types awips_t;
>
>      17
>
>      18 domain_auto_trans(user_t,awips_exec_t,awips_t)
>
>      19
>
>      20 allow awips_t user_t:fd use;
>
>      21 allow awips_t user_t:fifo_file rw_file_perms;
>
>      22 allow awips_t user_t:process sigchld;
>
>      23
>
>      24 # AWIPS scripts run shell scripts
>
>      25 corecmd_exec_bin(awips_t)
>
>      26 corecmd_exec_shell(awips_t)
>
>      27
>
>      28 # must have execute rights on shell script
>
>      29 allow user_t awips_exec_t:file rx_file_perms;
>
>      30
>
>      31 # output to terminal
>
>      32 allow awips_t initrc_devpts_t:chr_file { read write };
>
>      33 allow awips_t devpts_t:dir { getattr search };
>
>      34 allow awips_t user_devpts_t:chr_file { read write getattr };
>
>      35
>
>      36 # load shared libs
>
>      37 libs_use_ld_so(awips_t);
>
>      38 libs_use_shared_libs(awips_t);
>
>      39
>
>      40 # respond to ctrl-c
>
>      41 allow user_t awips_t:process { signal sigkill };
>
>      42 allow awips_t self:process signal;
>
>
>
>
>
> File: awips.fc
>
>       1 # default to read-only access
>
>       2 /awips(/.*)?    gen_context(system_u:object_r:bin_t,s0)
>
>       3
>
>       4 # script files and app that calls a script
>
>       5 /awips/fxa/bin -d gen_context(system_u:object_r:bin_t,s0)
>
>       6 /awips/fxa/bin/test.sh --
> gen_context(system_u:object_r:awips_exec_t,s0)
>



