bash-3.2$ /awips/fxa/bin/test.sh
bash: /awips/fxa/bin/test.sh: /bin/bash: bad interpreter: Permission denied
bash-3.2$
bash-3.2$ /tmp/strace /awips/fxa/bin/test.sh
execve("/awips/fxa/bin/test.sh", ["/awips/fxa/bin/test.sh"], [/* 38 vars */]) = -1 EACCES (Permission denied)
dup(2) = 3
fcntl64(3, F_GETFL) = 0x2 (flags O_RDWR)
fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f64000
_llseek(3, 0, 0xbfe66ce4, SEEK_CUR) = -1 ESPIPE (Illegal seek)
write(3, "strace: exec: Permission denied\n", 32strace: exec: Permission denied
) = 32
close(3) = 0
munmap(0xb7f64000, 4096) = 0
exit_group(1) = ?
bash-3.2$
type=SYSCALL msg=audit(1387301151.195:82549): arch=40000003 syscall=11 success=no exit=-13 a0=8d0d228 a1=8d0d2d0 a2=8cfd1f0 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key="KEY_failed_execute_program"
type=CWD msg=audit(1387301151.195:82549): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.195:82549): item=0 name="/awips/fxa/bin/test.sh" inode=800003 dev=08:02 mode=0100755 ouid=206 ogid=210 rdev=00:00 obj=system_u:object_r:lx_apps_script_exec_t:s0
type=SYSCALL msg=audit(1387301151.199:82550): arch=40000003 syscall=5 success=no exit=-2 a0=8d01928 a1=0 a2=1 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82550): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82550): item=0 name="/usr/share/locale/en_US/LC_MESSAGES/bash.mo"
type=SYSCALL msg=audit(1387301151.199:82551): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d310 a1=0 a2=1 a3=8d0d2f0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82551): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82551): item=0 name="/usr/share/locale/en/LC_MESSAGES/bash.mo"
type=SYSCALL msg=audit(1387301151.199:82552): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d360 a1=0 a2=1 a3=0 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82552): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82552): item=0 name="/usr/share/locale/en_US/LC_MESSAGES/libc.mo"
type=SYSCALL msg=audit(1387301151.199:82553): arch=40000003 syscall=5 success=no exit=-2 a0=8d0d3b0 a1=0 a2=1 a3=8d0d390 items=1 ppid=24476 pid=24492 auid=10037 uid=10037 gid=210 euid=10037 suid=10037 fsuid=10037 egid=210 sgid=210 fsgid=210 tty=pts4 ses=778 comm="bash" exe="/bin/bash" subj=user_u:user_r:user_t:s0 key=(null)
type=CWD msg=audit(1387301151.199:82553): cwd="/home/awips_jay"
type=PATH msg=audit(1387301151.199:82553): item=0 name="/usr/share/locale/en/LC_MESSAGES/libc.mo"
On 12/17/2013 11:23 AM, Jay Corrales wrote:
Yes, send the avc message.
> Folks,
>
> We're running RedHat Enterprise Linux 5 (rhel5) with selinux strict and
> enforcing mode, and finding that something in our configuration prevents a
> simple shell script from domain transitioning from user_t to awips_t
> context. If we run a test virtual machine with a new install of rhel5, it
> does run OK, but something in our current configuration prevents this
> result. Wondering if it makes sense to run a tool like apol to find any
> clues as to why? The audit log (/var/log/audit/audit.log) shows an AVC
> requiring execute_no_trans for user_t (not listed here). I can send as a
> follow up along with strace outputs if desired.
>
> Thanks
>
> [jay@localhost ~]$ /awips/fxa/bin/test.sh
> /bin/bash: Bad interpreter: Permission denied.
>
> [root@localhost ~]# ps faxZ
>
>
>
> LABEL PID TTY STAT TIME COMMAND
>
> system_u:system_r:sshd_t:SystemLow-SystemHigh 3953 ? Ss 0:00 \_ sshd:
> jay [priv]
>
> system_u:system_r:sshd_t:SystemLow-SystemHigh 3958 ? S 0:00 | \_ sshd:
> jay@pts/1
>
> user_u:user_r:user_t 3959 pts/1 Ss 0:00 | \_ -bash
>
> ...
>
>
> [jay@localhost ~]$ cat /awips/fxa/bin/test.sh
> #!/bin/bash
> while /bin/true; do
> id -Z
> sleep 10
> done
> [root@localhost ~]# sesearch -a -s user_t -t awips_exec_t -c file -p
> execute
>
>
>
> Found 1 av rules:
>
> allow user_t awips_exec_t : file { ioctl read getattr lock execute };
>
>
>
>
>
> Found 9 role allow rules:
>
> allow staff_r sysadm_r ;
>
> allow sysadm_r staff_r ;
>
> allow sysadm_r user_r ;
>
> allow system_r user_r ;
>
> allow system_r staff_r ;
>
> allow system_r sysadm_r ;
>
> allow system_r gadmin_r ;
>
> allow system_r guest_r ;
>
> allow sysadm_r system_r ;
>
>
>
> [root@localhost ~]# sesearch -a -s awips_t -t awips_exec_t -c file -p
> entrypoint
> Found 1 av rules:
> allow awips_t awips_exec_t : file { ioctl read getattr lock execute
> entrypoint };
> ...
>
> [root@localhost ~]# sesearch -a -s user_t -t awips_t -c process -p
> transition
> Found 1 av rules:
> allow user_t awips_t : process { transition sigkill signal };
> ...
>
>
>
> File: awips.te
>
> 1 policy_module(awips,1.0.0)
>
> 2
>
> 3 require {
>
> 4 type user_t;
>
> 5 type initrc_devpts_t;
>
> 6 type devpts_t;
>
> 7 type user_devpts_t;
>
> 8 }
>
> 9
>
> 10 type awips_t;
>
> 11 type awips_exec_t;
>
> 12
>
> 13 domain_type(awips_t)
>
> 14 domain_entry_file(awips_t,awips_exec_t)
>
> 15
>
> 16 role user_r types awips_t;
>
> 17
>
> 18 domain_auto_trans(user_t,awips_exec_t,awips_t)
>
> 19
>
> 20 allow awips_t user_t:fd use;
>
> 21 allow awips_t user_t:fifo_file rw_file_perms;
>
> 22 allow awips_t user_t:process sigchld;
>
> 23
>
> 24 # AWIPS scripts run shell scripts
>
> 25 corecmd_exec_bin(awips_t)
>
> 26 corecmd_exec_shell(awips_t)
>
> 27
>
> 28 # must have execute rights on shell script
>
> 29 allow user_t awips_exec_t:file rx_file_perms;
>
> 30
>
> 31 # output to terminal
>
> 32 allow awips_t initrc_devpts_t:chr_file { read write };
>
> 33 allow awips_t devpts_t:dir { getattr search };
>
> 34 allow awips_t user_devpts_t:chr_file { read write getattr };
>
> 35
>
> 36 # load shared libs
>
> 37 libs_use_ld_so(awips_t);
>
> 38 libs_use_shared_libs(awips_t);
>
> 39
>
> 40 # respond to ctrl-c
>
> 41 allow user_t awips_t:process { signal sigkill };
>
> 42 allow awips_t self:process signal;
>
>
>
>
>
> File: awips.fc
>
> 1 # default to read-only access
>
> 2 /awips(/.*)? gen_context(system_u:object_r:bin_t,s0)
>
> 3
>
> 4 # script files and app that calls a script
>
> 5 /awips/fxa/bin -d gen_context(system_u:object_r:bin_t,s0)
>
> 6 /awips/fxa/bin/test.sh --
> gen_context(system_u:object_r:awips_exec_t,s0)
>