Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace experimental option 'grep -P' to 'grep -E' #737

Merged
merged 1 commit into from Dec 11, 2015
Merged

Replace experimental option 'grep -P' to 'grep -E' #737

merged 1 commit into from Dec 11, 2015

Conversation

phracek
Copy link
Contributor

@phracek phracek commented Dec 10, 2015

Signed-off-by: Petr Hracek phracek@redhat.com

Remove experimental 'grep -P' switch in the executable scripts
https://bugzilla.redhat.com/show_bug.cgi?id=1290205

When rear is being executed, e.g. /usr/sbin/rear mkrescue an SELinux AVC is generated.

type=AVC msg=audit(1448377615.693:35710): avc:  denied  { execmem } for  pid=21398 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1448377615.693:35710): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=10000 a2=7 a3=22 items=0 ppid=9928 pid=21398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=grep exe=/usr/bin/grep subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

SELinux is preventing /usr/bin/grep from using the execmem access on a process. The root cause seems to be the usage of "grep -P".

Replace the switch from 'grep -P' to 'grep -E' from the following scripts

$ grep -wnr "grep -P" /usr/share/rear/ 
/usr/share/rear/layout/save/default/31_autoexclude_usb.sh:39:        local usb_mntpt=$(grep -P "^$REAL_USB_DEVICE\s" /proc/mounts | cut -d" " -f2 | tail -1)
/usr/share/rear/output/USB/Linux-i386/30_create_extlinux.sh:6:            strings $file | grep -P -m1 "^(EXT|SYS)LINUX \\d+.\\d+" | cut -d' ' -f2
/usr/share/rear/output/USB/Linux-i386/85_make_USB_bootable.sh:25:usb_filesystem=$(grep -P "^($USB_DEVICE|$REAL_USB_DEVICE)\\s" /proc/mounts | cut -d' ' -f3 | tail -1)
/usr/share/rear/prep/USB/Linux-i386/35_check_usb_disk.sh:12:StopIfError "USB device '$USB_DEVICE' is already mounted on $(grep -P "^$REAL_USB_DEVICE\\s" /proc/mounts | cut -d' ' -f2 |tail -1)"

@phracek
Replace experimental option 'grep -P' to 'grep -E'
c0eaef1 
Signed-off-by: Petr Hracek <phracek@redhat.com>
@gdha gdha mentioned this pull request Dec 11, 2015
Closed
@gdha gdha self-assigned this Dec 11, 2015
@gdha gdha added the bug The code does not do what it is meant to do label Dec 11, 2015
@gdha gdha added this to the Rear v1.18 milestone Dec 11, 2015
@gdha
Copy link
Member

gdha commented Dec 11, 2015

@phracek Seems all modifications are in the USB track - we must check afterwards it nothing is broken.

gdha added a commit that referenced this pull request Dec 11, 2015
@gdha
Merge pull request #737 from phracek/master
d0fe4a5 
Replace experimental option 'grep -P' to 'grep -E' (used with OUTPUT=USB)
@gdha gdha merged commit d0fe4a5 into rear:master Dec 11, 2015
@tcerna
Copy link

tcerna commented Jun 30, 2016

Hi,
I think that this problem was not fixed.

# rpm -q rear
rear-1.17.2-5.el7.x86_64
  1. At first I set selinux variable
# setsebool deny_execmem=true
# getsebool deny_execmem
deny_execmem --> on
  1. Run rear
# rear mkrescue
  1. See in /var/log/audit/audit.log
type=AVC msg=audit(1467285960.762:438): avc:  denied  { execmem } for  pid=30102 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1467285960.762:438): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=29336 pid=30102 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Why is there this SELinux AVC?

I tried to find all 'grep -P' and there is still 2 discoveries

# grep -wnr "grep -P" /usr/share/rear/
/usr/share/rear/prep/USB/Linux-i386/35_check_usb_disk.sh:12:StopIfError "USB device '$USB_DEVICE' is already mounted on $(grep -P "^$REAL_USB_DEVICE\\s" /proc/mounts | cut -d' ' -f2 |tail -1)"
/usr/share/rear/output/USB/Linux-i386/30_create_extlinux.sh:6:            strings $file | grep -P -m1 "^(EXT|SYS)LINUX \\d+.\\d+" | cut -d' ' -f2

I did some experiment. Rewrite manually these discoveries to 'grep -E' and try to tun rear again and see the same SELinux AVC were generated.

# grep -wnr "grep -P" /usr/share/rear/
# rear mkrescue
# cat /var/log/audit/audit.log
type=AVC msg=audit(1467285960.762:438): avc:  denied  { execmem } for  pid=30102 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1467285960.762:438): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=29336 pid=30102 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Can you fix this problem or explain me what I'm doing badly?

@gdha
Copy link
Member

gdha commented Jun 30, 2016

@tcerna I believe this is fixed in 1.18 and you are testing 1.17.2?

@tcerna
Copy link

tcerna commented Jun 30, 2016

Yes. I tested it in 1.17.2 version. I will wait for new package upload in our system and try it again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@gdha gdha

Labels
bug The code does not do what it is meant to do
Projects
None yet
Milestone
Rear v1.18
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@phracek @gdha @tcerna @jsmeix