#737 PR merged: Replace experimental option 'grep -P' to 'grep -E'

Labels: bug

phracek opened issue at 2015-12-10 12:15:

Signed-off-by: Petr Hracek phracek@redhat.com

Remove experimental 'grep -P' switch in the executable scripts
https://bugzilla.redhat.com/show_bug.cgi?id=1290205

When rear is being executed, e.g. /usr/sbin/rear mkrescue an SELinux AVC is generated.

type=AVC msg=audit(1448377615.693:35710): avc:  denied  { execmem } for  pid=21398 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1448377615.693:35710): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=10000 a2=7 a3=22 items=0 ppid=9928 pid=21398 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm=grep exe=/usr/bin/grep subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

SELinux is preventing /usr/bin/grep from using the execmem access on a process. The root cause seems to be the usage of "grep -P".

Replace the switch from 'grep -P' to 'grep -E' from the following scripts

$ grep -wnr "grep -P" /usr/share/rear/ 
/usr/share/rear/layout/save/default/31_autoexclude_usb.sh:39:        local usb_mntpt=$(grep -P "^$REAL_USB_DEVICE\s" /proc/mounts | cut -d" " -f2 | tail -1)
/usr/share/rear/output/USB/Linux-i386/30_create_extlinux.sh:6:            strings $file | grep -P -m1 "^(EXT|SYS)LINUX \\d+.\\d+" | cut -d' ' -f2
/usr/share/rear/output/USB/Linux-i386/85_make_USB_bootable.sh:25:usb_filesystem=$(grep -P "^($USB_DEVICE|$REAL_USB_DEVICE)\\s" /proc/mounts | cut -d' ' -f3 | tail -1)
/usr/share/rear/prep/USB/Linux-i386/35_check_usb_disk.sh:12:StopIfError "USB device '$USB_DEVICE' is already mounted on $(grep -P "^$REAL_USB_DEVICE\\s" /proc/mounts | cut -d' ' -f2 |tail -1)"

gdha commented at 2015-12-11 10:08:

@phracek Seems all modifications are in the USB track - we must check afterwards it nothing is broken.

tcerna commented at 2016-06-30 11:49:

Hi,
I think that this problem was not fixed.

# rpm -q rear
rear-1.17.2-5.el7.x86_64
  1. At first I set selinux variable
# setsebool deny_execmem=true
# getsebool deny_execmem
deny_execmem --> on
  1. Run rear
# rear mkrescue
  1. See in /var/log/audit/audit.log
type=AVC msg=audit(1467285960.762:438): avc:  denied  { execmem } for  pid=30102 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1467285960.762:438): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=29336 pid=30102 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Why is there this SELinux AVC?

I tried to find all 'grep -P' and there is still 2 discoveries

# grep -wnr "grep -P" /usr/share/rear/
/usr/share/rear/prep/USB/Linux-i386/35_check_usb_disk.sh:12:StopIfError "USB device '$USB_DEVICE' is already mounted on $(grep -P "^$REAL_USB_DEVICE\\s" /proc/mounts | cut -d' ' -f2 |tail -1)"
/usr/share/rear/output/USB/Linux-i386/30_create_extlinux.sh:6:            strings $file | grep -P -m1 "^(EXT|SYS)LINUX \\d+.\\d+" | cut -d' ' -f2

I did some experiment. Rewrite manually these discoveries to 'grep -E' and try to tun rear again and see the same SELinux AVC were generated.

# grep -wnr "grep -P" /usr/share/rear/
# rear mkrescue
# cat /var/log/audit/audit.log
type=AVC msg=audit(1467285960.762:438): avc:  denied  { execmem } for  pid=30102 comm="grep" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1467285960.762:438): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=29336 pid=30102 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="grep" exe="/usr/bin/grep" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Can you fix this problem or explain me what I'm doing badly?

gdha commented at 2016-06-30 12:00:

@tcerna I believe this is fixed in 1.18 and you are testing 1.17.2?

tcerna commented at 2016-06-30 13:22:

Yes. I tested it in 1.17.2 version. I will wait for new package upload in our system and try it again.

[Export of Github issue for rear/rear.]