Bug 1020301

Summary: selinux prevents /usr/libexec/pegasus/cimprovagt from search,read,create operations
Product: Red Hat Enterprise Linux 7
Reporter: David Spurek <dspurek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: dspurek, ebenes, mgrepl, mmalik, pkis
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-100.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 10:38:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 922084

Description David Spurek 2013-10-17 12:13:06 UTC
Description of problem:
selinux prevents /usr/libexec/pegasus/cimprovagt from search,read,create operations 

The problem happens when I am trying to join an IPA or AD domain with realmd called via openlmi.

Join to IPA domain:
time->Thu Oct 17 04:14:50 2013
type=SOCKADDR msg=audit(1381997690.478:277): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1381997690.478:277): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff17fb0220 a2=6e a3=7fff17fafef0 items=0 ppid=15709 pid=15710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.478:277): avc:  denied  { search } for  pid=15710 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
----
time->Thu Oct 17 04:14:50 2013
type=SYSCALL msg=audit(1381997690.516:278): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=2 a2=0 a3=305 items=0 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.516:278): avc:  denied  { create } for  pid=15712 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 04:14:50 2013
type=PATH msg=audit(1381997690.517:279): item=0 name="/proc/net/unix" inode=4026532002 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1381997690.517:279):  cwd="/var/lib/Pegasus/cache/trace"
type=SYSCALL msg=audit(1381997690.517:279): arch=c000003e syscall=21 success=no exit=-13 a0=7fa8fdb51660 a1=4 a2=7fa8fdb5166e a3=305 items=1 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.517:279): avc:  denied  { read } for  pid=15712 comm="cimprovagt" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Oct 17 04:14:50 2013
type=SYSCALL msg=audit(1381997690.517:280): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=0 items=0 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.517:280): avc:  denied  { create } for  pid=15712 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket

Join to AD domain:
time->Thu Oct 17 04:13:22 2013
type=SOCKADDR msg=audit(1381997602.197:124): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1381997602.197:124): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffcdd6ef70 a2=6e a3=7fffcdd6ec40 items=0 ppid=12062 pid=12063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997602.197:124): avc:  denied  { search } for  pid=12063 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
Fail: AVC messages found.

Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-77.2.el7.noarch

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-77.2.el7
realmd-0.14.6-1.el7
openlmi-providers-0.2.0-0.el7

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Miroslav Grepl 2013-10-17 13:44:27 UTC
David,
any chance to switch to permissive to collect all AVC msgs? Thank you.

Comment 3 David Spurek 2013-10-17 21:05:04 UTC
Hi Mirek, it is possible. Here are the AVC messages in permissive:

time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:177): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=0 a3=305 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:177): avc:  denied  { create } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:178): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=10 a3=7f2a854366a0 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:178): avc:  denied  { setopt } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:179): arch=c000003e syscall=44 success=yes exit=17 a0=4 a1=7f2a854366b0 a2=11 a3=0 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:179): avc:  denied  { nlmsg_read } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SOCKADDR msg=audit(1382043643.110:180): saddr=100000000000000000000000
type=SYSCALL msg=audit(1382043643.110:180): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f2a85436d00 a2=c a3=7f2a78000078 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.110:180): avc:  denied  { bind } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SOCKADDR msg=audit(1382043643.110:181): saddr=10000000DB2A000000000000
type=SYSCALL msg=audit(1382043643.110:181): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=7f2a85436d00 a2=7f2a85436cfc a3=7f2a78000078 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.110:181): avc:  denied  { getattr } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket

Comment 5 Miroslav Grepl 2013-10-22 11:40:14 UTC
Added fixes.

Comment 6 Patrik Kis 2013-10-25 10:44:21 UTC
There are still two AVC denials appearing for me with the new policy:

type=AVC msg=audit(1382697256.286:17077): avc:  denied  { search } for  pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1382697459.268:17219): avc:  denied  { write } for  pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file

Comment 7 Patrik Kis 2013-10-25 11:31:11 UTC
----
time->Fri Oct 25 06:34:16 2013
type=SOCKADDR msg=audit(1382697256.286:17077): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1382697256.286:17077): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff42aaac80 a2=6e a3=7fff42aaa950 items=0 ppid=26336 pid=26337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382697256.286:17077): avc:  denied  { search } for  pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
----
time->Fri Oct 25 06:37:39 2013
type=PATH msg=audit(1382697459.268:17219): item=0 name=(null) inode=203163762 dev=fd:01 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 objtype=NORMAL
type=SOCKADDR msg=audit(1382697459.268:17219): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1382697459.268:17219): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7fffc264e280 a2=6e a3=7fffc264df50 items=1 ppid=30161 pid=30162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382697459.268:17219): avc:  denied  { write } for  pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file

Comment 8 Patrik Kis 2013-10-29 11:04:44 UTC
Shouldn't the cases above have been fixed too?

Comment 9 Miroslav Grepl 2013-10-29 12:07:17 UTC
Need to fix them.

Comment 10 Miroslav Grepl 2013-10-29 12:20:22 UTC
commit b31c17d5bf9fde2975d39b6d82ffafc0851c2a37
Author: Miroslav Grepl <mgrepl>
Date:   Tue Oct 29 13:20:23 2013 +0100

    Allow pegasus_openlmi_services_t to stream connect to sssd_t

Comment 11 Milos Malik 2013-11-08 13:59:16 UTC
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-98.el7.noarch
selinux-policy-mls-3.12.1-98.el7.noarch
selinux-policy-devel-3.12.1-98.el7.noarch
selinux-policy-3.12.1-98.el7.noarch
selinux-policy-doc-3.12.1-98.el7.noarch
selinux-policy-targeted-3.12.1-98.el7.noarch
# sesearch -t proc_net_t -c file -A -C | grep pegasus
   allow pegasus_t proc_net_t : file { ioctl read getattr lock open } ; 
   allow pegasus_openlmi_system_t proc_net_t : file { ioctl read getattr lock open } ; 
#

An allow rule for pegasus_openlmi_services_t is missing.
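
The denials quoted in the description and in comment 7, and the sesearch check in comment 11, can be reproduced mechanically. The following Python script is an added example and is not part of this bug or of the selinux-policy project: it turns each AVC record into the allow rule the denial would need (the same shape audit2allow prints), decodes the saddr field of the SOCKADDR records (an AF_UNIX address whose path is /var/lib/sss/pipes/nss, the sssd pipe the sock_file write denial in comment 7 refers to), and checks a list of allow rules in sesearch's output format to find which denials are still not covered, which is the check comment 11 performs by hand. The sample audit and sesearch text embedded below is constructed from lines quoted above, with the long saddr hex string shortened; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# --- Constructed sample input ---------------------------------------------
# AVC and SOCKADDR lines in the shape quoted in this bug (values copied from the
# report; the saddr hex string is shortened but keeps the bytes that matter).
SAMPLE_AUDIT = """\
type=SOCKADDR msg=audit(1382697459.268:17219): saddr=01002F7661722F6C69622F7373732F70697065732F6E7373000000000000
type=AVC msg=audit(1382697459.268:17219): avc:  denied  { write } for  pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1382697256.286:17077): avc:  denied  { search } for  pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1381997690.517:279): avc:  denied  { read } for  pid=15712 comm="cimprovagt" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# The two allow rules comment 11 found with sesearch, in sesearch's output form.
SAMPLE_SESEARCH = """\
   allow pegasus_t proc_net_t : file { ioctl read getattr lock open } ;
   allow pegasus_openlmi_system_t proc_net_t : file { ioctl read getattr lock open } ;
"""

AF_NAMES = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK"}  # Linux values

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*\{\s*(?P<perms>[^}]*?)\s*\}"
)
SADDR_RE = re.compile(r"type=SOCKADDR msg=audit\((?P<id>[^)]+)\): saddr=(?P<hex>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Denial:
    source: str        # type of the subject, e.g. pegasus_openlmi_services_t
    target: str        # type of the object, e.g. sssd_var_lib_t
    tclass: str        # object class, e.g. dir, file, sock_file
    perms: frozenset   # permissions that were denied

    def as_rule(self) -> str:
        """The allow rule this denial asks for, in the form audit2allow prints."""
        return f"allow {self.source} {self.target}:{self.tclass} {{ {' '.join(sorted(self.perms))} }};"


def type_of(context: str) -> str:
    """user:role:type:level -> type."""
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Extract one Denial per AVC record; lines without an AVC record are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append(Denial(type_of(m["scontext"]), type_of(m["tcontext"]),
                                  m["tclass"], frozenset(m["perms"].split())))
    return denials


def parse_sesearch(text: str) -> list:
    """Parse 'allow src tgt : cls { perms } ;' lines into (src, tgt, cls, perms) tuples."""
    return [(m["src"], m["tgt"], m["cls"], frozenset(m["perms"].split()))
            for m in map(RULE_RE.search, text.splitlines()) if m]


def uncovered(denials, rules) -> list:
    """Denials for which no rule grants every denied permission on the same types and class."""
    return [d for d in denials
            if not any(d.source == s and d.target == t and d.tclass == c and d.perms <= p
                       for s, t, c, p in rules)]


def decode_saddr(hex_str: str):
    """Decode the raw sockaddr bytes auditd logs in a SOCKADDR record."""
    raw = bytes.fromhex(hex_str)
    family = int.from_bytes(raw[:2], "little")     # sa_family is host byte order
    name = AF_NAMES.get(family, f"AF_{family}")
    if family == 1:  # AF_UNIX: NUL-terminated sun_path follows sa_family
        return name, raw[2:].split(b"\0", 1)[0].decode(errors="replace")
    return name, raw[2:].hex()                     # other families: leave the payload as hex


def decode_sockaddrs(text: str) -> dict:
    """Map each audit event id to the decoded address of its SOCKADDR record."""
    return {m["id"]: decode_saddr(m["hex"]) for m in map(SADDR_RE.search, text.splitlines()) if m}


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    for d in denials:
        print("needed:", d.as_rule())
    for event_id, addr in decode_sockaddrs(SAMPLE_AUDIT).items():
        print("event", event_id, "connected to", addr)
    for d in uncovered(denials, parse_sesearch(SAMPLE_SESEARCH)):
        print("not covered by current policy:", d.as_rule())
```

Run against a real host, the same functions take the output of `ausearch -m AVC -ts recent` and `sesearch -A -s pegasus_openlmi_services_t -C`; the coverage check only compares source type, target type, class and permission set, so it reports a denial as uncovered when the rule exists for a neighbouring type such as pegasus_openlmi_system_t, which is exactly the situation comment 11 describes.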

Comment 12 Miroslav Grepl 2013-11-11 12:55:02 UTC
commit cd0c4b8eed6b94b376ccc4cb2ace7441b7300604
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 11 13:54:34 2013 +0100

    Allow cimprovagt service providers to read network states

Comment 14 Ludek Smid 2014-06-13 10:38:14 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.