Bug 1023202
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | luci: started python process has "unconfined_u:system_r:initrc_t:s0" label | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Pokorný [poki] <jpokorny> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4 | CC: | dwalsh, jpokorny, lvrabec, mgrepl, mmalik, rmccabe, rsteiger |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-250.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1026374 (view as bug list) | Environment: | |
| Last Closed: | 2014-10-14 07:57:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1026374 | | |
| Bug Blocks: | | | |
Ok, this is the way the paster is involved. Basically we did fixes in Fedora for this where we changed the way how to confine it. http://mgrepl.wordpress.com/2012/06/20/how-would-tools-like-paster-work-with-selinux/ This is a bug for RHEL6.6.

Note wrt. reproducer "smoothness":

- avoid python-repoze-who-friendlyform from EPEL (aged problem, cf. [bug 750474 comment 6])

If I read the referenced blog post correctly, we should rather provide a custom "launcher" script just to fit the current expected phased transition scheme involving paster (so as not to complicate the matters in the policy)?

Jan, yes. We need to have a helper script for luci. Also I will need to back port piranha.te policy changes to RHEL6.6 to make it work.

Ok, the script itself is a subject of [bug 1026374] (set as a blocker here).

Jan, we need a helper script for luci to fix this issue, as Miroslav wrote above. I'll send a patch.
commit d6aa56214a2641cf611adbb598015aa8ebe211b4
Author: Lukas Vrabec <lvrabec>
Date: Mon Aug 11 09:44:54 2014 +0200
Fix path to luci(/usr/sbin/luci) Resolves:1023202
jpokorny found the following AVC, which appeared after the selinux-policy update when the luci service is restarted. My understanding is that the new luci instance (running as piranha_web_t) signals the old luci instance (running as initrc_t) to stop.

```
type=SYSCALL msg=audit(08/11/2014 16:21:36.486:4469) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x1327 a1=SIG0 a2=0x1 a3=0x7ffff9251360 items=0 ppid=23175 pid=23176 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=luci exe=/usr/bin/python subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(08/11/2014 16:21:36.486:4469) : avc: denied { signull } for pid=23176 comm=luci scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
```

```
# service luci restart
Stop luci... [FAILED]
Start luci... [ OK ]
#
```
Unfortunately, the old luci instance stays running.
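The two audit records in the comment above, run through a small checker written for this page (an added example, not code from the bug report, luci or selinux-policy): it parses type=AVC records and flags a process-class denial whose target process is not in the domain the daemon is expected to run in, which is exactly the stale initrc_t instance described here. The record text and the expected-domain map are constructed from this report.

```python
import re

# Constructed sample: the two audit records quoted in this bug, as ausearch -i prints them.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(08/11/2014 16:21:36.486:4469) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x1327 a1=SIG0 a2=0x1 a3=0x7ffff9251360 items=0 ppid=23175 pid=23176 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=luci exe=/usr/bin/python subj=unconfined_u:system_r:piranha_web_t:s0 key=(null)
type=AVC msg=audit(08/11/2014 16:21:36.486:4469) : avc: denied { signull } for pid=23176 comm=luci scontext=unconfined_u:system_r:piranha_web_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
"""

# Domain each confined daemon is expected to run in (assumed map; the luci entry is from this bug).
EXPECTED_DOMAIN = {"luci": "piranha_web_t"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def domain_of(context):
    """Return the type field of an SELinux context such as user_u:role_r:type_t:s0."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one type=AVC record into a dict; records of other types yield None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group(3)))   # pid, comm, scontext, tcontext, tclass
    return rec

def find_label_problems(audit_text, expected=EXPECTED_DOMAIN):
    """Flag process-class denials where a daemon's peer process is not in the domain
    the policy expects for that daemon (here: the old luci instance left in initrc_t)."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or rec.get("tclass") != "process":
            continue
        want = expected.get(rec.get("comm"))
        if want is None:
            continue
        src, tgt = domain_of(rec["scontext"]), domain_of(rec["tcontext"])
        if tgt != want:
            findings.append({"comm": rec["comm"], "pid": rec["pid"], "perms": rec["perms"],
                             "source": src, "target": tgt, "expected": want})
    return findings

if __name__ == "__main__":
    for f in find_label_problems(SAMPLE_AUDIT):
        print(f"{f['comm']}[{f['pid']}] in {f['source']} denied {f['perms']} on a process in "
              f"{f['target']}, expected {f['expected']}: stale instance with the wrong label?")
```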
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html
See the subject, reproducer:

```
# yum install -y
# service luci start
# ps -Zp $(service luci status | awk '{print $5;}' )
```

In my case, both el6.4 and el6.5 report something like this:

```
LABEL                             PID TTY          TIME CMD
unconfined_u:system_r:initrc_t:s0 6077 ?        00:00:00 python
```

The full command is:

```
/usr/bin/python -Es /usr/bin/paster serve --daemon --user luci \
  --group luci --log-file=/var/log/luci/luci.log \
  --pid-file=/var/run/luci/luci.pid --server-name=init --app-name=init \
  /var/lib/luci/etc/luci.ini
```

Was told this is not expected and I can also remember that in the past, the luci-related things were labeled piranha*_t; see e.g. [bug 737635] showing (if I interpret scontext ~ subject context correctly) that the expected process label should be:

```
unconfined_u:system_r:piranha_web_t
```

Note: from what I can tell, no problem in enforcing mode so far.

el6.4 details:

```
# rpm -q luci python python-paste-script selinux-policy
luci-0.26.0-37.el6_4.1.x86_64
python-2.6.6-36.el6.x86_64
python-paste-script-1.7.3-5.el6_3.noarch
selinux-policy-3.7.19-195.el6.noarch
```

el6.5 details:

```
# rpm -q luci python python-paste-script selinux-policy
luci-0.26.0-48.el6.x86_64
python-2.6.6-51.el6.x86_64
python-paste-script-1.7.3-5.el6_3.noarch
selinux-policy-3.7.19-228.el6.noarch
```