Bug 1033669

Summary: SELinux prevents sfcbd from reading /dev/urandom
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Reporter: Petr Sklenar <psklenar>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: mmalik
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Fixed In Version: selinux-policy-3.12.1-106.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 09:19:54 UTC
Bug Blocks: 922084

Description Petr Sklenar 2013-11-22 15:08:36 UTC
Description of problem:
systemctl start sblim-sfcb causes an AVC denial

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-103.el7.noarch
sblim-sfcb-1.3.16-7.el7.x86_64
How reproducible:
always

Steps to Reproduce:
1. systemctl start sblim-sfcb

Actual results:
[root@unused-4-155 ~]# ausearch -ts recent -m avc 
<no matches>
[root@unused-4-155 ~]# systemctl start sblim-sfcb
[root@unused-4-155 ~]# systemctl status sblim-sfcb
sblim-sfcb.service - Small Footprint CIM Broker Service
   Loaded: loaded (/usr/lib/systemd/system/sblim-sfcb.service; disabled)
   Active: active (running) since Fri 2013-11-22 15:02:25 GMT; 4s ago
 Main PID: 18324 (sfcbd)
   CGroup: /system.slice/sblim-sfcb.service
           ├─18324 /usr/sbin/sfcbd
           ├─18325 /usr/sbin/sfcbd
           ├─18327 /usr/sbin/sfcbd
           ├─18328 /usr/sbin/sfcbd
           ├─18330 /usr/sbin/sfcbd
           ├─18333 /usr/sbin/sfcbd
           ├─18337 /usr/sbin/sfcbd
           └─18350 /usr/sbin/sfcbd

Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- initSocketPairs: 64
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- localConnectServer started
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- Caching ClassProvider for /var/lib/sfcb/registration/repository/root/interop/classSc...4 bytes
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- Max Http procs: 8
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- sfcbd HTTP Daemon V1.3.16 configured for port 5989 - 18327
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- sfcbd HTTP Daemon V1.3.16 configured for socket /tmp/sfcbHttpSocket - 18327
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- Using Basic Authentication
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- Select timeout: 5 seconds
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- Keep-alive timeout: 15 seconds
Nov 22 15:02:25 unused-4-155.brq.redhat.com sfcbd[18324]: --- Maximum requests per connection: 10
Hint: Some lines were ellipsized, use -l to show in full.
[root@unused-4-155 ~]# ausearch -ts recent -m avc 
----
time->Fri Nov 22 15:02:25 2013
type=SYSCALL msg=audit(1385132545.828:1176): arch=c000003e syscall=4 success=no exit=-13 a0=7f9502df6b83 a1=7fff862a4450 a2=7fff862a4450 a3=7fff862a4210 items=0 ppid=18324 pid=18327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132545.828:1176): avc:  denied  { getattr } for  pid=18327 comm="sfcbd" path="/dev/urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Fri Nov 22 15:02:25 2013
type=SYSCALL msg=audit(1385132545.869:1177): arch=c000003e syscall=2 success=no exit=-13 a0=7f9500cc2c8e a1=900 a2=4797 a3=7fff862a43b0 items=0 ppid=18324 pid=18327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132545.869:1177): avc:  denied  { read } for  pid=18327 comm="sfcbd" name="urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Fri Nov 22 15:02:25 2013
type=SYSCALL msg=audit(1385132545.869:1178): arch=c000003e syscall=2 success=no exit=-13 a0=7f9500cc2c9b a1=900 a2=fffffffffffffff3 a3=7fff862a43b0 items=0 ppid=18324 pid=18327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132545.869:1178): avc:  denied  { read } for  pid=18327 comm="sfcbd" name="random" dev="devtmpfs" ino=5462 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
[root@unused-4-155 ~]# getenforce 
Enforcing
[root@unused-4-155 ~]# setenforce 0
[root@unused-4-155 ~]# systemctl restart sblim-sfcb
[root@unused-4-155 ~]# ausearch -ts recent -m avc 
----
time->Fri Nov 22 15:02:25 2013
type=SYSCALL msg=audit(1385132545.828:1176): arch=c000003e syscall=4 success=no exit=-13 a0=7f9502df6b83 a1=7fff862a4450 a2=7fff862a4450 a3=7fff862a4210 items=0 ppid=18324 pid=18327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132545.828:1176): avc:  denied  { getattr } for  pid=18327 comm="sfcbd" path="/dev/urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Fri Nov 22 15:02:25 2013
type=SYSCALL msg=audit(1385132545.869:1177): arch=c000003e syscall=2 success=no exit=-13 a0=7f9500cc2c8e a1=900 a2=4797 a3=7fff862a43b0 items=0 ppid=18324 pid=18327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132545.869:1177): avc:  denied  { read } for  pid=18327 comm="sfcbd" name="urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Fri Nov 22 15:02:25 2013
type=SYSCALL msg=audit(1385132545.869:1178): arch=c000003e syscall=2 success=no exit=-13 a0=7f9500cc2c9b a1=900 a2=fffffffffffffff3 a3=7fff862a43b0 items=0 ppid=18324 pid=18327 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132545.869:1178): avc:  denied  { read } for  pid=18327 comm="sfcbd" name="random" dev="devtmpfs" ino=5462 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
----
time->Fri Nov 22 15:02:54 2013
type=SYSCALL msg=audit(1385132574.836:1183): arch=c000003e syscall=4 success=yes exit=0 a0=7f017c602b83 a1=7fff822c75c0 a2=7fff822c75c0 a3=7fff822c7380 items=0 ppid=18390 pid=18393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132574.836:1183): avc:  denied  { getattr } for  pid=18393 comm="sfcbd" path="/dev/urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Fri Nov 22 15:02:54 2013
type=SYSCALL msg=audit(1385132574.836:1184): arch=c000003e syscall=2 success=yes exit=138 a0=7f017c602b83 a1=0 a2=1b6 a3=7fff822c7380 items=0 ppid=18390 pid=18393 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1385132574.836:1184): avc:  denied  { open } for  pid=18393 comm="sfcbd" path="/dev/urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1385132574.836:1184): avc:  denied  { read } for  pid=18393 comm="sfcbd" name="urandom" dev="devtmpfs" ino=5463 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


Expected results:
no avc

Additional info:
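
As an added example (not part of the bug report or of the selinux-policy project), a small Python parser for ausearch output of the kind quoted above: it pairs each AVC record with its SYSCALL record by audit message id, so an enforced denial (success=no) can be told apart from one merely logged in permissive mode (success=yes, as in the records captured after setenforce 0), and it collapses the denials into the allow rules a policy fix would need. The sample input is constructed by abridging the records quoted in this report.

```python
import re
from collections import defaultdict

# Constructed sample: four audit events abridged from the ausearch output quoted in
# this bug report (SYSCALL lines shortened to the fields this parser uses).
AUSEARCH_OUTPUT = """\
type=SYSCALL msg=audit(1385132545.828:1176): syscall=4 success=no exit=-13 comm="sfcbd"
type=AVC msg=audit(1385132545.828:1176): avc:  denied  { getattr } for  pid=18327 comm="sfcbd" path="/dev/urandom" scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1385132545.869:1177): syscall=2 success=no exit=-13 comm="sfcbd"
type=AVC msg=audit(1385132545.869:1177): avc:  denied  { read } for  pid=18327 comm="sfcbd" name="urandom" scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1385132545.869:1178): syscall=2 success=no exit=-13 comm="sfcbd"
type=AVC msg=audit(1385132545.869:1178): avc:  denied  { read } for  pid=18327 comm="sfcbd" name="random" scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1385132574.836:1184): syscall=2 success=yes exit=138 comm="sfcbd"
type=AVC msg=audit(1385132574.836:1184): avc:  denied  { open } for  pid=18393 comm="sfcbd" path="/dev/urandom" scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1385132574.836:1184): avc:  denied  { read } for  pid=18393 comm="sfcbd" name="urandom" scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

MSG_RE = re.compile(r"msg=audit\((?P<id>[\d.:]+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<s>\S+) "
                    r"tcontext=(?P<t>\S+) tclass=(?P<c>\S+)")


def parse_denials(text):
    """Group AVC denials with their SYSCALL record by audit message id.

    blocked: True = syscall failed (enforcing); False = it succeeded although a denial
    was logged (permissive mode); None = no SYSCALL record seen for that id.
    """
    events = defaultdict(lambda: {"blocked": None, "denials": []})
    for line in text.splitlines():
        mid = MSG_RE.search(line)
        if not mid:
            continue
        ev = events[mid.group("id")]
        if line.startswith("type=SYSCALL"):
            ev["blocked"] = "success=no" in line
        elif line.startswith("type=AVC"):
            m = AVC_RE.search(line)
            for perm in m.group("perms").split():  # may list several: { open read }
                # context is user:role:type:level; the type is what policy rules name
                ev["denials"].append((m.group("s").split(":")[2],
                                      m.group("t").split(":")[2], m.group("c"), perm))
    return dict(events)


def allow_rules(events):
    """Collapse the denials into allow rules of the shape audit2allow would emit."""
    perms = defaultdict(set)
    for ev in events.values():
        for stype, ttype, tclass, perm in ev["denials"]:
            perms[(stype, ttype, tclass)].add(perm)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())
```

Feeding the real `ausearch -m avc` output through the same functions works unchanged, since only the msg id, success= and the scontext/tcontext/tclass fields are read.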

Comment 2 Milos Malik 2013-11-22 15:16:20 UTC
This problem is already discussed in comment#6 of bz#1026216.

Comment 3 Miroslav Grepl 2013-11-26 14:43:56 UTC
commit 81b776d3e1f5307f421b31d0c126614a30542665
Author: Miroslav Grepl <mgrepl>
Date:   Tue Nov 26 15:43:18 2013 +0100

    Allow sblim domain to read /dev/urandom and /dev/random

Comment 7 Ludek Smid 2014-06-13 09:19:54 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.