| Summary: | SELinux prevents yum running as sosreport_t to unlink pid file | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Michal Trunecka <mtruneck> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | ebenes, jprokes, ljozsa, mmalik, mtruneck |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-106.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 09:53:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 782468 | | |
I guess we will end up with

optional_policy(`
    rpm_domtrans(sosreport_t)
')

optional_policy(`
    unconfined_domain(sosreport_t)
')

Do you get more AVC msgs in permissive mode?

# rpm -qa selinux-policy\*
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
#
The following message appeared at least ten times:
----
type=SYSCALL msg=audit(11/28/2013 13:45:55.473:1116) : arch=x86_64 syscall=setpgid success=no exit=-13(Permission denied) a0=0x0 a1=0x0 a2=0x7fff393a1eb1 a3=0x32509bbc8c items=0 ppid=6390 pid=11209 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=timeout exe=/usr/bin/timeout subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/28/2013 13:45:55.473:1116) : avc: denied { setpgid } for pid=11209 comm=timeout scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=process
----
The following messages appeared once:
----
type=PATH msg=audit(11/28/2013 13:45:50.168:1081) : item=1 name=/var/log/up2date objtype=CREATE
type=PATH msg=audit(11/28/2013 13:45:50.168:1081) : item=0 name=/var/log/ inode=16818314 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(11/28/2013 13:45:50.168:1081) : cwd=/var/tmp/abrt/Python-2013-11-28-13:44:59-6326
type=SYSCALL msg=audit(11/28/2013 13:45:50.168:1081) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x2301a60 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x22f99e0 items=2 ppid=7117 pid=7118 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/28/2013 13:45:50.168:1081) : avc: denied { write } for pid=7118 comm=python name=log dev="vda3" ino=16818314 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
----
type=PATH msg=audit(11/28/2013 13:45:56.035:1117) : item=1 name=/var/cache/yum/x86_64/7Server objtype=CREATE
type=PATH msg=audit(11/28/2013 13:45:56.035:1117) : item=0 name=/var/cache/yum/x86_64/ inode=8910782 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:rpm_var_cache_t:s0 objtype=PARENT
type=CWD msg=audit(11/28/2013 13:45:56.035:1117) : cwd=/var/tmp/abrt/Python-2013-11-28-13:44:59-6326
type=SYSCALL msg=audit(11/28/2013 13:45:56.035:1117) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x21981f0 a1=0755 a2=0x3255dbbf88 a3=0x0 items=2 ppid=11209 pid=11219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/28/2013 13:45:56.035:1117) : avc: denied { write } for pid=11219 comm=yum name=x86_64 dev="vda3" ino=8910782 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
----
commit 90b623bb27b22e1b04617463f7c866af50e4787f
Author: Miroslav Grepl <mgrepl>
Date: Fri Nov 29 11:21:15 2013 +0100
Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t
*** Bug 1033559 has been marked as a duplicate of this bug. ***

*** Bug 1037732 has been marked as a duplicate of this bug. ***

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Description of problem:
If you believe that python2.7 should be allowed unlink access on the yum.pid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sosreport_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_run_t:s0
Target Objects                yum.pid [ file ]
Source                        yum
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-10.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-103.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7
Platform                      Linux rhel7 3.10.0-54.el7.x86_64 #1 SMP Thu Nov 21 15:34:15 EST 2013 x86_64 x86_64
Alert Count                   1212
First Seen                    2013-11-27 16:16:11 GMT
Last Seen                     2013-11-28 09:50:05 GMT
Local ID                      a73a1890-a53a-4430-a354-86608508f6be

Raw Audit Messages
type=AVC msg=audit(1385632205.171:108246747): avc: denied { unlink } for pid=31417 comm="yum" name="yum.pid" dev="tmpfs" ino=623956 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1385632205.171:108246747): arch=x86_64 syscall=unlink success=no exit=EACCES a0=2e034f0 a1=1 a2=3703dbbf88 a3=0 items=0 ppid=31416 pid=31417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-103.el7.noarch

How reproducible:
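The sealert text above recommends `audit2allow -M mypol` as a stopgap, while the commit in this bug fixed the problem by relabelling /var/log/up2date as rpm_log_t and using rpm interfaces for sosreport_t. The following is an added example (my own code, not audit2allow and not anything from this bug or the selinux-policy project) that parses the AVC records quoted on this page, aggregates them the way audit2allow does into candidate allow rules, and separately flags denials whose target carries a catch-all label, where a labelling check rather than a new allow rule is usually the right response. The sample records are copied from the bug's audit excerpts; `GENERIC_TARGET_TYPES` and the relabel heuristic built on it are my assumption, not part of any tool.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC and SYSCALL records copied from the audit excerpts
# quoted in this bug (both raw-timestamp and ausearch -i style records appear).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1385632205.171:108246747): avc: denied { unlink } for pid=31417 comm="yum" name="yum.pid" dev="tmpfs" ino=623956 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1385632205.171:108246747): arch=x86_64 syscall=unlink success=no exit=EACCES a0=2e034f0 comm=yum exe=/usr/bin/python2.7
type=AVC msg=audit(11/28/2013 13:45:55.473:1116) : avc: denied { setpgid } for pid=11209 comm=timeout scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(11/28/2013 13:45:50.168:1081) : avc: denied { write } for pid=7118 comm=python name=log dev="vda3" ino=16818314 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(11/28/2013 13:45:56.035:1117) : avc: denied { write } for pid=11219 comm=yum name=x86_64 dev="vda3" ino=8910782 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic (my assumption, not taken from the policy sources): a denial whose target has
# one of these catch-all labels often means the object is mislabelled rather than that the
# source domain needs broader access. The fix in this bug is an instance: /var/log/up2date
# was relabelled rpm_log_t instead of granting sosreport_t write on all of var_log_t.
GENERIC_TARGET_TYPES = {"var_log_t", "var_t", "var_run_t", "tmp_t", "etc_t", "usr_t"}


def parse_avc(line):
    """Parse one AVC record into a dict; return None for anything that is not an AVC denial."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],  # user:role:type[:range] -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def candidate_rules(audit_text):
    """Group denials by (source type, target type, class) and merge their permissions.

    This is the aggregation audit2allow performs; the result is the rule set a blanket
    `audit2allow -M` over these records would put into the local module.
    """
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in groups.items():
        target = "self" if stype == ttype else ttype  # policy syntax for same-domain targets
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {stype} {target}:{tclass} {plist};")
    return sorted(rules)


def relabel_candidates(audit_text):
    """Return (target type, object name) pairs worth a labelling check before any rule is written."""
    hits = set()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["ttype"] in GENERIC_TARGET_TYPES:
            hits.add((rec["ttype"], rec["name"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AUDIT):
        print(rule)
    for ttype, name in relabel_candidates(SAMPLE_AUDIT):
        print(f"# check labelling: {name!r} is {ttype}; a more specific type may be intended")
```

Run stand-alone, the script prints four allow rules, one per (sosreport_t, target type, class) pair on this page, and flags the `name=log` denial against var_log_t as a labelling question. Reading the four rules next to the commit message shows why the stopgap and the fix differ: the module audit2allow would build grants sosreport_t raw write on var_log_t, whereas the policy change confined the new access to the rpm_* types sosreport actually needs.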