Bug 1037484

Summary: bmc-watchdog runs as init_t
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: lvrabec, mgrepl, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-110.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 12:49:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 877026
Bug Blocks: 848829, 1042753

Description Milos Malik 2013-12-03 09:30:35 UTC
Description of problem:
 * bmc-watchdog uses an overly powerful SELinux domain

Version-Release number of selected component (if applicable):
freeipmi-bmc-watchdog-1.2.9-2.el7.x86_64
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service bmc-watchdog status
Redirecting to /bin/systemctl status  bmc-watchdog.service
bmc-watchdog.service - BMC Watchdog Timer Daemon
   Loaded: loaded (/usr/lib/systemd/system/bmc-watchdog.service; disabled)
   Active: inactive (dead)

# service bmc-watchdog start
Redirecting to /bin/systemctl start  bmc-watchdog.service
# service bmc-watchdog status
Redirecting to /bin/systemctl status  bmc-watchdog.service
bmc-watchdog.service - BMC Watchdog Timer Daemon
   Loaded: loaded (/usr/lib/systemd/system/bmc-watchdog.service; disabled)
   Active: active (running) since Tue 2013-12-03 10:24:02 CET; 982ms ago
  Process: 6723 ExecStart=/usr/sbin/bmc-watchdog $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 6725 (bmc-watchdog)
   CGroup: /system.slice/bmc-watchdog.service
           └─6725 /usr/sbin/bmc-watchdog -d -u 4 -p 0 -a 1 -F -P -L -S -O -i ...

Dec 03 10:24:02 rhel70.localdomain systemd[1]: Starting BMC Watchdog Timer D....
Dec 03 10:24:02 rhel70.localdomain systemd[1]: Started BMC Watchdog Timer Da....
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep bmc-watchdog
system_u:system_r:init_t:s0     root      6725     1 36 10:24 ?        00:00:04 /usr/sbin/bmc-watchdog -d -u 4 -p 0 -a 1 -F -P -L -S -O -i 900 -e 60
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6738 2416  0 10:24 pts/0 00:00:00 grep --color=auto bmc-watchdog
#

Actual results:
 * bmc-watchdog runs as init_t

Expected results:
 * bmc-watchdog runs in its own SELinux domain

Comment 1 Miroslav Grepl 2013-12-03 10:04:18 UTC
Milos,
does it work with "watchdog_exec_t"?

I will add

commit 63b4dceb33ffbfb86516a257926a711b4c653d45
Author: Miroslav Grepl <mgrepl>
Date:   Tue Dec 3 11:02:45 2013 +0100

    Allow watchdog to be executed from cron

if yes.

Comment 2 Milos Malik 2013-12-03 10:12:35 UTC
After assigning the watchdog_exec_t label to the /usr/sbin/bmc-watchdog file, the following AVCs appeared in enforcing mode:
----
type=PATH msg=audit(12/03/2013 11:07:16.975:76987) : item=0 name=/dev/ipmi0 inode=4460792 dev=00:05 mode=character,644 ouid=root ogid=root rdev=f6:00 obj=unconfined_u:object_r:ipmi_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/03/2013 11:07:16.975:76987) :  cwd=/ 
type=SYSCALL msg=audit(12/03/2013 11:07:16.975:76987) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f25959905c8 a1=O_RDWR a2=0x7f25980ab310 a3=0x7fffd0711710 items=1 ppid=18756 pid=18757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bmc-watchdog exe=/usr/sbin/bmc-watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(12/03/2013 11:07:16.975:76987) : avc:  denied  { read write } for  pid=18757 comm=bmc-watchdog name=ipmi0 dev="devtmpfs" ino=4460792 scontext=system_u:system_r:watchdog_t:s0 tcontext=unconfined_u:object_r:ipmi_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(12/03/2013 11:07:16.976:76988) : item=0 name=/dev/mem inode=1027 dev=00:05 mode=character,640 ouid=root ogid=kmem rdev=01:01 obj=system_u:object_r:memory_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/03/2013 11:07:16.976:76988) :  cwd=/ 
type=SYSCALL msg=audit(12/03/2013 11:07:16.976:76988) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f2595997d2b a1=O_RDONLY a2=0x10000 a3=0x7fffd0711bb0 items=1 ppid=1 pid=18757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bmc-watchdog exe=/usr/sbin/bmc-watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(12/03/2013 11:07:16.976:76988) : avc:  denied  { read } for  pid=18757 comm=bmc-watchdog name=mem dev="devtmpfs" ino=1027 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(12/03/2013 11:07:16.977:77037) : item=0 name=/var/lib/freeipmi/ipckey inode=2494726 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/03/2013 11:07:16.977:77037) :  cwd=/ 
type=SYSCALL msg=audit(12/03/2013 11:07:16.977:77037) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f2595990541 a1=0x7fffd0711890 a2=0x7fffd0711890 a3=0x3 items=1 ppid=1 pid=18757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bmc-watchdog exe=/usr/sbin/bmc-watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(12/03/2013 11:07:16.977:77037) : avc:  denied  { getattr } for  pid=18757 comm=bmc-watchdog path=/var/lib/freeipmi/ipckey dev="sda4" ino=2494726 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 
----
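As an added example (not part of the bug report or of the selinux-policy project), a small parser that reduces AVC records like the ones above to the source type, target type, object class and permissions a policy writer works from; the sample lines are constructed from the three denials quoted in this comment, and the list of generic file types used to flag probable labeling gaps is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in Comment 2.
SAMPLE_AUDIT = """\
type=AVC msg=audit(12/03/2013 11:07:16.975:76987) : avc:  denied  { read write } for  pid=18757 comm=bmc-watchdog name=ipmi0 dev="devtmpfs" ino=4460792 scontext=system_u:system_r:watchdog_t:s0 tcontext=unconfined_u:object_r:ipmi_device_t:s0 tclass=chr_file
type=AVC msg=audit(12/03/2013 11:07:16.976:76988) : avc:  denied  { read } for  pid=18757 comm=bmc-watchdog name=mem dev="devtmpfs" ino=1027 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC msg=audit(12/03/2013 11:07:16.977:77037) : avc:  denied  { getattr } for  pid=18757 comm=bmc-watchdog path=/var/lib/freeipmi/ipckey dev="sda4" ino=2494726 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed list of generic types: a denial against one of these usually means the
# object lacks a specific file context, not that an allow rule is missing.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t", "default_t", "unlabeled_t"}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize_denials(audit_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH/CWD/SYSCALL records carry no denial of their own
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary as the allow rules audit2allow would propose, sorted."""
    rules = []
    for (src, tgt, cls), perms in summary.items():
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return sorted(rules)


def suspect_labeling(summary):
    """Return target types from the generic list, i.e. denials to fix by relabeling."""
    return sorted(tgt for (_, tgt, _) in summary if tgt in GENERIC_TYPES)
```

Run over the sample, the ipckey denial against var_lib_t is reported by suspect_labeling, which matches the direction the discussion takes: the fix was a dedicated freeipmi policy with its own labels rather than allow rules on generic types.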

Comment 3 Miroslav Grepl 2013-12-03 10:42:53 UTC
Milos, I see

$ rpm -ql freeipmi-bmc-watchdog
/etc/sysconfig/bmc-watchdog
/usr/lib/systemd/system/bmc-watchdog.service
/usr/sbin/bmc-watchdog
/usr/share/doc/freeipmi/COPYING.bmc-watchdog
/usr/share/doc/freeipmi/DISCLAIMER.bmc-watchdog
/usr/share/doc/freeipmi/DISCLAIMER.bmc-watchdog.UC
/usr/share/man/man8/bmc-watchdog.8.gz


on my F20 system. It looks like /var/lib/freeipmi is created on the fly.

Comment 4 Milos Malik 2013-12-03 10:45:21 UTC
It's a part of another package:

# rpm -qf /var/lib/freeipmi
freeipmi-1.2.9-2.el7.x86_64
# rpm -qf /var/lib/freeipmi/ipckey
freeipmi-1.2.9-2.el7.x86_64
#

Comment 5 Miroslav Grepl 2013-12-03 11:26:33 UTC
Ok, taking back. 

We have more services from freeipmi which run as init_t. So we would introduce

freeipmi.pp

Comment 7 Miroslav Grepl 2013-12-10 13:29:26 UTC
commit dee0ab128c1730828e041645811da995a2929f0b
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 5 17:11:53 2013 +0100

    Add policy for freeipmi services

Comment 10 Miroslav Grepl 2013-12-12 14:02:21 UTC
commit 635d073c3124218716c94266a511366d3cb69de6
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 12 15:00:06 2013 +0100

    Update freeipmi policy

Comment 13 Ludek Smid 2014-06-13 12:49:30 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.