Bug 1038187

Summary: snapperd runs as initrc_t
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: jcpunk
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-122.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 12:35:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 877026
Bug Blocks: 848829

Description Milos Malik 2013-12-04 15:05:28 UTC
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch
snapper-0.1.7-1.el7.x86_64
snapper-libs-0.1.7-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# ps -efZ | grep -e init_t -e initrc_t
system_u:system_r:init_t:s0     root         1     0  0 10:09 ?        00:00:03 /usr/lib/systemd/systemd --switched-root --system --deserialize 23
system_u:system_r:init_t:s0     root     21493     1  0 15:20 ?        00:00:00 /usr/lib/systemd/systemd-machined
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 24168 2430  0 16:02 pts/0 00:00:00 grep --color=auto -e init_t -e initrc_t
# gdbus introspect --system -o / -d org.opensuse.Snapper >& /dev/null
# ps -efZ | grep -e init_t -e initrc_t
system_u:system_r:init_t:s0     root         1     0  0 10:09 ?        00:00:03 /usr/lib/systemd/systemd --switched-root --system --deserialize 23
system_u:system_r:init_t:s0     root     21493     1  0 15:20 ?        00:00:00 /usr/lib/systemd/systemd-machined
system_u:system_r:initrc_t:s0-s0:c0.c1023 root 24172 1  0 16:02 ?      00:00:00 /usr/sbin/snapperd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 24174 2430  0 16:02 pts/0 00:00:00 grep --color=auto -e init_t -e initrc_t
#

Actual results:
 * snapperd runs as initrc_t

Expected results:
 * snapperd runs in its own SELinux domain

Comment 1 Miroslav Grepl 2013-12-04 15:18:33 UTC
We have this policy in Fedora.

Comment 2 Milos Malik 2014-01-24 09:37:22 UTC
# rpm -qa | grep -e selinux-policy -e snapper | sort
selinux-policy-3.12.1-120.el7.noarch
selinux-policy-devel-3.12.1-120.el7.noarch
selinux-policy-doc-3.12.1-120.el7.noarch
selinux-policy-minimum-3.12.1-120.el7.noarch
selinux-policy-mls-3.12.1-120.el7.noarch
selinux-policy-sandbox-3.12.1-120.el7.noarch
selinux-policy-targeted-3.12.1-120.el7.noarch
snapper-0.1.7-2.el7.x86_64
snapper-libs-0.1.7-2.el7.x86_64
#

Here is the only AVC caught in enforcing mode:
----
type=PATH msg=audit(01/24/2014 10:32:29.980:439) : item=0 name=/usr/sbin/snapperd inode=18758096 dev=fd:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:snapperd_exec_t:s0 objtype=NORMAL 
type=CWD msg=audit(01/24/2014 10:32:29.980:439) :  cwd=/ 
type=SYSCALL msg=audit(01/24/2014 10:32:29.980:439) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0x7f478ab43740 a1=0x7f478ab436d0 a2=0x7f478ab43010 a3=0x0 items=1 ppid=11449 pid=11450 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dbus-daemon-lau exe=/usr/lib64/dbus-1/dbus-daemon-launch-helper subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/24/2014 10:32:29.980:439) : avc:  denied  { execute } for  pid=11450 comm=dbus-daemon-lau name=snapperd dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file 
----

Comment 3 Milos Malik 2014-01-24 09:40:45 UTC
Here are AVCs caught in permissive mode:
----
time->Fri Jan 24 10:38:06 2014
type=PATH msg=audit(1390556286.582:456): item=2 name=(null) inode=17427261 dev=fd:03 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=NORMAL
type=PATH msg=audit(1390556286.582:456): item=1 name=(null) inode=17427261 dev=fd:03 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=NORMAL
type=PATH msg=audit(1390556286.582:456): item=0 name="/var/log/" inode=16818314 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT
type=CWD msg=audit(1390556286.582:456):  cwd="/"
type=SYSCALL msg=audit(1390556286.582:456): arch=c000003e syscall=2 success=yes exit=6 a0=1d661e8 a1=80441 a2=1b6 a3=0 items=3 ppid=12620 pid=12621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1390556286.582:456): avc:  denied  { open } for  pid=12621 comm="snapperd" path="/var/log/snapper.log" dev="vda3" ino=17427261 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
----
time->Fri Jan 24 10:38:06 2014
type=PATH msg=audit(1390556286.450:455): item=1 name=(null) inode=17729408 dev=fd:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
type=PATH msg=audit(1390556286.450:455): item=0 name="/usr/sbin/snapperd" inode=18758096 dev=fd:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:snapperd_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(1390556286.450:455):  cwd="/"
type=EXECVE msg=audit(1390556286.450:455): argc=1 a0="/usr/sbin/snapperd"
type=SYSCALL msg=audit(1390556286.450:455): arch=c000003e syscall=59 success=yes exit=0 a0=7f3a92f6d740 a1=7f3a92f6d6d0 a2=7f3a92f6d010 a3=0 items=2 ppid=12620 pid=12621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1390556286.450:455): avc:  denied  { execute_no_trans } for  pid=12621 comm="dbus-daemon-lau" path="/usr/sbin/snapperd" dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file
type=AVC msg=audit(1390556286.450:455): avc:  denied  { open } for  pid=12621 comm="dbus-daemon-lau" path="/usr/sbin/snapperd" dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file
type=AVC msg=audit(1390556286.450:455): avc:  denied  { execute } for  pid=12621 comm="dbus-daemon-lau" name="snapperd" dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file
----
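Added example, not code from the bug report or from snapper/selinux-policy: a small parser over the AVC records quoted in Comments 2 and 3 that flags the pattern they share, a domain (here system_dbusd_t) denied execute on a file labelled *_exec_t, which is the signature of a labelled binary whose launcher has no transition rule into the target domain. The target domain name it prints (snapperd_t) is derived from the conventional X_exec_t/X_t naming and is an assumption, not a name taken from the page.

```python
# Added example for this bug report; not code from snapper or selinux-policy.
# Parses audit AVC records and flags the denial pattern seen in Comments 2/3.
import re
from typing import Any, Dict, List, Optional

# AVC records copied from Comments 2 and 3 (one enforcing-mode, three
# permissive-mode), used here as constructed sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(01/24/2014 10:32:29.980:439) : avc:  denied  { execute } for  pid=11450 comm=dbus-daemon-lau name=snapperd dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file
type=AVC msg=audit(1390556286.450:455): avc:  denied  { execute_no_trans } for  pid=12621 comm="dbus-daemon-lau" path="/usr/sbin/snapperd" dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file
type=AVC msg=audit(1390556286.450:455): avc:  denied  { execute } for  pid=12621 comm="dbus-daemon-lau" name="snapperd" dev="vda3" ino=18758096 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_exec_t:s0 tclass=file
type=AVC msg=audit(1390556286.582:456): avc:  denied  { open } for  pid=12621 comm="snapperd" path="/var/log/snapper.log" dev="vda3" ino=17427261 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

_PERMS = re.compile(r"denied\s+\{\s*([^}]*)\}")   # "{ execute open }"
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
EXEC_PERMS = {"execute", "execute_no_trans"}


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one type=AVC record, or None for other lines."""
    m = _PERMS.search(line)
    if "type=AVC" not in line or not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV.findall(line)}
    if not all(k in kv for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": set(m.group(1).split()),
        "comm": kv.get("comm", "?"),
        "sdomain": kv["scontext"].split(":")[2],   # type of the subject
        "ttype": kv["tcontext"].split(":")[2],     # type of the target
        "tclass": kv["tclass"],
    }


def missing_transitions(lines) -> List[str]:
    """Flag execute denials by domain S on an X_exec_t file: S has no rule
    to run X, so enforcing mode blocks the launch and permissive mode leaves
    the child in S (Comment 3: snapperd with subj=system_dbusd_t), not X_t."""
    hits: List[str] = []
    for d in filter(None, map(parse_avc, lines)):
        if (d["tclass"] == "file" and d["perms"] & EXEC_PERMS
                and d["ttype"].endswith("_exec_t")):
            # Assumed conventional naming: X_exec_t is the entrypoint of X_t.
            target = d["ttype"][: -len("_exec_t")] + "_t"
            note = f'{d["sdomain"]} -> {target} via {d["ttype"]}'
            if note not in hits:
                hits.append(note)
    return hits
```

Running `missing_transitions(SAMPLE_AVCS.splitlines())` reports a single missing transition, system_dbusd_t -> snapperd_t via snapperd_exec_t, while the /var/log/snapper.log denial is left alone because it is a consequence of the process staying in the wrong domain, not a transition problem.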

Comment 7 Ludek Smid 2014-06-13 12:35:25 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.