Bug 1058772
| Summary: | /razor-agent.log is in / once system is in enforcing mode | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michal Bruncko <michal.bruncko> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.5 | CC: | dwalsh, jk, mgrepl, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-02-25 11:25:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Michal Bruncko
2014-01-28 14:01:50 UTC
Bumping severity as this allows for DoS of the root partition, which may be small (e.g. cloud system). Also this should probably be CLOSED DUPLICATE of Bz1058772

---

(In reply to Kurt Seifried from comment #3)
> Also this should probably be CLOSED DUPLICATE of Bz1058772

Whoops, I take that back, I meant the other way around. Bz1058772 should be closed as a duplicate of this.

---

Why? The issue is still in place. The only problem that I see is that I am missing the AVC record in audit.log for this issue.

1. I have removed the specific home directory from /etc/sysconfig/spamassassin (it is not defined by default either)
2. have enforcement mode enabled on the system (setenforce 1)
3. restart spamd: /etc/init.d/spamassassin restart

Immediately after the restart, the /razor-agent.log file was created with contents:

    Feb 25 19:16:37.939288 check[30902]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to file:razor-agent.log

For me, selinux is preventing the use/creation of "razor-agent.log" in the /root/.razor/ directory (as the effective user for spamd is "root" by default). This issue needs to be resolved either with:

1. adjusting the existing selinux rules for the /root/.razor/ directory (hopefully including the /root directory), or
2. changing/setting an explicit home directory for the spamd daemon, using a different directory with correct selinux permissions.

This issue is pretty reproducible as well.

---

The razor-agent.log file is created in / even if I run the reproducer in permissive mode.
But the following AVCs appear (they did not appear in enforcing mode):

```
----
type=PATH msg=audit(02/26/2015 10:35:20.307:458) : item=1 name=/root/.razor inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
type=PATH msg=audit(02/26/2015 10:35:20.307:458) : item=0 name=/root/ inode=131077 dev=fc:03 mode=dir,550 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:admin_home_t:s0 nametype=PARENT
type=CWD msg=audit(02/26/2015 10:35:20.307:458) : cwd=/
type=SYSCALL msg=audit(02/26/2015 10:35:20.307:458) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x4511f00 a1=0755 a2=0x39f9742088 a3=0x10 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc: denied { create } for pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc: denied { add_name } for pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc: denied { write } for pid=26040 comm=spamd name=root dev=vda3 ino=131077 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
----
type=PATH msg=audit(02/26/2015 10:35:20.722:459) : item=1 name=/root/.razor/servers.discovery.lst.lock inode=341920 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
type=PATH msg=audit(02/26/2015 10:35:20.722:459) : item=0 name=/root/.razor/ inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=CWD msg=audit(02/26/2015 10:35:20.722:459) : cwd=/
type=SYSCALL msg=audit(02/26/2015 10:35:20.722:459) : arch=x86_64 syscall=open success=yes exit=9 a0=0x451deb0 a1=O_WRONLY|O_CREAT|O_TRUNC a2=0666 a3=0x39f971dd50 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc: denied { write open } for pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc: denied { create } for pid=26040 comm=spamd name=servers.discovery.lst.lock scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc: denied { add_name } for pid=26040 comm=spamd name=servers.discovery.lst.lock scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc: denied { write } for pid=26040 comm=spamd name=.razor dev=vda3 ino=344223 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
----
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:460) : arch=x86_64 syscall=ioctl success=no exit=-25(Inappropriate ioctl for device) a0=0x9 a1=0x5401 a2=0x7fffb152f350 a3=0x48 items=0 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(02/26/2015 10:35:20.723:460) : avc: denied { ioctl } for pid=26040 comm=spamd path=/root/.razor/servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:461) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x9 a1=0x13890a0 a2=0x13890a0 a3=0x0 items=0 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(02/26/2015 10:35:20.723:461) : avc: denied { getattr } for pid=26040 comm=spamd path=/root/.razor/servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
type=PATH msg=audit(02/26/2015 10:35:20.723:462) : item=1 name=/root/.razor/servers.discovery.lst.lock inode=341920 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=DELETE
type=PATH msg=audit(02/26/2015 10:35:20.723:462) : item=0 name=/root/.razor/ inode=344223 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=CWD msg=audit(02/26/2015 10:35:20.723:462) : cwd=/
type=SYSCALL msg=audit(02/26/2015 10:35:20.723:462) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x451df40 a1=0x13890a0 a2=0x13890a0 a3=0x28 items=2 ppid=26038 pid=26040 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc: denied { unlink } for pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc: denied { remove_name } for pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
----
```
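To read a dump like the one above the way a policy maintainer does (which source type is denied which permissions on which target type and object class), here is a small Python parser; it is an added example, not part of the bug report, and its sample input is a constructed subset of the AVC records quoted above, in the same interpreted layout.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records from the comment above, in the
# same interpreted layout, plus one SYSCALL record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc: denied { create } for pid=26040 comm=spamd name=.razor scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(02/26/2015 10:35:20.307:458) : avc: denied { write } for pid=26040 comm=spamd name=root dev=vda3 ino=131077 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(02/26/2015 10:35:20.307:458) : arch=x86_64 syscall=mkdir success=yes exit=0 comm=spamd exe=/usr/bin/perl subj=unconfined_u:system_r:spamd_t:s0 key=(null)
type=AVC msg=audit(02/26/2015 10:35:20.722:459) : avc: denied { write open } for pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(02/26/2015 10:35:20.723:462) : avc: denied { unlink } for pid=26040 comm=spamd name=servers.discovery.lst.lock dev=vda3 ino=341920 scontext=unconfined_u:system_r:spamd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def selinux_type(context):
    """Return the type of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize_denials(audit_text):
    """Group denials by (source type, target type, object class).

    Returns {(stype, ttype, tclass): (denied permissions, object names)};
    the permission grouping is the one audit2allow works from.
    """
    perms = defaultdict(set)
    names = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, CWD and SYSCALL records carry no denial of their own
        fields = dict(KV_RE.findall(m.group("rest")))
        key = (selinux_type(fields["scontext"]),
               selinux_type(fields["tcontext"]),
               fields["tclass"])
        perms[key].update(m.group("perms").split())
        names[key].add(fields.get("name") or fields.get("path", "?"))
    return {k: (perms[k], names[k]) for k in perms}


if __name__ == "__main__":
    for (src, tgt, cls), (p, n) in sorted(summarize_denials(SAMPLE_AUDIT).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(p))}  objects: {', '.join(sorted(n))}")
```

Run against the full dump above, the output collapses to two lines (spamd_t on admin_home_t dirs and files), which is the whole policy gap behind the bug: spamd_t has no rights in /root, so the .razor directory can never be created in enforcing mode.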
---

Yes, you're right. If the /root/.razor/ directory does not exist, razor-agent.log will be created in the root directory even in permissive mode. But once that directory exists, it will be selected for storing the razor-agent.log file. Now if you remove /razor-agent.log and restart the spamd daemon, the file will be created in the /root/.razor/ directory instead of the root directory.

I see two issues there:

1. /root/.razor/ is created in permissive mode, but not used for storing the razor-agent.log file after its creation (but on every next restart of the spamd daemon, the new directory /root/.razor/ will be used for storing the razor-agent.log file in permissive mode).
2. In enforcing selinux mode, the /root/.razor/ directory will not be created and thus the file razor-agent.log will always be stored in the root directory instead.

Summary: The first issue is caused by the razor part of the spamassassin package (perl-Razor-Agent-2.85-6.el6.x86_64 package?). The second issue is caused by selinux restrictions.