Bug 1084977

Summary: Policy for openlmi-providers, journald provider
Product: Red Hat Enterprise Linux 7
Reporter: Tomáš Bžatek <tbzatek>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: mmalik, tsmetana
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:38:24 UTC
Type: Bug

Description Tomáš Bžatek 2014-04-07 12:54:38 UTC
As a continuation of bug 1024787, I have found more AVCs that prevent the journald openlmi provider from working properly. Opening a new bug report to prevent breakage in the late 7.0 cycle.

selinux-policy-3.12.1-151.el7.noarch

Default context of /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt is "system_u:object_r:pegasus_openlmi_admin_exec_t:s0". Also tried "pegasus_openlmi_system_t" with no difference.

Getting these AVCs in enforcing mode:

type=AVC msg=audit(1396874196.379:403): avc:  denied  { read } for  pid=2371 comm="cimprovagt" name="journal" dev="tmpfs" ino=8225 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir

Permissive mode reveals several more:

type=AVC msg=audit(1396874661.620:413): avc:  denied  { read } for  pid=2449 comm="cimprovagt" name="journal" dev="tmpfs" ino=8225 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir

type=AVC msg=audit(1396874661.620:414): avc:  denied  { read } for  pid=2449 comm="cimprovagt" name="system.journal" dev="tmpfs" ino=8227 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file

type=AVC msg=audit(1396874661.620:414): avc:  denied  { open } for  pid=2449 comm="cimprovagt" path="/run/log/journal/24dd5c5103df43af9792d34744c14b71/system.journal" dev="tmpfs" ino=8227 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file

type=AVC msg=audit(1396874661.620:415): avc:  denied  { getattr } for  pid=2449 comm="cimprovagt" path="/run/log/journal/24dd5c5103df43af9792d34744c14b71/system.journal" dev="tmpfs" ino=8227 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file

type=AVC msg=audit(1396874661.620:416): avc:  denied  { getattr } for  pid=2449 comm="cimprovagt" name="/" dev="tmpfs" ino=1154 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem


This is on a recent 7.0 system, where journald is configured to non-persistent storage, I guess, residing in /run/log/journal. In Fedora 20, log files seem to reside in /var/log/journal for persistency. The AVCs are a bit different:

type=AVC msg=audit(1396621304.832:1708): avc:  denied  { read } for  pid=17765 comm="cimprovagt" name="journal" dev="dm-1" ino=265576 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir

type=AVC msg=audit(1396621868.351:1737): avc:  denied  { read } for  pid=17922 comm="cimprovagt" name="user-1000.journal" dev="dm-1" ino=266988 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1396621868.351:1737): avc:  denied  { open } for  pid=17922 comm="cimprovagt" path="/var/log/journal/f171ae8c7b22634415aecd50465d9ef2/user-1000.journal" dev="dm-1" ino=266988 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

It would be great to cover both cases for RHEL 7.1 in case somebody turns persistency on.

Comment 1 Tomáš Bžatek 2014-04-07 13:04:30 UTC
Steps to repro:

$ lmishell -n
> c = connect("localhost", "root", "password")
> i = c.root.cimv2.LMI_JournalMessageLog.first_instance()
> r = i.PositionToFirstRecord()
> print r
LMIReturnValue(rval=2, rparams=NocaseDict({}), errorstr='')

^^ The rval should be zero and the rparams dict should not be empty; switching to Permissive mode returns valid data.

Comment 2 Miroslav Grepl 2014-09-09 07:35:05 UTC
#============= pegasus_openlmi_admin_t ==============

#!!!! This avc is allowed in the current policy
allow pegasus_openlmi_admin_t syslogd_var_run_t:dir read;

#!!!! This avc is allowed in the current policy
allow pegasus_openlmi_admin_t syslogd_var_run_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow pegasus_openlmi_admin_t tmpfs_t:filesystem getattr;

#!!!! This avc is allowed in the current policy
allow pegasus_openlmi_admin_t var_log_t:dir read;

#!!!! This avc is allowed in the current policy
allow pegasus_openlmi_admin_t var_log_t:file { read open };
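
As an added illustration (not code from the report or from the selinux-policy project), the aggregation step that turns the AVC records quoted in the description into the candidate rules shown in comment 2: it parses each denial, keys it by source type, target type and object class, and merges the permissions, which is what audit2allow does. The sample lines are the report's own denials, copied verbatim.

```python
import re

# AVC denials quoted in this report: RHEL 7.0 with the volatile journal under
# /run/log/journal (syslogd_var_run_t) and Fedora 20 under /var/log/journal (var_log_t).
SAMPLE_AVCS = """\
type=AVC msg=audit(1396874661.620:413): avc:  denied  { read } for  pid=2449 comm="cimprovagt" name="journal" dev="tmpfs" ino=8225 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1396874661.620:414): avc:  denied  { read } for  pid=2449 comm="cimprovagt" name="system.journal" dev="tmpfs" ino=8227 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1396874661.620:414): avc:  denied  { open } for  pid=2449 comm="cimprovagt" path="/run/log/journal/24dd5c5103df43af9792d34744c14b71/system.journal" dev="tmpfs" ino=8227 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1396874661.620:415): avc:  denied  { getattr } for  pid=2449 comm="cimprovagt" path="/run/log/journal/24dd5c5103df43af9792d34744c14b71/system.journal" dev="tmpfs" ino=8227 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1396874661.620:416): avc:  denied  { getattr } for  pid=2449 comm="cimprovagt" name="/" dev="tmpfs" ino=1154 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
type=AVC msg=audit(1396621304.832:1708): avc:  denied  { read } for  pid=17765 comm="cimprovagt" name="journal" dev="dm-1" ino=265576 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1396621868.351:1737): avc:  denied  { read } for  pid=17922 comm="cimprovagt" name="user-1000.journal" dev="dm-1" ino=266988 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1396621868.351:1737): avc:  denied  { open } for  pid=17922 comm="cimprovagt" path="/var/log/journal/f171ae8c7b22634415aecd50465d9ef2/user-1000.journal" dev="dm-1" ino=266988 scontext=system_u:system_r:pegasus_openlmi_admin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Only the fields an allow rule is built from: denied permissions, the type
# component (third field) of scontext and tcontext, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):.*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):.*?tclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None for non-AVC text."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return m["stype"], m["ttype"], m["tclass"], m["perms"].split()

def aggregate(lines):
    """Group denials into one bucket per (source, target, class), merging permissions."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # blank line, non-AVC record, or a line mangled by copy/paste
        stype, ttype, tclass, perms = parsed
        bucket = rules.setdefault((stype, ttype, tclass), [])
        for perm in perms:
            if perm not in bucket:  # the same open/read shows up once per access
                bucket.append(perm)
    return rules

def render(rules):
    """Emit allow rules in the shape audit2allow prints them."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out

print("\n".join(render(aggregate(SAMPLE_AVCS.splitlines()))))
```

The output describes what cmpiLMI_Journald actually touches on each journal layout; whether the installed policy already grants it is a separate lookup against the loaded policy (for example with sesearch), which is what the "!!!! This avc is allowed in the current policy" markers in comment 2 record.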

Comment 7 errata-xmlrpc 2015-03-05 10:38:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html