Bug 1093733
| Summary: | SELinux is stopping libstoragemgmt smis and targetd plugin to use TCP connection. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Gris Ge <fge> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | bgoncalv, marc, mgrepl, mmalik, tasleson |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-21.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-03-05 10:38:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
You will need to use

setsebool -P lsmd_plugin_connect_any 1

boolean. Or is tcp/18700 used by default?

It does work using "setsebool -P lsmd_plugin_connect_any 1". Should this setting be done when libstoragemgmt-smis-plugin is installed, or will it be documented in the lsmcli man page?

man lsmd_plugin_selinux

Are there additional AVCs?

# ausearch -m avc -i -ts recent

It looks like that was all.

# ausearch -m avc -i -ts recent
<no matches>

(In reply to Miroslav Grepl from comment #1)
> You will need to use
>
> setsebool -P lsmd_plugin_connect_any 1
>
> boolean. Or is tcp/18700 used by default?

Milos Malik,

tcp/18700 is not a default port. The libstoragemgmt SMI-S plugin uses pywbem, which acts like a TCP client application. The OS chooses random ports above 1024.

Are you suggesting that we create a man page 'lsmd_plugin_selinux' documenting the SELinux commands to enable SMI-S plugins?

I noticed firefox does not need a SELinux boolean set before making a TCP connection. Is there any application whitelist for making TCP connections?

Meanwhile, a similar bug #1069842 was fixed in selinux-policy-3.12.1-127.el7. Sounds like a regression to me.

Thanks.

The lsmd_plugin_selinux man page already exists and it's part of the selinux-policy-devel package.

Because tcp/18700 is not a default port you need to enable the lsmd_plugin_connect_any boolean to make it work.

The lsmd plugins I know of are confined and run under the lsmd_plugin_t context. On the other hand the firefox process gets its context from the user who runs it - usually unconfined_t, which means it is much less limited.

About the regression point: First enable the lsmd_plugin_connect_any boolean (as described in the man page) and then let me know if new AVCs still appear.

Hi Milos,

Thanks for the explanation. Just realized we are talking about the TCP destination port. Yes. 18700 is the default port for the targetd plugin.
Please allow lsm plugins access to these default destination ports:
===
SMI-S plugin: TCP 5888
SMI-S plugin: TCP 5889
Targetd plugin: TCP 18700
nstor plugin: TCP 2000
===

Re-opening this bug.

Sorry. The TCP ports in the previous comment are incorrect. Please use this list:
====
SMI-S plugin: TCP 5988
#                 ^^^^
SMI-S plugin: TCP 5989
#                 ^^^^
Targetd plugin: TCP 18700
nstor plugin: TCP 2000
===

Thanks for the list of destination ports. I'm going to modify our automated TC to reflect that.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.

The comment above is incorrect. The correct version is below. I'm sorry for any inconvenience.
---------------------------------------------------------------
This request was NOT resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you need to escalate this bug.

The automated TC triggers several AVCs of this kind in enforcing mode:
----
time->Thu Oct 9 22:29:21 2014
type=PATH msg=audit(1412886561.487:651): item=0 name="/etc/passwd" inode=18299892 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1412886561.487:651): cwd="/"
type=SYSCALL msg=audit(1412886561.487:651): arch=c000003e syscall=2 success=no exit=-13 a0=7f257ec09d8a a1=80000 a2=1b6 a3=0 items=1 ppid=7699 pid=9130 auid=4294967295 uid=987 gid=983 euid=987 suid=987 fsuid=987 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886561.487:651): avc: denied { read } for pid=9130 comm="python2" name="passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
The automated TC triggers the following AVCs in permissive mode:
----
time->Thu Oct 9 22:33:43 2014
type=PATH msg=audit(1412886823.501:684): item=0 name="/etc/passwd" inode=18299892 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1412886823.501:684): cwd="/"
type=SYSCALL msg=audit(1412886823.501:684): arch=c000003e syscall=2 success=yes exit=6 a0=7fc67b29bd8a a1=80000 a2=1b6 a3=0 items=1 ppid=23197 pid=23318 auid=4294967295 uid=987 gid=983 euid=987 suid=987 fsuid=987 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886823.501:684): avc: denied { open } for pid=23318 comm="python2" path="/etc/passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1412886823.501:684): avc: denied { read } for pid=23318 comm="python2" name="passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Thu Oct 9 22:33:43 2014
type=SYSCALL msg=audit(1412886823.501:685): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff7c5a3c60 a2=7fff7c5a3c60 a3=0 items=0 ppid=23197 pid=23318 auid=4294967295 uid=987 gid=983 euid=987 suid=987 fsuid=987 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886823.501:685): avc: denied { getattr } for pid=23318 comm="python2" path="/etc/passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
commit b3abda8bb879d820b23ac2a52e2c9ce28bc033d6
Author: Lukas Vrabec <lvrabec>
Date: Mon Oct 13 11:05:33 2014 +0200
Allow lmsd_plugin to read passwd file. BZ(1093733)
https://github.com/selinux-policy/selinux-policy/commit/b3abda8bb879d820b23ac2a52e2c9ce28bc033d6
(In reply to Lukas Vrabec from comment #15)
> commit b3abda8bb879d820b23ac2a52e2c9ce28bc033d6
> Author: Lukas Vrabec <lvrabec>
> Date: Mon Oct 13 11:05:33 2014 +0200
>
> Allow lmsd_plugin to read passwd file. BZ(1093733)
>
> https://github.com/selinux-policy/selinux-policy/commit/
> b3abda8bb879d820b23ac2a52e2c9ce28bc033d6

Just to clarify, the lsmd daemon when starting is doing the following:

Calling getpwnam to see if the user libstoragemgmt is available. If it is, it then makes calls to setgid, setgroups, setuid to drop privileges to that user.

If there is a more appropriate way to do this please let me know.

*** Bug 1162133 has been marked as a duplicate of this bug. ***

commit 928ad6ecbd1963e3466f8f6c68644c6b5d983576
Author: Miroslav Grepl <mgrepl>
Date: Fri Jan 9 14:50:37 2015 +0100
Allow lsm plugins to connect to tcp/18700 by default.
It looks like the problem still persists on selinux-policy-3.13.1-19.el7.noarch
###########################################################################
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/23/2015 12:44:45 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.5mQSBu 2>&1'
----
time->Fri Jan 23 12:57:48 2015
type=USER_AVC msg=audit(1422014268.104:97): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Jan 23 12:58:08 2015
type=SYSCALL msg=audit(1422014288.545:100): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffff3f20b10 a2=10 a3=36 items=0 ppid=25316 pid=25479 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1422014288.545:100): avc: denied { name_connect } for pid=25479 comm="python2" dest=5988 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_http_port_t:s0 tclass=tcp_socket
----
time->Fri Jan 23 12:58:32 2015
type=SYSCALL msg=audit(1422014312.204:103): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff26060050 a2=10 a3=36 items=0 ppid=25504 pid=25743 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1422014312.204:103): avc: denied { name_connect } for pid=25743 comm="python2" dest=5988 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_http_port_t:s0 tclass=tcp_socket
----
time->Fri Jan 23 12:59:28 2015
type=SYSCALL msg=audit(1422014368.542:108): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fffd19f43d0 a2=10 a3=36 items=0 ppid=26158 pid=26313 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1422014368.542:108): avc: denied { name_connect } for pid=26313 comm="python2" dest=5989 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_https_port_t:s0 tclass=tcp_socket
Fail: AVC messages found.
###########################################################################
Jan 23 12:58:10 karkulka setroubleshoot: Plugin Exception restorecon_source
Jan 23 12:58:10 karkulka setroubleshoot: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 5988. For complete SELinux messages. run sealert -l 31ac1246-f696-4c49-9402-bcb3c2060fdf
Jan 23 12:58:10 karkulka python: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 5988.
###########################################################################
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-19.el7.noarch
commit 0d97f0148cebf425381d43813c58ad9f9ce5051b
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 26 12:44:33 2015 +0100
Allow lsmd plugin to connect to tcp/5988 by default.
commit 06a7a977f429373e2b8d0fbee6112c05e13c0976
Author: Miroslav Grepl <mgrepl>
Date: Mon Jan 26 12:42:03 2015 +0100
Allow lsmd plugin to connect to tcp/5989 by default.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0458.html
Description of problem:
When executing these commands:
====
export LSMCLI_URI='smispy+ssl://admin@host:5989?namespace=root/emc&no_ssl_verify=yes'
export LSMCLI_PASSWORD='some_password'
lsmcli list --type systems
====
SELinux will stop the TCP connection:
====
SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

***** Plugin connect_ports (92.2 confidence) suggests *********************

If you want to allow /usr/bin/python2.7 to connect to network port 18700
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 18700
where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, ssh_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests ******************

If you want to allow lsmd to plugin connect any
Then you must tell SELinux about this by enabling the 'lsmd_plugin_connect_any' boolean.
You can read 'None' man page for more details.
Do
setsebool -P lsmd_plugin_connect_any 1

***** Plugin catchall (1.41 confidence) suggests **************************

If you believe that python2.7 should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:lsmd_plugin_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          18700
Host                          fge-rhel7-mock.novalocal
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fge-rhel7-mock.novalocal
Platform                      Linux fge-rhel7-mock.novalocal 3.10.0-121.el7.x86_64 #1 SMP Tue Apr 8 10:48:19 EDT 2014 x86_64 x86_64
Alert Count                   4
First Seen                    2014-05-02 08:53:57 EDT
Last Seen                     2014-05-02 09:30:54 EDT
Local ID                      d7b8c419-5c0f-4c02-9ea5-47c960433d13

Raw Audit Messages
type=AVC msg=audit(1399037454.437:270): avc: denied { name_connect } for pid=3261 comm="python2.7" dest=18700 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1399037454.437:270): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7ffff8a83380 a2=10 a3=68 items=0 ppid=3033 pid=3261 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)

Hash: python,lsmd_plugin_t,unreserved_port_t,tcp_socket,name_connect
=====

Version-Release number of selected component (if applicable):
libstoragemgmt-targetd-plugin-0.0.24-4.el7.noarch
libstoragemgmt-python-0.0.24-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.24-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.24-4.el7.noarch
libstoragemgmt-0.0.24-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install libstoragemgmt-smis-plugin
2. Start the libstoragemgmt daemon: sudo systemctl start libstoragemgmt.service
3. Use lsmcli to list the systems of an SMI-S provider:
export LSMCLI_URI='smispy+ssl://admin@host:5989?namespace=root/emc&no_ssl_verify=yes'
export LSMCLI_PASSWORD='some_password'
lsmcli list --type systems

Actual results:
SELinux stopped the TCP connection of the SMI-S plugin.

Expected results:
No error.

Additional info:
The ONTAP plugin of libstoragemgmt (libstoragemgmt-netapp-plugin) is not impacted.
And these plugins are impacted:
libstoragemgmt-targetd-plugin-0.0.24-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.24-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.24-4.el7.noarch