Bug 1154742

Summary: xinetd cannot start /usr/sbin/sserver
Product: Red Hat Enterprise Linux 7 Reporter: Patrik Kis <pkis>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: lmiksik, mgrepl, mmalik, pkis, plautrba, pvrabec
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-8.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:46:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrik Kis 2014-10-20 16:27:11 UTC 
Description of problem:
Selinux-policy prevents xinetd to start sserver (from krb5 package). This used to work on RHEL-6 and RHEL-7.0 too.

type=SYSCALL msg=audit(1413821422.744:21218): arch=80000016 syscall=11 success=no exit=-13 a0=2aad8e02040 a1=2aad8e025e0 a2=2aad8df6890 a3=0 items=0 ppid=9732 pid=9860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1413821422.744:21218): avc:  denied  { entrypoint } for  pid=9860 comm="xinetd" path="/usr/sbin/sserver" dev="dm-1" ino=71377489 scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-4.el7.noarch

How reproducible:
always
Comment 3 Milos Malik 2014-10-20 17:15:31 UTC 
Here is the only AVC that appeared in permissive mode:
----
type=PATH msg=audit(10/20/2014 19:13:33.150:833) : item=1 name=(null) inode=33658149 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL 
type=PATH msg=audit(10/20/2014 19:13:33.150:833) : item=0 name=/usr/sbin/sserver inode=35800899 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/20/2014 19:13:33.150:833) :  cwd=/ 
type=EXECVE msg=audit(10/20/2014 19:13:33.150:833) : argc=1 a0=sserver 
type=SYSCALL msg=audit(10/20/2014 19:13:33.150:833) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f459ade8890 a1=0x7f459addd8d0 a2=0x7f459ade3230 a3=0x353a383965663a66 items=2 ppid=9066 pid=9214 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sserver exe=/usr/sbin/sserver subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/20/2014 19:13:33.150:833) : avc:  denied  { entrypoint } for  pid=9214 comm=xinetd path=/usr/sbin/sserver dev="vda2" ino=35800899 scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file 
----

# rpm -qf /usr/sbin/sserver 
krb5-server-1.12.2-8.el7.x86_64
# matchpathcon /usr/sbin/sserver 
/usr/sbin/sserver	system_u:object_r:bin_t:s0
#
Comment 4 Miroslav Grepl 2014-11-03 10:24:10 UTC 
Yes, this is caused by changes related to unconfined_services_t.

And now we have

corecmd_bin_domtrans(inetd_t, inetd_child_t)

optional_policy(`
    unconfined_domain(inetd_child_t)
').
Comment 5 Miroslav Grepl 2014-11-03 10:26:07 UTC 
Either we confine sserver 

or we add general rule

corecmd_bin_entry_type(inetd_child_t)

for these cases.

QA guys,
could you try to test it with this rule to see how it works.
Comment 6 Patrik Kis 2014-11-04 11:08:37 UTC 
Relabelling the sserver to inetd_child_exec_t helped; i.e. after 

# chcon -v --type inetd_child_exec_t /usr/sbin/sserver 

sserver was successfully started by xinetd and no AVC denials appeared.

Should I do a different test, please let me know.
Comment 7 Miroslav Grepl 2014-11-04 12:55:49 UTC 
I meant a local policy with


corecmd_bin_entry_type(inetd_child_t)


# chcon -v --type inetd_child_exec_t /usr/sbin/sserver 

is not a good label for sserver. It should be more something related to kerberos.
Comment 8 Patrik Kis 2014-11-04 14:48:47 UTC 
(In reply to Miroslav Grepl from comment #7)
> I meant a local policy with
> 
> 
> corecmd_bin_entry_type(inetd_child_t)
> 
Could you please specify exactly what policy should tested? Building a custom policy module just with the line above is failing. So it probably need something else, but I do not know what exactly.
Comment 9 Miroslav Grepl 2014-11-05 09:12:50 UTC 
$ cat mypol.te
policy_module(mypol, 1.0)

require{
 type inetd_child_t;
}

corecmd_bin_entry_type(inetd_child_t)



and 

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
Comment 10 Patrik Kis 2014-11-05 09:27:13 UTC 
This policy module helped. The daemon sserver started and no AVC denials appeared.
Comment 11 Miroslav Grepl 2014-11-05 09:55:45 UTC 
commit 0ae616507aa951f641b1362a91aee7df2e1f0cb9
Author: Miroslav Grepl <mgrepl>
Date:   Wed Nov 5 10:55:01 2014 +0100

    Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.
Comment 15 errata-xmlrpc 2015-03-05 10:46:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html