Bug 1181613

Summary: ifup under mls / sysadm_r cannot execute systemd-sysctl
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.1
Hardware: ppc64le
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: ---
Fixed In Version: selinux-policy-3.13.1-40.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-11-19 10:25:09 UTC
Reporter: Jiri Jaburek <jjaburek>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Jiri Jaburek <jjaburek>
CC: ksrot, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Story Points: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jiri Jaburek 2015-01-13 13:09:58 UTC
Description of problem:

If I do 'ifup' on a VLAN interface (or any other interface, I presume), I get:

[root/sysadm_r/s0]# ifup vlan1
/usr/sbin/ifup: line 141: /usr/lib/systemd/systemd-sysctl: Permission denied

ausearch reveals at least

time->Tue Jan 13 13:48:45 2015
type=SYSCALL msg=audit(1421153325.557:817): arch=c0000015 syscall=11 success=yes exit=0 a0=1000f1b7d90 a1=1000f1831f0 a2=1000f1b8d40 a3=0 items=0 ppid=14749 pid=14772 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421153325.557:817): avc:  denied  { execute_no_trans } for  pid=14772 comm="ifup" path="/usr/lib/systemd/systemd-sysctl" dev="dm-1" ino=537647072 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file
type=AVC msg=audit(1421153325.557:817): avc:  denied  { execute } for  pid=14772 comm="ifup" name="systemd-sysctl" dev="dm-1" ino=537647072 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file

with audit2allow showing:

#============= sysadm_t ==============
allow sysadm_t systemd_sysctl_exec_t:file { execute execute_no_trans };

but there are more AVCs during ifup execution, some of which might block important actions which don't trigger an explicit error:

----
time->Tue Jan 13 13:48:45 2015
type=SYSCALL msg=audit(1421153325.557:817): arch=c0000015 syscall=11 success=yes exit=0 a0=1000f1b7d90 a1=1000f1831f0 a2=1000f1b8d40 a3=0 items=0 ppid=14749 pid=14772 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421153325.557:817): avc:  denied  { execute_no_trans } for  pid=14772 comm="ifup" path="/usr/lib/systemd/systemd-sysctl" dev="dm-1" ino=537647072 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file
type=AVC msg=audit(1421153325.557:817): avc:  denied  { execute } for  pid=14772 comm="ifup" name="systemd-sysctl" dev="dm-1" ino=537647072 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file
----
time->Tue Jan 13 13:48:45 2015
type=SYSCALL msg=audit(1421153325.597:819): arch=c0000015 syscall=11 success=yes exit=0 a0=10025fec4a0 a1=10025ff0550 a2=10025fb9f00 a3=0 items=0 ppid=14749 pid=14808 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="arping" exe="/usr/sbin/arping" subj=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421153325.597:819): avc:  denied  { noatsecure } for  pid=14808 comm="arping" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1421153325.597:819): avc:  denied  { siginh } for  pid=14808 comm="arping" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1421153325.597:819): avc:  denied  { rlimitinh } for  pid=14808 comm="arping" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tclass=process
----
time->Tue Jan 13 13:48:45 2015
type=SYSCALL msg=audit(1421153325.597:820): arch=c0000015 syscall=5 success=yes exit=3 a0=3fffb31d7948 a1=80000 a2=1 a3=fefefefefefefeff items=0 ppid=14749 pid=14808 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="arping" exe="/usr/sbin/arping" subj=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421153325.597:820): avc:  denied  { read } for  pid=14808 comm="arping" name="ld.so.cache" dev="dm-1" ino=1821122 scontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s15:c0.c1023 tclass=file
----
time->Tue Jan 13 13:48:45 2015
type=SYSCALL msg=audit(1421153325.597:821): arch=c0000015 syscall=108 success=yes exit=0 a0=3 a1=3fffef237420 a2=3fffef237420 a3=fefefefefefefeff items=0 ppid=14749 pid=14808 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="arping" exe="/usr/sbin/arping" subj=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421153325.597:821): avc:  denied  { getattr } for  pid=14808 comm="arping" path="/etc/ld.so.cache" dev="dm-1" ino=1821122 scontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s15:c0.c1023 tclass=file

and audit2allow:

#============= netutils_t ==============
libs_use_ld_so(netutils_t)

#============= sysadm_t ==============
allow sysadm_t netutils_t:process { siginh noatsecure rlimitinh };
allow sysadm_t systemd_sysctl_exec_t:file { execute execute_no_trans };


All of the above is (again) under sysadm_r, with the sysadm_secadm module disabled (au* commands are done under secadm_r). Enabling the module seems to trigger even more AVCs on ifup, but since I'm running with dontaudit disabled, those could be false positives (as well as the output above!).


My conclusion is that the simple

  allow sysadm_t systemd_sysctl_exec_t:file { execute execute_no_trans };

fixes the Permission denied error itself and I don't see any additional side effects, although I don't know how to reliably test whether some sysctls (interface-specific?) are really being changed.

Also, should this be a supported operation on user-invoked ifup, or is this something that should be available only via systemd (as a daemon)?


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-16.el7.noarch

How reproducible:
always

Actual results:
ifup throws a permission denied error in mls under sysadm_r

Expected results:
ifup doesn't throw the error, succeeds successfully

Additional info:
This might be new systemd functionality, see bug 1138591.
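
The reporter works through the AVC records by hand and feeds them to audit2allow. As an added illustration, not part of the bug report or of selinux-policy, the script below parses the AVC lines quoted above (embedded as a constructed sample) and regroups them the way audit2allow does: one candidate rule per (source type, target type, object class). It also separates the two things the reporter is unsure about: the `noatsecure`/`siginh`/`rlimitinh` process permissions, which are the kind of transition-time denials that a policy normally covers with dontaudit rules and which therefore show up only because dontaudit was disabled, and the ld.so.cache denials, where the subject range and the object level differ and so point at MLS rather than at a missing type-enforcement rule. The record format is the standard `type=AVC` line from auditd; the helper names (`parse_avc`, `summarize`, `format_rules`, `transition_noise`, `mls_levels`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the bug description,
# plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1421153325.557:817): arch=c0000015 syscall=11 success=yes exit=0 pid=14772 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1421153325.557:817): avc:  denied  { execute_no_trans } for  pid=14772 comm="ifup" path="/usr/lib/systemd/systemd-sysctl" dev="dm-1" ino=537647072 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file
type=AVC msg=audit(1421153325.557:817): avc:  denied  { execute } for  pid=14772 comm="ifup" name="systemd-sysctl" dev="dm-1" ino=537647072 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_sysctl_exec_t:s0 tclass=file
type=AVC msg=audit(1421153325.597:819): avc:  denied  { noatsecure } for  pid=14808 comm="arping" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1421153325.597:819): avc:  denied  { siginh } for  pid=14808 comm="arping" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1421153325.597:819): avc:  denied  { rlimitinh } for  pid=14808 comm="arping" scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tclass=process
type=AVC msg=audit(1421153325.597:820): avc:  denied  { read } for  pid=14808 comm="arping" name="ld.so.cache" dev="dm-1" ino=1821122 scontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s15:c0.c1023 tclass=file
type=AVC msg=audit(1421153325.597:821): avc:  denied  { getattr } for  pid=14808 comm="arping" path="/etc/ld.so.cache" dev="dm-1" ino=1821122 scontext=staff_u:sysadm_r:netutils_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s15:c0.c1023 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process permissions that a domain transition normally dontaudits;
# they surface only when dontaudit rules are disabled (as in the report).
TRANSITION_NOISE = {"noatsecure", "siginh", "rlimitinh"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def ctx_parts(ctx):
    """Split user:role:type:level, keeping the MLS level/range whole."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, level


def summarize(audit_text):
    """Group denied permissions by (source type, target type, class), like audit2allow."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (ctx_parts(rec["scontext"])[2], ctx_parts(rec["tcontext"])[2], rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def format_rules(rules):
    """Render the grouped denials as candidate allow rules (audit2allow style)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def transition_noise(rec):
    """True if every denied permission is transition noise rather than a real gap."""
    return rec["tclass"] == "process" and rec["perms"] <= TRANSITION_NOISE


def mls_levels(rec):
    """Return (subject range, object level) so an MLS mismatch can be spotted."""
    return ctx_parts(rec["scontext"])[3], ctx_parts(rec["tcontext"])[3]


if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
    for line in SAMPLE_AUDIT.splitlines():
        rec = parse_avc(line)
        if rec and transition_noise(rec):
            print("likely dontaudit noise:", rec["comm"], sorted(rec["perms"]))
        elif rec and rec["tclass"] != "process":
            print("levels:", rec["comm"], mls_levels(rec))
```

Run against the sample, the grouped output reproduces the three rule families the reporter got from audit2allow; only the `systemd_sysctl_exec_t` file rule is what the reporter concluded actually fixes the `Permission denied`, while the process denials are flagged as noise and the ld.so.cache records show a subject range of `s0-s15:c0.c1023` against an object level of `s15:c0.c1023`.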

Comment 9 errata-xmlrpc 2015-11-19 10:25:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html