Bug 1209518
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | redis-server runs as unconfined_service_t because file context pattern is incorrect | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.1 | CC: | lhh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | Flags: | lvrabec: needinfo-, lvrabec: needinfo- |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-32.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1531032 | Environment: | |
| Last Closed: | 2015-11-19 10:31:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
When the correct label is set on the /usr/bin/redis-server file, the redis process triggers an AVC in enforcing mode:
# ls -Z /usr/bin/redis-server
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/redis-server
# chcon -t redis_exec_t /usr/bin/redis-server
# service redis start
Redirecting to /bin/systemctl start redis.service
# service redis status
Redirecting to /bin/systemctl status redis.service
redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled)
Drop-In: /etc/systemd/system/redis.service.d
└─limit.conf
Active: active (running) since Tue 2015-04-07 16:36:17 CEST; 1s ago
Main PID: 23403 (redis-server)
CGroup: /system.slice/redis.service
└─23403 /usr/bin/redis-server 127.0.0.1:6379
Apr 07 16:36:17 rhel71.localdomain systemd[1]: Started Redis persistent key-value database.
# ps -efZ | grep redis
system_u:system_r:redis_t:s0 redis 23403 1 0 16:36 ? 00:00:00 /usr/bin/redis-server 127.0.0.1:6379
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23470 21580 0 16:38 pts/0 00:00:00 grep --color=auto redis
#
----
type=PATH msg=audit(04/07/2015 16:19:46.167:2355) : item=0 name=/proc/sys/net/core/somaxconn objtype=UNKNOWN
type=CWD msg=audit(04/07/2015 16:19:46.167:2355) : cwd=/var/lib/redis
type=SYSCALL msg=audit(04/07/2015 16:19:46.167:2355) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fda9c92957b a1=O_RDONLY a2=0x1b6 a3=0x16f items=1 ppid=1 pid=22044 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/07/2015 16:19:46.167:2355) : avc: denied { search } for pid=22044 comm=redis-server name=net dev="proc" ino=6869 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
The following AVCs appear in permissive mode:
----
type=PATH msg=audit(04/07/2015 16:43:24.339:2493) : item=0 name=/proc/sys/net/core/somaxconn inode=123603 dev=00:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL
type=CWD msg=audit(04/07/2015 16:43:24.339:2493) : cwd=/var/lib/redis
type=SYSCALL msg=audit(04/07/2015 16:43:24.339:2493) : arch=x86_64 syscall=open success=yes exit=5 a0=0x7fd892c4e57b a1=O_RDONLY a2=0x1b6 a3=0x16f items=1 ppid=1 pid=23589 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc: denied { open } for pid=23589 comm=redis-server path=/proc/sys/net/core/somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc: denied { read } for pid=23589 comm=redis-server name=somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc: denied { search } for pid=23589 comm=redis-server name=net dev="proc" ino=6869 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
type=SYSCALL msg=audit(04/07/2015 16:43:24.339:2494) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7fff4017df10 a2=0x7fff4017df10 a3=0x0 items=0 ppid=1 pid=23589 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/07/2015 16:43:24.339:2494) : avc: denied { getattr } for pid=23589 comm=redis-server path=/proc/sys/net/core/somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
----
unixsocket /var/run/redis/redis.sock
unixsocketperm 700
If /etc/redis.conf contains the above-mentioned options, then the following AVC appears in enforcing mode:
----
type=PATH msg=audit(04/14/2015 09:36:38.695:193) : item=2 name=(null) objtype=CREATE
type=PATH msg=audit(04/14/2015 09:36:38.695:193) : item=1 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT
type=PATH msg=audit(04/14/2015 09:36:38.695:193) : item=0 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT
type=SOCKADDR msg=audit(04/14/2015 09:36:38.695:193) : saddr=local /var/run/redis/redis.sock
type=SYSCALL msg=audit(04/14/2015 09:36:38.695:193) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x6 a1=0x7fffc0687b20 a2=0x6e a3=0x4 items=3 ppid=1 pid=24236 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/14/2015 09:36:38.695:193) : avc: denied { create } for pid=24236 comm=redis-server name=redis.sock scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
----
The following AVCs appear in permissive mode:
----
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=4 name=(null) inode=97450 dev=00:12 mode=socket,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=CREATE
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=3 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=2 name=(null) objtype=CREATE
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=1 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=0 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT
type=SOCKADDR msg=audit(04/14/2015 09:46:10.268:234) : saddr=local /var/run/redis/redis.sock
type=SYSCALL msg=audit(04/14/2015 09:46:10.268:234) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x7fff812c2900 a2=0x6e a3=0x4 items=5 ppid=1 pid=2337 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/14/2015 09:46:10.268:234) : avc: denied { create } for pid=2337 comm=redis-server name=redis.sock scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(04/14/2015 09:46:10.269:235) : item=0 name=/var/run/redis/redis.sock inode=97450 dev=00:12 mode=socket,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=NORMAL
type=CWD msg=audit(04/14/2015 09:46:10.269:235) : cwd=/var/lib/redis
type=SYSCALL msg=audit(04/14/2015 09:46:10.269:235) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fff812c2902 a1=0700 a2=0x6e a3=0x4 items=1 ppid=1 pid=2337 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/14/2015 09:46:10.269:235) : avc: denied { setattr } for pid=2337 comm=redis-server name=redis.sock dev="tmpfs" ino=97450 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(04/14/2015 09:46:16.279:238) : item=1 name=/var/run/redis/redis.sock inode=97450 dev=00:12 mode=socket,700 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=DELETE
type=PATH msg=audit(04/14/2015 09:46:16.279:238) : item=0 name=/var/run/redis/ inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT
type=CWD msg=audit(04/14/2015 09:46:16.279:238) : cwd=/var/lib/redis
type=SYSCALL msg=audit(04/14/2015 09:46:16.279:238) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f3f90858ce0 a1=0x7f3f920fd090 a2=0x51 a3=0x4000 items=2 ppid=1 pid=2337 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/14/2015 09:46:16.279:238) : avc: denied { unlink } for pid=2337 comm=redis-server name=redis.sock dev="tmpfs" ino=97450 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
----
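A small parser for AVC records like the ones quoted in the comments above, added here as an illustration and not part of the bug report or of selinux-policy. It merges the denials into the (source type, target type, object class) groups a policy maintainer reviews before adding rules, and it also flags the unconfined_service_t domain from the reporter's ps -efZ output, since an unconfined process is never denied anything and therefore never produces AVCs at all. The sample records, the function names and the helper structure are all assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the AVC lines quoted in this bug
# (same types and object classes; pids and inodes are made up).
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/07/2015 16:19:46.167:2355) : avc: denied { search } for pid=22044 comm=redis-server name=net dev="proc" ino=6869 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc: denied { open } for pid=23589 comm=redis-server path=/proc/sys/net/core/somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc: denied { read } for pid=23589 comm=redis-server name=somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(04/14/2015 09:36:38.695:193) : avc: denied { create } for pid=24236 comm=redis-server name=redis.sock scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(04/14/2015 09:36:38.695:193) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNCONFINED = {"unconfined_t", "unconfined_service_t"}

def domain_type(context):
    """Type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]

def confined(ps_context):
    """False for the unconfined_service_t seen in the report: no AVCs are ever logged for it."""
    return domain_type(ps_context) not in UNCONFINED

def parse_avc(line):
    """Parse one type=AVC record; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": frozenset(m.group("perms").split()),
            "stype": domain_type(fields["scontext"]),
            "ttype": domain_type(fields["tcontext"]),
            "tclass": fields["tclass"], "comm": fields.get("comm")}

def summarize(audit_text):
    """Merge denials by (source type, target type, class), the grouping
    audit2allow uses when it proposes allow rules."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: frozenset(perms) for key, perms in merged.items()}

def as_allow_rules(summary):
    """Render the merged denials as policy-language allow rules for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]
```

Run summarize() over ausearch output for the confined domain, then review the rendered rules against what the service legitimately needs before adding any of them to policy.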
commit 72793c18baf117b6c5d9fd717d0f4c42e1342423
Author: Miroslav Grepl <mgrepl>
Date: Tue Apr 14 11:05:56 2015 +0200
Allow redis to create /var/run/redis/redis.sock.
commit eb6f33583015868a0f0b3baf53e04b26d709c421
Author: Lukas Vrabec <lvrabec>
Date: Thu Jul 9 14:34:18 2015 +0200
Fix path from /usr/sbin/redis-server to /usr/bin/redis-server.
What about permissive mode?

Hi,
Could you check whether the rule that lets redis-server search in "/proc/sys/net/core/" is really needed? Thank you

commit 568513ffa2dbeeb031979f1883f780d7e53b2454
Author: Lukas Vrabec <lvrabec>
Date: Tue Jul 28 16:00:25 2015 +0200
Allow redis to read kernel parameters.
Resolves: #1209518
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html
Description of problem:

Version-Release number of selected component (if applicable):
redis-2.8.19-1.el7.x86_64
selinux-policy-3.13.1-24.el7.noarch
selinux-policy-devel-3.13.1-24.el7.noarch
selinux-policy-doc-3.13.1-24.el7.noarch
selinux-policy-minimum-3.13.1-24.el7.noarch
selinux-policy-mls-3.13.1-24.el7.noarch
selinux-policy-sandbox-3.13.1-24.el7.noarch
selinux-policy-targeted-3.13.1-24.el7.noarch

How reproducible:
always

Steps to Reproduce:
# rpm -ql redis | grep redis-server
/usr/bin/redis-server
# matchpathcon /usr/bin/redis-server
/usr/bin/redis-server system_u:object_r:bin_t:s0
# matchpathcon /usr/sbin/redis-server
/usr/sbin/redis-server system_u:object_r:redis_exec_t:s0
# ls -l /usr/sbin/redis-server
ls: cannot access /usr/sbin/redis-server: No such file or directory
# service redis start
Redirecting to /bin/systemctl start redis.service
# service redis status
Redirecting to /bin/systemctl status redis.service
redis.service - Redis persistent key-value database
Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled)
Drop-In: /etc/systemd/system/redis.service.d
└─limit.conf
Active: active (running) since Tue 2015-04-07 16:33:53 CEST; 2s ago
Main PID: 23298 (redis-server)
CGroup: /system.slice/redis.service
└─23298 /usr/bin/redis-server 127.0.0.1:6379
Apr 07 16:33:53 rhel71.localdomain systemd[1]: Starting Redis persistent key-value database...
Apr 07 16:33:53 rhel71.localdomain systemd[1]: Started Redis persistent key-value database.
# ps -efZ | grep redis
system_u:system_r:unconfined_service_t:s0 redis 23298 1 0 16:33 ? 00:00:00 /usr/bin/redis-server 127.0.0.1:6379
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23313 21580 0 16:34 pts/0 00:00:00 grep --color=auto redis
#

Actual results:
* /usr/bin/redis-server is labeled bin_t

Expected results:
* /usr/bin/redis-server is labeled redis_exec_t