Bug 1220763

Summary: please add default labels for /var/tmp/kadmin_0 and /var/tmp/kiprop_0

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.1 | CC: | lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-34.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1210421 | Environment: | |
| Last Closed: | 2015-11-19 10:33:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Milos Malik
2015-05-12 11:25:54 UTC
Note: `/var/tmp/kiprop_0 system_u:object_r:krb5kdc_tmp_t:s0` is not a good label for kiprop_0; it should be kadmind_tmp_t. See the details in: https://bugzilla.redhat.com/show_bug.cgi?id=1220691#c4

There are missing policies related to this bug report. My incremental propagation test case was executed in permissive mode and the following AVC denials were logged:

MASTER:

```
----
type=SYSCALL msg=audit(05/22/2015 15:16:47.279:3214) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLKW a2=0x7fffd6c05640 a3=0x7fffd6c05420 items=0 ppid=16885 pid=16923 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(05/22/2015 15:16:47.279:3214) : avc: denied { lock } for pid=16923 comm=kprop path=/etc/krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
----
type=PATH msg=audit(05/22/2015 15:16:47.279:3213) : item=0 name=/etc/krb5.keytab inode=35329465 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:krb5_keytab_t:s0 objtype=NORMAL
type=CWD msg=audit(05/22/2015 15:16:47.279:3213) : cwd=/
type=SYSCALL msg=audit(05/22/2015 15:16:47.279:3213) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f32869fde40 a1=O_RDONLY a2=0x1b6 a3=0x0 items=1 ppid=16885 pid=16923 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=KEYTAB
type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc: denied { open } for pid=16923 comm=kprop path=/etc/krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc: denied { read } for pid=16923 comm=kprop name=krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
```

SLAVE:

```
----
type=SYSCALL msg=audit(05/22/2015 15:16:47.189:1103) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f4bf90e9070 a2=0x10 a3=0x7fff5292d320 items=0 ppid=1 pid=10252 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
type=AVC msg=audit(05/22/2015 15:16:47.189:1103) : avc: denied { name_connect } for pid=10252 comm=kpropd dest=272 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
```

The following module makes the test pass in enforcing mode too:

```
# cat kpropd.te
policy_module(kpropd,1.0)

require {
	type kpropd_t;
	type reserved_port_t;
	type kadmind_t;
	type krb5_keytab_t;
	class tcp_socket name_connect;
	class file { ioctl read getattr lock open };
}

allow kpropd_t reserved_port_t:tcp_socket name_connect;
allow kadmind_t krb5_keytab_t : file { ioctl read getattr lock open } ;
```

The above policies exist on RHEL-6 too, so please create them here as well.

My test is still failing with selinux-policy-3.13.1-28.el7.noarch. It passes only in permissive mode.
The following AVC denials are still logged:

```
----
type=SYSCALL msg=audit(06/16/2015 06:00:03.243:538) : arch=ppc64 syscall=open success=yes exit=3 a0=0x1001b3e3750 a1=O_RDONLY a2=0x1b6 a3=0x0 items=0 ppid=18365 pid=18403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(06/16/2015 06:00:03.243:538) : avc: denied { open } for pid=18403 comm=kprop path=/etc/krb5.keytab dev="dm-1" ino=136156885 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(06/16/2015 06:00:03.243:538) : avc: denied { read } for pid=18403 comm=kprop name=krb5.keytab dev="dm-1" ino=136156885 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
----
type=SYSCALL msg=audit(06/16/2015 06:00:03.243:539) : arch=ppc64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLKW a2=0x3fffc0f6d788 a3=0x0 items=0 ppid=18365 pid=18403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(06/16/2015 06:00:03.243:539) : avc: denied { lock } for pid=18403 comm=kprop path=/etc/krb5.keytab dev="dm-1" ino=136156885 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
----
type=SYSCALL msg=audit(06/16/2015 06:01:03.242:324) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffe0cf429b0 a2=0x1c a3=0x7ffe0cf5c290 items=0 ppid=1 pid=61091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
type=AVC msg=audit(06/16/2015 06:01:03.242:324) : avc: denied { name_connect } for pid=61091 comm=kpropd dest=754 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:kprop_port_t:s0 tclass=tcp_socket
```

There are still AVC denials there:

MASTER:

```
type=SYSCALL msg=audit(08/05/2015 08:14:15.350:1267) : arch=ppc64 syscall=open success=yes exit=35 a0=0x100014784c0 a1=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC a2=0600 a3=0x0 items=0 ppid=1 pid=22060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0 key=(null)
type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc: denied { write open } for pid=22060 comm=kadmind path=/var/tmp/kiprop_0 dev="dm-0" ino=205144507 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file
type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc: denied { create } for pid=22060 comm=kadmind name=kiprop_0 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file
```

SLAVE:

```
type=SYSCALL msg=audit(08/05/2015 08:14:15.351:814) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f341490ae20 a2=0x10 a3=0x7fff55893230 items=0 ppid=1 pid=23605 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
type=AVC msg=audit(08/05/2015 08:14:15.351:814) : avc: denied { name_connect } for pid=23605 comm=kpropd dest=754 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:kprop_port_t:s0 tclass=tcp_socket
```

```
commit 54424ce034d8b8fa57a63663a8193e0b90148511
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 10 13:51:12 2015 +0200

    Allow kpropd to connect to kropd tcp port.

    Resolves: #1220763
```

I think labels are OK (check https://bugzilla.redhat.com/show_bug.cgi?id=1210421). We should add allow rules so that kadmind_t can manage krb5kdc_tmp_t. Patrick, do you agree?

(In reply to Lukas Vrabec from comment #16)
> I think labels are OK (check
> https://bugzilla.redhat.com/show_bug.cgi?id=1210421)
> We should add allow rules to kadmind_t could manage krb5kdc_tmp_t.
> Patrick do you agree?

I believe the label of /var/tmp/kiprop_0 should be changed to kadmind_tmp_t, as it is on RHEL-6. The file is used by the kadmin and kiprop processes, so this label is more suitable than krb5kdc_t, which is for the krb5kdc process. To let the test pass I had to add two things:

```
# semanage fcontext -a -t kadmind_tmp_t /var/tmp/kiprop_0
```

and add policy:

```
allow kpropd_t kprop_port_t:tcp_socket name_connect;
```

These also correspond to what is in bug 1210421 for RHEL-6. Please add them to the selinux-policy for RHEL-7 too.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
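An added example, not part of this bug report or of selinux-policy, that reads AVC denials like the ones quoted above, merges them into one allow rule per (source type, target type, class) the way audit2allow would, and separately flags the file the thread decided is mislabeled rather than missing a rule. The sample records are shortened copies of the denials in this report; `EXPECTED_LABELS` is a constructed table holding the reporter's expectation for /var/tmp/kiprop_0.

```python
import re
from collections import defaultdict

# Shortened copies of AVC records quoted in this bug report (constructed sample input).
SAMPLE_AVCS = [
    'type=AVC msg=audit(05/22/2015 15:16:47.279:3214) : avc: denied { lock } for pid=16923 comm=kprop path=/etc/krb5.keytab scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file',
    'type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc: denied { open } for pid=16923 comm=kprop path=/etc/krb5.keytab scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file',
    'type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc: denied { read } for pid=16923 comm=kprop name=krb5.keytab scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file',
    'type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc: denied { write open } for pid=22060 comm=kadmind path=/var/tmp/kiprop_0 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(08/05/2015 08:14:15.351:814) : avc: denied { name_connect } for pid=23605 comm=kpropd dest=754 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:kprop_port_t:s0 tclass=tcp_socket',
]

# A context is user:role:type[:range]; we only need the type field of each side.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+)\S*\s+tcontext=\w+:\w+:(?P<ttype>\w+)\S*\s+tclass=(?P<tclass>\w+)'
)
PATH_RE = re.compile(r'\b(?:path|name)=(\S+)')

# Constructed expectation: the label the reporter says /var/tmp/kiprop_0 should carry.
EXPECTED_LABELS = {'/var/tmp/kiprop_0': 'kadmind_tmp_t'}


def parse_avc(line):
    """Return (stype, ttype, tclass, perms, path) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    path_m = PATH_RE.search(line)
    return (m['stype'], m['ttype'], m['tclass'], frozenset(m['perms'].split()),
            path_m.group(1) if path_m else None)


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class), sorted."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms, _ = rec
            merged[(stype, ttype, tclass)].update(perms)
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())


def mislabeled_files(lines):
    """Map path -> observed type for denied files whose type differs from EXPECTED_LABELS."""
    found = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec[4] in EXPECTED_LABELS and rec[1] != EXPECTED_LABELS[rec[4]]:
            found[rec[4]] = rec[1]
    return found
```

Rules produced for a mislabeled path should be treated as a relabel request (semanage fcontext plus restorecon), not as a policy addition, which is the distinction the reply to comment #16 draws.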