Bug 1238061

Summary: libStorageMgmt: SELinux is preventing /usr/bin/lsmd check user `libstoragemgmt`
Product: Red Hat Enterprise Linux 7
Reporter: Gris Ge <fge>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: bgoncalv, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tasleson
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-39.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:38:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Gris Ge 2015-07-01 06:25:00 UTC
Description of problem:
The daemon (lsmd) of libstoragemgmt needs to check the existence of the
'libstoragemgmt' user and group before dropping privileges to it.

SELinux is preventing this action:
===============
SELinux is preventing /usr/bin/lsmd from read access on the file passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lsmd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:lsmd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                passwd [ file ]
Source                        lsmd
Source Path                   /usr/bin/lsmd
Port                          <Unknown>
Host                          ibm-ls22-01.rhts.eng.nay.redhat.com
Source RPM Packages           libstoragemgmt-1.2.3-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-ls22-01.rhts.eng.nay.redhat.com
Platform                      Linux ibm-ls22-01.rhts.eng.nay.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-07-01 13:58:54 CST
Last Seen                     2015-07-01 14:15:21 CST
Local ID                      e54cea0c-64d9-487e-bed5-ad86c960abb0

Raw Audit Messages
type=AVC msg=audit(1435731321.1:108): avc:  denied  { read } for  pid=1846 comm="lsmd" name="passwd" dev="dm-0" ino=135853418 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1435731321.1:108): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff431caad8a a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=1846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)

Hash: lsmd,lsmd_t,passwd_file_t,file,read
===============

If sssd is installed, an extra error will be found:
===============
SELinux is preventing /usr/bin/lsmd from search access on the directory sss.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lsmd should be allowed search access on the sss directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:lsmd_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                sss [ dir ]
Source                        lsmd
Source Path                   /usr/bin/lsmd
Port                          <Unknown>
Host                          ibm-ls22-01.rhts.eng.nay.redhat.com
Source RPM Packages           libstoragemgmt-1.2.3-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-ls22-01.rhts.eng.nay.redhat.com
Platform                      Linux ibm-ls22-01.rhts.eng.nay.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-07-01 14:15:21 CST
Last Seen                     2015-07-01 14:15:21 CST
Local ID                      7407bf13-c481-459f-8576-56155ceafe8e

Raw Audit Messages
type=AVC msg=audit(1435731321.2:110): avc:  denied  { search } for  pid=1846 comm="lsmd" name="sss" dev="dm-0" ino=1486846 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1435731321.2:110): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fff43088cf0 a2=6e a3=7fff43088a10 items=0 ppid=1 pid=1846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)

Hash: lsmd,lsmd_t,sssd_var_lib_t,dir,search
===============


Version-Release number of selected component (if applicable):
libstoragemgmt-1.2.3-2.el7.x86_64
selinux-policy-targeted-3.13.1-23.el7.noarch
selinux-policy-3.13.1-23.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install libstoragemgmt-1.2.3-2.el7
2. Start libstoragemgmt daemon via `systemctl start libstoragemgmt.service`
3. Execute this command `lsmcli ls -u sim://`

Actual results:
Got an SELinux error and the daemon failed to drop privileges to the normal user.

Expected results:
No SELinux error.

Additional info:
This also causes the TPS of libstoragemgmt to fail:
https://errata.devel.redhat.com/tps/errata_results/23300
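As an added example (not part of this bug report or of libstoragemgmt's own code), the script below parses AVC records of the shape quoted above, builds the comm/source type/target type/class/permission tuple that the "Hash:" line of a setroubleshoot report is based on, and flags the denials that break a daemon's privilege drop: the passwd read from the description and the setuid capability denial from comment 3. It assumes the standard audit.log record layout shown on this page; the sample lines are the ones quoted in the report.

```python
import re
from collections import Counter

# AVC records quoted in this bug (description and comment 3).
AUDIT_LINES = [
    'type=AVC msg=audit(1435731321.1:108): avc:  denied  { read } for  pid=1846 comm="lsmd" name="passwd" dev="dm-0" ino=135853418 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1435731321.2:110): avc:  denied  { search } for  pid=1846 comm="lsmd" name="sss" dev="dm-0" ino=1486846 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1438849108.898:62): avc:  denied  { setuid } for  pid=1937 comm="lsmd" capability=7  scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=capability',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # The SELinux type is the third field of user:role:type:level.
    return {'verdict': m.group('verdict'), 'perms': m.group('perms').split(),
            'comm': fields.get('comm'), 'tclass': fields['tclass'],
            'source_type': fields['scontext'].split(':')[2],
            'target_type': fields['tcontext'].split(':')[2],
            'capability': fields.get('capability')}

def signature(rec):
    """comm,source type,target type,class,permission: the tuple behind the
    'Hash:' line setroubleshoot prints for each distinct denial."""
    return ','.join([rec['comm'], rec['source_type'], rec['target_type'],
                     rec['tclass'], rec['perms'][0]])

def blocks_privilege_drop(rec):
    """True for denials that stop a daemon from resolving its service account
    (passwd lookup) or from switching to it (setuid/setgid capability)."""
    if rec['tclass'] == 'capability':
        return bool({'setuid', 'setgid'} & set(rec['perms']))
    return rec['target_type'] == 'passwd_file_t' and 'read' in rec['perms']

def summarize(lines):
    """Count denials per signature and collect the privilege-drop ones."""
    counts, flagged = Counter(), set()
    for rec in filter(None, map(parse_avc, lines)):
        if rec['verdict'] != 'denied':
            continue
        sig = signature(rec)
        counts[sig] += 1
        if blocks_privilege_drop(rec):
            flagged.add(sig)
    return dict(counts), flagged
```

Feeding `summarize` the output of `ausearch -m AVC` for a service gives a per-signature count, which is what the TPS check in comment 3 is effectively doing before it reports "AVC messages found".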

Comment 1 Lukas Vrabec 2015-07-16 13:09:27 UTC
commit 7fb226b0124bcc8a241a4d3f17c0cd0630734d5f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 16 15:05:51 2015 +0200

    Add lsmd_t to nsswitch_domain. Resolves: #1238061

Comment 3 Bruno Goncalves 2015-08-06 11:42:35 UTC
It seems this problem is still present on 7.2 alpha (selinux-policy-3.13.1-37.el7).

time->Thu Aug  6 04:18:28 2015
type=SYSCALL msg=audit(1438849108.898:62): arch=c000003e syscall=105 success=no exit=-1 a0=3e2 a1=7f6a06478274 a2=0 a3=7ffc6c277d60 items=0 ppid=1 pid=1937 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1438849108.898:62): avc:  denied  { setuid } for  pid=1937 comm="lsmd" capability=7  scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=capability
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.FfRgI4 | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.QXAsM9 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-37.el7.noarch

Comment 4 Milos Malik 2015-08-06 12:03:17 UTC
The AVC is mentioned in BZ#1247114. But I have to agree with you, the automated TC still triggers the AVC on my VMs.

Comment 5 Lukas Vrabec 2015-08-10 12:17:10 UTC
This AVC is fixed in -39.el7.noarch version.

Comment 8 errata-xmlrpc 2015-11-19 10:38:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html