Bug 1248072

Summary: AVC denied for "dir search" by nslookup(1) when called by nagios_services_plugin_t
Product: Red Hat Enterprise Linux 6
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.7
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2015-07-30 21:37:35 UTC

Description Robert Scheck 2015-07-29 14:25:08 UTC
Description of problem:
type=AVC msg=audit(1438178677.142:2998359): avc:  denied  { search } for  pid=2070 comm="nslookup" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=SYSCALL msg=audit(1438178677.142:2998359): arch=x86_64 syscall=open success=no exit=EACCES a0=7f9185593d20 a1=80000 a2=72f a3=2b750 items=0 ppid=2069 pid=2070 auid=0 uid=495 gid=495 euid=495 suid=495 fsuid=495 egid=495 sgid=495 fsgid=495 tty=(none) ses=7830 comm=nslookup exe=/usr/bin/nslookup subj=unconfined_u:system_r:nagios_services_plugin_t:s0 key=(null)

$ strings /usr/lib64/nagios/plugins/check_dns | grep /usr/bin/nslookup
/usr/bin/nslookup -sil
$ 

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
nagios-plugins-dns-1.4.16-10.el6.x86_64

How reproducible:
Use check_dns nagios plugin with RHEL 6.7.

Actual results:
AVC denied.

Expected results:
No AVC denied message (no idea if this should be allowed or not).

Additional info:
It feels like a file descriptor leak, but I am not absolutely sure. As of
writing it seems to work with the denied while having it enforced.

Comment 1 Robert Scheck 2015-07-29 14:26:48 UTC
Cross-filed case 01484376 on the Red Hat customer portal.

Comment 3 Milos Malik 2015-07-29 14:36:08 UTC
# rpm -qa selinux\*
selinux-policy-doc-3.7.19-279.el6.noarch
selinux-policy-minimum-3.7.19-279.el6.noarch
selinux-policy-mls-3.7.19-279.el6.noarch
selinux-policy-targeted-3.7.19-279.el6.noarch
selinux-policy-3.7.19-279.el6.noarch
# sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
Found 1 semantic av rules:
   allow domain sysctl_vm_t : dir { getattr search open } ; 

# 

Did the AVC appear after upgrade of selinux-policy* packages?
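As an added illustration (not part of the bug report or of selinux-policy), a small Python helper that parses an AVC record like the one in the description into its type fields, builds the same sesearch query run in comment 3, and checks whether a returned allow rule actually covers the denied permission. The sample audit line and rule line are copied from this bug; the function names are my own.

```python
import re

# Sample input: the AVC record from the description above (copied, as one line).
AVC_LINE = ('type=AVC msg=audit(1438178677.142:2998359): avc:  denied  { search } for  '
            'pid=2070 comm="nslookup" scontext=unconfined_u:system_r:nagios_services_plugin_t:s0 '
            'tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir')

# Sample policy rule: the one sesearch printed in comment 3. The source "domain" is an
# attribute that sesearch already resolved for nagios_services_plugin_t.
RULE_LINE = '   allow domain sysctl_vm_t : dir { getattr search open } ; '

_AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_RULE_RE = re.compile(r'allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+)')

def parse_avc(line):
    """Return the interesting fields of an AVC audit record, or None for other record types."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'source_type': kv['scontext'].split(':')[2],   # contexts are user:role:TYPE:level
        'target_type': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
        'comm': kv.get('comm'),
        'pid': kv.get('pid'),
    }

def sesearch_command(avc):
    """Build the sesearch query that asks the loaded policy about this exact denial."""
    return 'sesearch -s %s -t %s -c %s -p %s -A -C' % (
        avc['source_type'], avc['target_type'], avc['tclass'], ','.join(avc['perms']))

def rule_covers(rule_line, avc):
    """True if a sesearch 'allow' line grants every permission the AVC was denied.
    The rule's source may be an attribute (here 'domain'), so only target type, class
    and permissions are compared; sesearch -s already restricted the source for us."""
    m = _RULE_RE.search(rule_line)
    if not m or m.group('tgt') != avc['target_type'] or m.group('cls') != avc['tclass']:
        return False
    granted = set(m.group('perms').strip('{}').split())
    return set(avc['perms']) <= granted

if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print(sesearch_command(avc))
    print('rule covers denial:', rule_covers(RULE_LINE, avc))
```

A rule that covers the denial while the AVC still appears points at the policy loaded at the time of the denial (here, mid-upgrade) rather than at the current one.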

Comment 4 Robert Scheck 2015-07-29 14:43:21 UTC
(In reply to Milos Malik from comment #3)
> Did the AVC appear after upgrade of selinux-policy* packages?

Good point. During as it seems only. No occurrence before and none after so
far.

Comment 5 Simon Sekidde 2015-07-29 15:29:01 UTC
Robert, 

Most likely during the update of policy either from -231 or -260

$ rpm -q selinux-policy; sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
selinux-policy-3.7.19-231.el6.noarch
<blank>

$ rpm -q selinux-policy; sesearch -s nagios_services_plugin_t -t sysctl_vm_t -c dir -p search -A -C
selinux-policy-3.7.19-260.el6_6.5.noarch
<blank>

Comment 6 Simon Sekidde 2015-07-29 15:31:05 UTC
Should now be fixed in the latest build as Milos pointed out 

#============= nagios_services_plugin_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_services_plugin_t sysctl_vm_t:dir search;

Comment 7 Robert Scheck 2015-07-29 21:36:01 UTC
Yes, I updated from -260. So sorry for the noise, let's close this.