Bug 1252968

| Field | Value |
|---|---|
| Summary | AVC denials for ipa trusts |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Scott Poore <spoore> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.2 |
| CC | abokovoy, lvrabec, mgrepl, mmalik, plautrba, pvrabec, spoore, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-43.el7 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2015-11-19 10:43:40 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Created attachment 1062064 [details]: Full AVC listing that includes some AVCs not listed in description

Description of problem:

I'm seeing AVC denials during some trust functions. Mostly trust-add I believe. These are the main ones I'm seeing:

```
time->Tue Aug 11 23:30:12 2015
type=SYSCALL msg=audit(1439316012.304:341): arch=c000003e syscall=233 success=yes exit=0 a0=a a1=2 a2=b a3=7fff8c8ff7c0 items=0 ppid=29376 pid=32634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439316012.304:341): avc: denied { block_suspend } for pid=32634 comm="com.redhat.idm." capability=36 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability2
----
time->Tue Aug 11 23:30:12 2015
type=SYSCALL msg=audit(1439316012.500:342): arch=c000003e syscall=54 success=no exit=-1 a0=7 a1=1 a2=20 a3=7fff8c8ff548 items=0 ppid=29376 pid=32634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439316012.500:342): avc: denied { net_admin } for pid=32634 comm="com.redhat.idm." capability=12 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
----
time->Tue Aug 11 23:30:12 2015
type=PATH msg=audit(1439316012.504:343): item=0 name="/tmp" inode=100663425 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439316012.504:343): cwd="/"
type=SYSCALL msg=audit(1439316012.504:343): arch=c000003e syscall=2 success=no exit=-13 a0=7f705e28bae8 a1=0 a2=1b6 a3=24 items=1 ppid=29376 pid=32634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439316012.504:343): avc: denied { read } for pid=32634 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=100663425 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
```

Version-Release number of selected component (if applicable):

- selinux-policy-3.13.1-41.el7.noarch
- ipa-server-4.2.0-4.el7.x86_64

How reproducible: always

Steps to Reproduce:

1. Install IPA Server
2. ipa-adtrust-install
3. ipa trust-add

Actual results: Sees AVC denials in logs.

Expected results: No AVC denials expected.

Additional info: more AVC denials included in attachment

---

Hi Scott,

Could you test this scenario in permissive mode? (# setenforce 0)

Do you know if "com.redhat.idm" needs some other permissions in /tmp dir?

Is this needed for rhel7.2? Could we move it to rhel7.3?

---

block_suspend should be dontaudited. It's a kernel bug.

net_admin seems to be legitimate.

Then we also need to get AVCs from permissive mode, as Lukas wrote above. I believe we can fix it in 7.2 once we have all AVCs.

---

I'm not sure what other permissions com.redhat.idm needs. I've added Alexander to hopefully answer that.

Here are the AVCs from a test in permissive mode:

```
time->Sun Aug 16 23:05:15 2015
type=SYSCALL msg=audit(1439780715.180:360): arch=c000003e syscall=233 success=yes exit=0 a0=6 a1=2 a2=7 a3=7ffdbf9e61f0 items=0 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780715.180:360): avc: denied { block_suspend } for pid=30418 comm="com.redhat.idm." capability=36 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability2
----
time->Sun Aug 16 23:05:25 2015
type=PATH msg=audit(1439780725.491:362): item=0 name="/tmp" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439780725.491:362): cwd="/"
type=SYSCALL msg=audit(1439780725.491:362): arch=c000003e syscall=2 success=yes exit=11 a0=7f832a06bae8 a1=0 a2=1b6 a3=24 items=1 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780725.491:362): avc: denied { read } for pid=30418 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Sun Aug 16 23:05:25 2015
type=SYSCALL msg=audit(1439780725.464:361): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=1 a2=20 a3=7ffdbf9e5e28 items=0 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780725.464:361): avc: denied { net_admin } for pid=30418 comm="com.redhat.idm." capability=12 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
----
time->Sun Aug 16 23:05:26 2015
type=PATH msg=audit(1439780726.439:363): item=1 name="/var/lib/rpm/.dbenv.lock" inode=134320268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=NORMAL
type=PATH msg=audit(1439780726.439:363): item=0 name="/var/lib/rpm/" inode=134320267 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1439780726.439:363): cwd="/"
type=SYSCALL msg=audit(1439780726.439:363): arch=c000003e syscall=2 success=yes exit=9 a0=60a9d30 a1=42 a2=1a4 a3=3 items=2 ppid=24866 pid=30418 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780726.439:363): avc: denied { open } for pid=30418 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
```

And I think these occurred during a trust-del:

```
time->Sun Aug 16 23:09:31 2015
type=SYSCALL msg=audit(1439780971.945:369): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=20 a3=7ffdf0ae9cd8 items=0 ppid=24866 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780971.945:369): avc: denied { net_admin } for pid=490 comm="com.redhat.idm." capability=12 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
----
time->Sun Aug 16 23:09:32 2015
type=PATH msg=audit(1439780972.221:370): item=0 name="/tmp" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439780972.221:370): cwd="/"
type=SYSCALL msg=audit(1439780972.221:370): arch=c000003e syscall=2 success=yes exit=9 a0=7fe5c9a57ae8 a1=0 a2=1b6 a3=24 items=1 ppid=24866 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780972.221:370): avc: denied { read } for pid=490 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Sun Aug 16 23:09:32 2015
type=PATH msg=audit(1439780972.628:371): item=1 name="/var/lib/rpm/.dbenv.lock" inode=134320268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=NORMAL
type=PATH msg=audit(1439780972.628:371): item=0 name="/var/lib/rpm/" inode=134320267 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1439780972.628:371): cwd="/"
type=SYSCALL msg=audit(1439780972.628:371): arch=c000003e syscall=2 success=yes exit=7 a0=5ced6b0 a1=42 a2=1a4 a3=3 items=2 ppid=24866 pid=490 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439780972.628:371): avc: denied { open } for pid=490 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Sun Aug 16 23:12:46 2015
type=PATH msg=audit(1439781166.350:373): item=0 name="/tmp" inode=133 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL
type=CWD msg=audit(1439781166.350:373): cwd="/"
type=SYSCALL msg=audit(1439781166.350:373): arch=c000003e syscall=2 success=yes exit=9 a0=7f5142b92ae8 a1=0 a2=1b6 a3=24 items=1 ppid=24866 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439781166.350:373): avc: denied { read } for pid=2265 comm="com.redhat.idm." name="tmp" dev="dm-0" ino=133 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
time->Sun Aug 16 23:12:46 2015
type=PATH msg=audit(1439781166.823:374): item=1 name="/var/lib/rpm/.dbenv.lock" inode=134320268 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=NORMAL
type=PATH msg=audit(1439781166.823:374): item=0 name="/var/lib/rpm/" inode=134320267 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 objtype=PARENT
type=CWD msg=audit(1439781166.823:374): cwd="/"
type=SYSCALL msg=audit(1439781166.823:374): arch=c000003e syscall=2 success=yes exit=7 a0=5bf34f0 a1=42 a2=1a4 a3=3 items=2 ppid=24866 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439781166.823:374): avc: denied { open } for pid=2265 comm="com.redhat.idm." path="/var/lib/rpm/.dbenv.lock" dev="dm-0" ino=134320268 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
----
time->Sun Aug 16 23:12:46 2015
type=SYSCALL msg=audit(1439781166.150:372): arch=c000003e syscall=54 success=yes exit=0 a0=6 a1=1 a2=20 a3=7ffd7918bf98 items=0 ppid=24866 pid=2265 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="com.redhat.idm." exe="/usr/bin/python2.7" subj=system_u:system_r:ipa_helper_t:s0 key=(null)
type=AVC msg=audit(1439781166.150:372): avc: denied { net_admin } for pid=2265 comm="com.redhat.idm." capability=12 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=capability
```

Thank you.

---

block_suspend should be dontaudited, as I wrote above.

Then we need to add:

```
allow ipa_helper_t self:capability net_admin;
files_list_tmp(ipa_helper_t)
optional_policy(`
	rpm_read_db(ipa_helper_t)
')
```

I think we already had the same rules in Fedora policy, so you would probably be good referencing that one.

---

```
commit fe3e868d06e1d3ed42d35498760eef4f53df47f1
Author: Lukas Vrabec <lvrabec>
Date:   Wed Aug 19 10:54:43 2015 +0200

    Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug.
    Allow ipa_helper_t capability net_admin.
    Allow ipa_helper_t to list /tmp.
    Allow ipa_helper_t to read rpm db.
    Resolves: #1252968
```

---

I believe this is fixed:

Version :: selinux-policy-3.13.1-45.el7.noarch

Results :: I no longer see AVCs from the tests running trust related commands where I saw them before.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html