Bug 1274987

Summary: Selinux avc denials for abrt-handle-event and abrtd
Product: Red Hat Enterprise Linux 7
Reporter: Steeve Goveas <sgoveas>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CANTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, sgoveas, ssekidde
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-11-02 07:53:41 UTC
Type: Bug

Description Steeve Goveas 2015-10-24 15:15:09 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7.noarch


Actual results:

Info: Searching AVC errors produced since 1445613862.15 (Fri Oct 23 11:24:22 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 10/23/2015 11:24:22 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.Sihyrb 2>&1'
----
time->Fri Oct 23 12:00:10 2015
type=SYSCALL msg=audit(1445616010.449:141): arch=c0000015 syscall=295 success=no exit=-13 a0=3fffe9a1b908 a1=3 a2=3fff92984bb0 a3=0 items=0 ppid=14054 pid=14055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-handle-eve" exe="/usr/libexec/abrt-handle-event" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616010.449:141): avc:  denied  { create } for  pid=14055 comm="abrt-handle-eve" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:00:10 2015
type=SYSCALL msg=audit(1445616010.449:142): arch=c0000015 syscall=5 success=no exit=-13 a0=3fff929a0be8 a1=0 a2=0 a3=0 items=0 ppid=14054 pid=14055 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-handle-eve" exe="/usr/libexec/abrt-handle-event" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616010.449:142): avc:  denied  { open } for  pid=14055 comm="abrt-handle-eve" path="/var/spool/abrt/ccpp-2015-10-23-12:00:10-1242/time" dev="dm-1" ino=136071017 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
----
time->Fri Oct 23 12:00:10 2015
type=SYSCALL msg=audit(1445616010.469:146): arch=c0000015 syscall=295 success=no exit=-13 a0=3ffffd897b28 a1=5 a2=3fff7ba34bb0 a3=0 items=0 ppid=18412 pid=14054 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-server" exe="/usr/sbin/abrt-server" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616010.469:146): avc:  denied  { create } for  pid=14054 comm="abrt-server" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:00:10 2015
type=SYSCALL msg=audit(1445616010.539:148): arch=c0000015 syscall=295 success=no exit=-13 a0=3ffff6627f78 a1=3 a2=3fffa6d94bb0 a3=0 items=0 ppid=14056 pid=14059 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-handle-eve" exe="/usr/libexec/abrt-handle-event" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616010.539:148): avc:  denied  { create } for  pid=14059 comm="abrt-handle-eve" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:00:10 2015
type=SYSCALL msg=audit(1445616010.539:149): arch=c0000015 syscall=5 success=no exit=-13 a0=3fffa6db0be8 a1=0 a2=0 a3=0 items=0 ppid=14056 pid=14059 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-handle-eve" exe="/usr/libexec/abrt-handle-event" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616010.539:149): avc:  denied  { open } for  pid=14059 comm="abrt-handle-eve" path="/var/spool/abrt/ccpp-2015-10-23-12:00:09-462/time" dev="dm-1" ino=67693556 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
----
time->Fri Oct 23 12:00:10 2015
type=SYSCALL msg=audit(1445616010.539:150): arch=c0000015 syscall=295 success=no exit=-13 a0=3fffd6cf7b88 a1=5 a2=3fff81f64bb0 a3=0 items=0 ppid=18412 pid=14056 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-server" exe="/usr/sbin/abrt-server" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616010.539:150): avc:  denied  { create } for  pid=14056 comm="abrt-server" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:03:51 2015
type=USER_AVC msg=audit(1445616231.454:205): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Oct 23 12:05:15 2015
type=SYSCALL msg=audit(1445616315.225:237): arch=c0000015 syscall=295 success=no exit=-13 a0=3ffff20c9ad8 a1=6 a2=3fffa31a4bb0 a3=0 items=0 ppid=1 pid=27950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616315.225:237): avc:  denied  { create } for  pid=27950 comm="abrtd" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:05:15 2015
type=SYSCALL msg=audit(1445616315.225:238): arch=c0000015 syscall=295 success=no exit=-13 a0=3ffff20c9ad8 a1=6 a2=3fffa31a4bb0 a3=0 items=0 ppid=1 pid=27950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616315.225:238): avc:  denied  { create } for  pid=27950 comm="abrtd" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:08:07 2015
type=SYSCALL msg=audit(1445616487.824:275): arch=c0000015 syscall=295 success=no exit=-13 a0=3fffdefdc778 a1=6 a2=3fffa59e4bb0 a3=0 items=0 ppid=1 pid=30844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616487.824:275): avc:  denied  { create } for  pid=30844 comm="abrtd" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
----
time->Fri Oct 23 12:08:07 2015
type=SYSCALL msg=audit(1445616487.824:276): arch=c0000015 syscall=295 success=no exit=-13 a0=3fffdefdc778 a1=6 a2=3fffa59e4bb0 a3=0 items=0 ppid=1 pid=30844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrtd" exe="/usr/sbin/abrtd" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1445616487.824:276): avc:  denied  { create } for  pid=30844 comm="abrtd" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.Sihyrb | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.ZzG3JV 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-60.el7.noarch

Expected results:
No avc denials

Additional info:

Comment 2 Miroslav Grepl 2015-10-26 07:00:32 UTC
The problem is with mislabeled /var/spool/abrt.

restorecon -R -v /var/spool/abrt

will fix it. Did it happen by default? I mean I would like to know how to reproduce it.

Comment 3 Steeve Goveas 2015-10-26 10:00:04 UTC
(In reply to Miroslav Grepl from comment #2)
> The problem is with mislabeled /var/spool/abrt.
> 
> restorecon -R -v /var/spool/abrt
> 
> will fix it. Did it happen by default? I mean I would like to know how to
> reproduce it.

Yes, I think it happened by default when a crash was detected.

Comment 4 Miroslav Grepl 2015-10-27 09:42:11 UTC
(In reply to Steeve Goveas from comment #3)
> (In reply to Miroslav Grepl from comment #2)
> > The problem is with mislabeled /var/spool/abrt.
> > 
> > restorecon -R -v /var/spool/abrt
> > 
> > will fix it. Did it happen by default? I mean I would like to know how to
> > reproduce it.
> 
> Yes, I think it happened by default when a crash was detected.

Did the restorecon command help you?

Comment 5 Steeve Goveas 2015-10-29 15:25:03 UTC
Restorecon did help, but I had to create the crash dump directory. So, I had to investigate further.

I found these avc errors during an upgrade from rhel7.1 (released version) to rhel7.2. In the rhel7.1 released version, abrt's crash dump location was /var/tmp/abrt. This was changed to /var/spool/abrt in a z-stream release due to security reasons. During the upgrade, a crash happens before abrt's upgrade has finished. Hence, the directory /var/spool/abrt does not exist with the selinux context set, causing the errors.

I have filed bz1276361 for abrt.

Comment 6 Miroslav Grepl 2015-11-02 07:53:41 UTC
(In reply to Steeve Goveas from comment #5)
> Restorecon did help, but I had to create the crash dump directory. So, I had
> to investigate further.
> 
> I found these avc errors during an upgrade from rhel7.1 (released version)
> to rhel7.2. In the rhel7.1 released version, abrt's crash dump location was
> /var/tmp/abrt. This was changed to /var/spool/abrt in a z-stream release due
> to security reasons. During the upgrade, a crash happens before abrt's
> upgrade has finished. Hence, the directory /var/spool/abrt does not exist
> with the selinux context set, causing the errors.
> 
> I have filed bz1276361 for abrt.

Nice catch. RPM should take care of labeling if it is part of the payload. But in this case there was a crash which caused this race condition.
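As an added triage example (not part of this bug report or of the abrt or selinux-policy projects), the script below parses AVC records of the kind ausearch printed in the description, counts them by source type, target type, object class and permission, and flags denials whose target carries a generic location type such as var_spool_t, which is the mislabeling signature explained in comments 2 and 5. The three sample records are constructed from the denials in this report; the list of generic types used as a heuristic is an assumption.

```python
import re
from collections import Counter

# Constructed sample: three AVC records in the shape ausearch printed in this report.
SAMPLE_AVC = """\
type=AVC msg=audit(1445616010.449:141): avc:  denied  { create } for  pid=14055 comm="abrt-handle-eve" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
type=AVC msg=audit(1445616010.449:142): avc:  denied  { open } for  pid=14055 comm="abrt-handle-eve" path="/var/spool/abrt/ccpp-2015-10-23-12:00:10-1242/time" dev="dm-1" ino=136071017 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=file
type=AVC msg=audit(1445616315.225:237): avc:  denied  { create } for  pid=27950 comm="abrtd" name=".lock" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=lnk_file
"""

# Assumed heuristic: generic parent-directory types that an application's own
# spool/cache tree should no longer carry once its file contexts are applied.
GENERIC_TYPES = {"var_spool_t", "var_t", "var_tmp_t", "var_lib_t", "var_log_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # The type is the third colon-separated component of an SELinux context.
    f["stype"] = f["scontext"].split(":")[2]
    f["ttype"] = f["tcontext"].split(":")[2]
    f["perms"] = m.group("perms").split()
    return f

def summarize(text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_avc(line)
        if f:
            for perm in f["perms"]:
                counts[(f["stype"], f["ttype"], f["tclass"], perm)] += 1
    return counts

def mislabel_candidates(text):
    """Map each generic target type to the (comm, object) pairs denied against it."""
    hits = {}
    for line in text.splitlines():
        f = parse_avc(line)
        if f and f["ttype"] in GENERIC_TYPES:
            obj = f.get("path") or f.get("name", "?")
            hits.setdefault(f["ttype"], set()).add((f["comm"], obj))
    return hits
```

A hit for a confined domain against a generic type points at a tree to check with `restorecon -R -v`, as in comment 2; it is a hint, not proof, since a missing policy rule produces the same shape of denial.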