Bug 1283134

Summary: SELinux interferes with a logrotate job which uses su
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: asadawar, ebarrera, jkaluza, jorton, lvrabec, mgrepl, mmalik, plautrba, pvrabec, redhat-bugzilla, robert.scheck, simon.fayer05, ssekidde, tcarlin
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-93.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 02:24:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1295396    

Description Milos Malik 2015-11-18 11:06:02 UTC 
Following line appears in the journal:
Nov 18 10:48:03 rhel72.localdomain runuser[6492]: pam_systemd(runuser-l:session): Failed to create session: Access denied

Version-Release number of selected component (if applicable):
kernel-3.10.0-327.el7.x86_64
kernel-devel-3.10.0-327.el7.x86_64
kernel-headers-3.10.0-327.el7.x86_64
kernel-modules-extra-1.0-1.noarch
kernel-tools-3.10.0-327.el7.x86_64
kernel-tools-libs-3.10.0-327.el7.x86_64
logrotate-3.8.6-6.el7.x86_64
selinux-policy-3.13.1-60.el7.noarch
selinux-policy-devel-3.13.1-60.el7.noarch
selinux-policy-doc-3.13.1-60.el7.noarch
selinux-policy-minimum-3.13.1-60.el7.noarch
selinux-policy-mls-3.13.1-60.el7.noarch
selinux-policy-sandbox-3.13.1-60.el7.noarch
selinux-policy-targeted-3.13.1-60.el7.noarch

How reproducible:
 * when crond executes the logrotate job located in /etc/cron.daily directory

Actual results (enforcing mode):
----
type=USER_AVC msg=audit(11/18/2015 10:48:03.618:278) : pid=535 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6492 tpid=606 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/18/2015 10:48:04.034:283) : pid=6562 uid=root auid=root ses=5 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  can't open netlink socket: 13 (Permission denied)  exe=/usr/bin/su sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(11/18/2015 10:48:04.034:282) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=netlink a1=SOCK_RAW a2=cbt a3=0x1 items=0 ppid=6551 pid=6562 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=5 comm=su exe=/usr/bin/su subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/18/2015 10:48:04.034:282) : avc:  denied  { create } for  pid=6562 comm=su scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket 
----

Expected results:
 * no SELinux denials
Comment 1 Miroslav Grepl 2015-12-18 15:01:56 UTC 
We need to back port also crond changes form the latest upstream cron fixes.
Comment 2 Miroslav Grepl 2016-01-18 09:53:41 UTC 
*** Bug 1298523 has been marked as a duplicate of this bug. ***
Comment 3 Thom Carlin 2016-02-14 12:38:47 UTC 
Also seen in RHCI 6.0 TP2 RC9
/etc/cron.daily/logrotate:

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
/usr/sbin/rabbitmqctl: line 44: 17441 Aborted                 su rabbitmq -s /bin/sh -c "/usr/lib/rabbitmq/bin/${SCRIPT} ${CMDLINE}"
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '

type=SYSCALL msg=audit(1455438965.205:86034): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=17430 pid=17441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=48 comm="su" exe="/usr/bin/su" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Comment 4 Robert Scheck 2016-03-17 12:49:02 UTC 
Can we get this somehow forward, given there is a ticket on the Red Hat
customer portal?
Comment 5 Miroslav Grepl 2016-03-17 13:01:17 UTC 
It is going to be addressed in rhel-7.3.0.
Comment 6 Lukas Vrabec 2016-06-14 13:32:07 UTC 
Hi, 
Do you know why is logrotate trying to communicate with systemd-logind service via dbus? 

Thank you.
Comment 7 Joe Orton 2016-06-14 13:49:21 UTC 
Isn't it the postrotate scriptlet for rabbitmq which is trying to talk to logind?

/usr/sbin/rabbitmqctl: line 44: 17441 Aborted                 su rabbitmq -s /bin/sh -c "/usr/lib/rabbitmq/bin/${SCRIPT} ${CMDLINE}"

... this comes from rabbitmq not logrotate.
Comment 14 Milos Malik 2016-08-04 11:38:30 UTC 
I'm afraid this bug is not completely fixed. Some logrotate scripts run su and then su runs unix_chkpwd. Therefore you can see SELinux denials like:

----
type=USER_AVC msg=audit(08/04/2016 11:45:06.141:735) : pid=31279 uid=root auid=root ses=23 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd  exe=/usr/bin/su sauid=root hostname=? addr=? terminal=?' 
----
type=PATH msg=audit(08/04/2016 11:45:06.143:736) : item=0 name=/etc/shadow inode=17847672 dev=fd:03 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/04/2016 11:45:06.143:736) :  cwd=/var/lib/rabbitmq 
type=SYSCALL msg=audit(08/04/2016 11:45:06.143:736) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f7d31b32453 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=31279 pid=31280 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=23 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/04/2016 11:45:06.143:736) : avc:  denied  { read } for  pid=31280 comm=unix_chkpwd name=shadow dev="vda3" ino=17847672 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
----
Comment 19 errata-xmlrpc 2016-11-04 02:24:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html