Bug 1333726

Summary: SELinux prevents xinetd-spawned process from su
Product: Red Hat Enterprise Linux 7
Reporter: Troels Arvin <troels>
Component: selinux-policy
Assignee: Simon Sekidde <ssekidde>
Status: CLOSED ERRATA
QA Contact: Jan Zarsky <jzarsky>
Severity: medium
Priority: medium
Version: 7.2
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-83.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-11-04 02:28:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Troels Arvin 2016-05-06 08:49:27 UTC
Environment: RHEL 7.2 with all the latest fixes.

The server has the Check_MK agent (check-mk-agent-1.2.6p16-3.el7.x86_64 from EPEL) installed, and the mk_postgres module has been activated by symlinking /usr/share/check-mk-agent/available-plugins/mk_postgres to /usr/share/check-mk-agent/plugins/mk_postgres
The agent plugin's code may be viewed here: http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=agents/plugins/mk_postgres;h=8333eee316a99e634394aee4f3048b6becc56d69;hb=c33010ba2d24c8b81c4e6221f3cd61bade7e7d9e

PostgreSQL version: rh-postgresql94-postgresql 9.4.6-1.el7.x86_64 (from RHEL 7's software collections).

Trouble: The Check_MK agent response becomes very slow when the mk_postgres agent plugin is activated -- to the extent that checks time out, causing monitoring alerts and missing monitoring data.

Meanwhile, in /var/log/audit/audit.log:
type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=925 tpid=2851 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

The AVC denials pop up when the mk_postgres agent plugin performs a "su" from root to "postgres". Changing the script to use "runuser" instead of "su" does not help.


I've found two different ways to fix this; the latter seems best:

1. Stop the dbus.service and dbus.socket services. But this results in a subsequent flood of messages like: Apr 29 21:48:12 hostname su: pam_systemd(su-l:session): Failed to connect to system bus: Connection refused

2. Add the following SELinux module:
---------------------------------------
module inetd_dbus 1.0;
require {
  type systemd_logind_t;
  type inetd_child_t;
  class dbus send_msg;
}
#============= systemd_logind_t ==============
allow systemd_logind_t inetd_child_t:dbus send_msg;
---------------------------------------

I propose that the above SELinux module be part of the general SELinux policy.

See also
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/EJMS2PCSKLHEA375GOHPB5F6UJSK47M5/
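As an added example (not code from the bug report, from Check_MK, or from Red Hat's policy sources), the following Python parses audit records of the kind quoted in the description and emits the same minimal policy module the reporter posted, which is what audit2allow does on a real system. It generalises slightly beyond the report: the same parser also handles kernel AVC records carrying several permissions, and merges denials with the same source type, target type and class into one rule. The first sample line is the USER_AVC record from the report; the second is constructed for this example (the file denial, the comm/name values and the type postgresql_db_t are assumed, not taken from the report), and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sample 1 is the USER_AVC record quoted in the bug report.
# Sample 2 is CONSTRUCTED for this example (a kernel AVC with two permissions),
# not something the report observed.
SAMPLE_AUDIT_LINES: List[str] = [
    "type=USER_AVC msg=audit(1462018794.424:153): pid=704 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=925 "
    "tpid=2851 scontext=system_u:system_r:systemd_logind_t:s0 "
    "tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=dbus "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    # constructed sample, assumed types and names:
    "type=AVC msg=audit(1462018800.001:155): avc:  denied  { read open } for  "
    "pid=2851 comm=\"mk_postgres\" name=\"pg_hba.conf\" dev=\"dm-0\" ino=12345 "
    "scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:postgresql_db_t:s0 tclass=file permissive=0",
]

# One pattern covers both kernel AVC records and dbus USER_AVC records: the
# permission set in braces, then scontext / tcontext / tclass later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)


@dataclass
class Denial:
    perms: List[str]
    stype: str   # source (subject) type
    ttype: str   # target (object) type
    tclass: str  # object class, e.g. dbus or file


def context_type(ctx: str) -> str:
    """The third field of user:role:type[:range] is the SELinux type."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return the pieces of one denial, or None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(
        perms=m["perms"].split(),
        stype=context_type(m["scontext"]),
        ttype=context_type(m["tcontext"]),
        tclass=m["tclass"],
    )


def format_perms(perms: Set[str]) -> str:
    """Policy syntax: a single permission bare, several inside braces."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def allow_rules(lines: List[str]) -> List[str]:
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        merged.setdefault((d.stype, d.ttype, d.tclass), set()).update(d.perms)
    return [f"allow {s} {t}:{c} {format_perms(p)};"
            for (s, t, c), p in sorted(merged.items())]


def build_module(name: str, version: str, lines: List[str]) -> str:
    """Emit complete .te source: module header, require block, allow rules."""
    types: Set[str] = set()
    classes: Dict[str, Set[str]] = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        types.update((d.stype, d.ttype))
        classes.setdefault(d.tclass, set()).update(d.perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # For the report's own record this reproduces the module from the description.
    print(build_module("inetd_dbus", "1.0", SAMPLE_AUDIT_LINES[:1]))
```

Fed only the report's USER_AVC record, build_module prints the inetd_dbus module from the description. On a RHEL 7 host the emitted .te is built and loaded with `checkmodule -M -m -o inetd_dbus.mod inetd_dbus.te`, `semodule_package -o inetd_dbus.pp -m inetd_dbus.mod` and `semodule -i inetd_dbus.pp`. The generated rule should be read before loading, since anything produced this way allows exactly what was denied and nothing narrower; a local module is a stopgap until the distribution policy carries the fix, which for this bug is selinux-policy-3.13.1-83.el7.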

Comment 6 errata-xmlrpc 2016-11-04 02:28:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html