Bug 1389191

Summary: psad fails to start due to SELinux denials
Product: Red Hat Enterprise Linux 7
Reporter: Dominik 'Rathann' Mierzejewski <dominik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.2
CC: frank, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2017-10-12 12:19:32 UTC
Type: Bug
Bug Blocks: 1281755

Attachments (description / flags):
  SELinux denials caught in enforcing mode / none
  SELinux denials caught in permissive mode / none

Description Dominik 'Rathann' Mierzejewski 2016-10-27 07:20:27 UTC
Description of problem:
psad fails to start due to SELinux denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.9.noarch

How reproducible:
Always.

Steps to Reproduce:
1. wget -O /etc/yum.repos.d/rathann-psad-epel-7.repo https://copr.fedorainfracloud.org/coprs/rathann/psad/repo/epel-7/rathann-psad-epel-7.repo
2. yum install psad
3. semodule -r psad-rpm # remove policy bits installed by the above package
4. systemctl start psad.service

Actual results:
psad fails to start due to SELinux denials:
type=AVC msg=audit(1477510658.428:28855): avc:  denied  { write } for  pid=27489 comm="sh" path="/var/log/psad/psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.604:28857): avc:  denied  { read } for  pid=27486 comm="psad" name="psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.644:28858): avc:  denied  { unlink } for  pid=27486 comm="psad" name="psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { execute } for  pid=27522 comm="psad" name="journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { read open } for  pid=27522 comm="psad" path="/usr/bin/journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { execute_no_trans } for  pid=27522 comm="psad" path="/usr/bin/journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28862): avc:  denied  { getattr } for  pid=27522 comm="journalctl" path="/proc/1/environ" dev="proc" ino=281127 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28863): avc:  denied  { sys_resource } for  pid=27522 comm="journalctl" capability=24  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=capability
type=AVC msg=audit(1477510658.985:28864): avc:  denied  { read } for  pid=27522 comm="journalctl" name="journal" dev="tmpfs" ino=12340 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1477510658.986:28865): avc:  denied  { read } for  pid=27522 comm="journalctl" name="system.journal" dev="tmpfs" ino=12342 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1477510658.986:28865): avc:  denied  { open } for  pid=27522 comm="journalctl" path="/run/log/journal/c86086bcec664c19b7a5f75f9bdf9651/system.journal" dev="tmpfs" ino=12342 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1477510658.986:28866): avc:  denied  { getattr } for  pid=27522 comm="journalctl" path="/run/log/journal/c86086bcec664c19b7a5f75f9bdf9651/system.journal" dev="tmpfs" ino=12342 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1477510658.987:28867): avc:  denied  { rename } for  pid=27520 comm="psad" name="top_ports.tmp" dev="dm-0" ino=33621384 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510659.511:28898): avc:  denied  { write } for  pid=27520 comm="psad" path="/var/log/psad/top_ports.tmp" dev="dm-0" ino=33621381 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510659.511:28899): avc:  denied  { rename } for  pid=27520 comm="psad" name="top_ports.tmp" dev="dm-0" ino=33621381 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510659.511:28899): avc:  denied  { unlink } for  pid=27520 comm="psad" name="top_ports" dev="dm-0" ino=33621384 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file

Expected results:
psad starts and works.

Additional info:
Here are the missing policy bits (added by my copr package):

module psad-rpm 1.0;

require {
    type psad_t;
    type psad_var_log_t;
    type init_t;
    type journalctl_exec_t;
    type syslogd_var_run_t;
    class file { read execute open execute_no_trans getattr rename unlink write };
    class dir { read };
    class capability { sys_resource };
}
 
#============= psad_t ==============
allow psad_t init_t:file getattr;
allow psad_t journalctl_exec_t:file { read execute open execute_no_trans };
allow psad_t psad_var_log_t:file { write read rename unlink };
allow psad_t self:capability sys_resource;
allow psad_t syslogd_var_run_t:dir read;
allow psad_t syslogd_var_run_t:file { read getattr open };

Comment 2 Milos Malik 2016-10-27 08:34:04 UTC
Seen in permissive mode:

# ausearch -m avc -m user_avc -i -ts 04:29 | audit2allow
allow psad_t NetworkManager_t:dir { getattr search };
allow psad_t NetworkManager_t:file { open read };
allow psad_t auditd_t:dir { getattr search };
allow psad_t auditd_t:file { open read };
allow psad_t avahi_t:dir { getattr search };
allow psad_t avahi_t:file { open read };
allow psad_t crond_t:dir { getattr search };
allow psad_t crond_t:file { open read };
allow psad_t dhcpc_t:dir { getattr search };
allow psad_t dhcpc_t:file { open read };
allow psad_t getty_t:dir { getattr search };
allow psad_t getty_t:file { open read };
allow psad_t getty_t:lnk_file read;
allow psad_t gssproxy_t:dir { getattr search };
allow psad_t gssproxy_t:file { open read };
allow psad_t init_t:file { getattr open read };
allow psad_t journalctl_exec_t:file { execute execute_no_trans open read };
allow psad_t kernel_t:dir { getattr search };
allow psad_t kernel_t:file { open read };
allow psad_t lvm_t:dir { getattr search };
allow psad_t lvm_t:file { open read };
allow psad_t modemmanager_t:dir { getattr search };
allow psad_t modemmanager_t:file { open read };
allow psad_t nfsd_t:dir { getattr search };
allow psad_t nfsd_t:file { open read };
allow psad_t policykit_t:dir { getattr search };
allow psad_t policykit_t:file { open read };
allow psad_t psad_var_log_t:file { read rename unlink write };
allow psad_t rhnsd_t:dir { getattr search };
allow psad_t rhnsd_t:file { open read };
allow psad_t rhsmcertd_t:dir { getattr search };
allow psad_t rhsmcertd_t:file { open read };
allow psad_t rpcbind_t:dir { getattr search };
allow psad_t rpcbind_t:file { open read };
allow psad_t rpcd_t:dir { getattr search };
allow psad_t rpcd_t:file { open read };
allow psad_t self:capability sys_resource;
allow psad_t self:process setrlimit;
allow psad_t sendmail_t:dir { getattr search };
allow psad_t sendmail_t:file { open read };
allow psad_t sshd_t:dir { getattr search };
allow psad_t sshd_t:file { open read };
allow psad_t syslogd_t:dir { getattr search };
allow psad_t syslogd_t:file { open read };
allow psad_t syslogd_var_run_t:dir read;
allow psad_t syslogd_var_run_t:file { getattr open read };
allow psad_t system_cronjob_t:dir { getattr search };
allow psad_t system_cronjob_t:file { open read };
allow psad_t system_dbusd_t:dbus send_msg;
allow psad_t system_dbusd_t:dir { getattr search };
allow psad_t system_dbusd_t:file { open read };
allow psad_t system_dbusd_t:unix_stream_socket connectto;
allow psad_t system_mail_t:dir { getattr search };
allow psad_t system_mail_t:file { open read };
allow psad_t systemd_logind_t:dir { getattr search };
allow psad_t systemd_logind_t:file { open read };
allow psad_t tuned_t:dir { getattr search };
allow psad_t tuned_t:file { open read };
allow psad_t udev_t:dir { getattr search };
allow psad_t udev_t:file { open read };
allow psad_t unconfined_t:dir { getattr search };
allow psad_t unconfined_t:file { open read };
allow psad_t unconfined_t:lnk_file read;

Raw SELinux denials will be attached soon.

Comment 3 Milos Malik 2016-10-27 08:40:56 UTC
Created attachment 1214523 [details]
SELinux denials caught in enforcing mode

Comment 4 Milos Malik 2016-10-27 08:41:44 UTC
Created attachment 1214524 [details]
SELinux denials caught in permissive mode

Comment 5 Frank Crawford 2016-11-27 10:15:19 UTC
Note that while this has been reported against RHEL 7.2, I've seen similar issues with Fedora 24.

Also, the actual SELinux denials seem to come from searches of /proc, and so will depend on what processes are actually running.

Comment 6 Dominik 'Rathann' Mierzejewski 2016-11-27 17:39:11 UTC
Fedora issue is fixed already.

I believe the /proc denials are the result of psad trying to find out which process is listening on which port and do not actually prevent it from running.

Comment 7 Frank Crawford 2016-11-28 10:18:26 UTC
I wasn't sure if the issue was fixed in Fedora yet, as I run in permissive mode, however the denials in /proc are a major issue, as they cause setroubleshoot to run almost continuously, pretty much using an entire CPU.

Comment 8 Dominik 'Rathann' Mierzejewski 2016-11-28 22:41:41 UTC
(In reply to Frank Crawford from comment #7)
> I wasn't sure if the issue was fixed in Fedora yet,

I meant that only the non-proc denials are fixed in Fedora. They're temporarily fixed in the psad package, selinux update is still pending.

> as I run in permissive
> mode, however the denials in /proc are a major issue, as they cause
> setroubleshoot to run almost continuously, pretty much using an entire CPU.

Ah. I don't run setroubleshoot, so I'm not seeing this. In your case it looks like a real issue, then.

Comment 10 Lukas Vrabec 2017-10-12 12:19:32 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
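The local-policy-module route suggested in comment 10, worked through as an added example. This is not code from psad, from the reporter's psad-rpm module, or from audit2allow; it reimplements the audit2allow grouping step (denials grouped by source type, target type and class, permissions unioned) over the AVC records quoted in the description, plus two constructed records (the pid 1234 / sshd_t lines) modelled on the /proc denials summarised in comment 2. The one deliberate difference from audit2allow addresses comments 5 to 8: a denial whose target context carries a process role (for example system_u:system_r:init_t:s0 rather than an object_r type) is a /proc/<pid> entry labelled with that process's own context, i.e. the port-to-process scan, and is emitted as dontaudit instead of allow. That silences the setroubleshoot churn from comment 7 without granting psad_t read access to every other domain's /proc state. The module name psad_local and all function names are assumptions.

```python
"""Build a local SELinux policy module (.te source) from raw AVC denials.

Added example for bug 1389191, not code from psad, psad-rpm or audit2allow.
Denials against another domain's /proc/<pid> entries become dontaudit rules.
"""
import re
from collections import OrderedDict

# One pattern captures the '{ perms }' list and the scontext/tcontext/tclass triple.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (stype, trole, ttype, tclass, perms) for one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; an MLS level can itself contain ':'
    # (s0-s0:c0.c1023), so split at most three times.
    _, _, stype, _ = m.group("scontext").split(":", 3)
    _, trole, ttype, _ = m.group("tcontext").split(":", 3)
    return stype, trole, ttype, m.group("tclass"), m.group("perms").split()


def aggregate(lines):
    """Group denials by (source type, target type, class); perms keep first-seen order."""
    rules = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, trole, ttype, tclass, perms = parsed
        entry = rules.setdefault((stype, ttype, tclass), {"perms": [], "trole": trole})
        for perm in perms:
            if perm not in entry["perms"]:
                entry["perms"].append(perm)
    return rules


def fmt_perms(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, rules):
    """Emit .te source: a require block, then one allow/dontaudit rule per group."""
    types, classes = set(), OrderedDict()
    for (stype, ttype, tclass), entry in rules.items():
        types.update((stype, ttype))
        perms = classes.setdefault(tclass, [])
        perms.extend(p for p in entry["perms"] if p not in perms)
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["    type %s;" % t for t in sorted(types)]
    out += ["    class %s { %s };" % (c, " ".join(p)) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), entry in rules.items():
        perms = fmt_perms(entry["perms"])
        if ttype == stype:                      # e.g. capability checks on the process itself
            out.append("allow %s self:%s %s;" % (stype, tclass, perms))
        elif entry["trole"] != "object_r":      # /proc/<pid> entry of another domain
            out.append("# another domain's /proc entry (port-to-process scan): silence, do not grant")
            out.append("dontaudit %s %s:%s %s;" % (stype, ttype, tclass, perms))
        else:
            out.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perms))
    return "\n".join(out) + "\n"


# Sample input: records quoted from the bug description, plus two CONSTRUCTED
# records (pid 1234, sshd_t) standing in for the /proc scan denials of comment 2.
SAMPLE_AVCS = """\
type=AVC msg=audit(1477510658.428:28855): avc:  denied  { write } for  pid=27489 comm="sh" path="/var/log/psad/psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.644:28858): avc:  denied  { unlink } for  pid=27486 comm="psad" name="psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { execute } for  pid=27522 comm="psad" name="journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { read open } for  pid=27522 comm="psad" path="/usr/bin/journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28862): avc:  denied  { getattr } for  pid=27522 comm="journalctl" path="/proc/1/environ" dev="proc" ino=281127 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28863): avc:  denied  { sys_resource } for  pid=27522 comm="journalctl" capability=24  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=capability
type=AVC msg=audit(1477510658.985:28864): avc:  denied  { read } for  pid=27522 comm="journalctl" name="journal" dev="tmpfs" ino=12340 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1477510658.987:28867): avc:  denied  { rename } for  pid=27520 comm="psad" name="top_ports.tmp" dev="dm-0" ino=33621384 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510700.100:29001): avc:  denied  { search } for  pid=27520 comm="psad" name="1234" dev="proc" ino=98765 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=dir
type=AVC msg=audit(1477510700.101:29002): avc:  denied  { read } for  pid=27520 comm="psad" name="cmdline" dev="proc" ino=98766 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
"""

if __name__ == "__main__":
    print(render_module("psad_local", aggregate(SAMPLE_AVCS.splitlines())), end="")
```

Feed it the real records with `ausearch -m avc -ts recent | python3 this_script.py`-style plumbing (read stdin instead of SAMPLE_AVCS), then build and load the result the same way the linked guide does: `checkmodule -M -m -o psad_local.mod psad_local.te`, `semodule_package -o psad_local.pp -m psad_local.mod`, `semodule -i psad_local.pp`. Two things to check before loading: every allow line grants exactly what was attempted, so unlink/rename on psad_var_log_t should be something you actually want psad to have; and `execute_no_trans` on journalctl_exec_t keeps journalctl running inside psad_t, which is why the description shows comm="journalctl" with scontext psad_t being denied on syslogd_var_run_t, so those journal-read rules are a consequence of that choice rather than an independent bug.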
