Bug 1397744

Summary: SELinux is preventing /usr/bin/systemctl from 'write' accesses on the chr_file kmsg.
Product: Red Hat Enterprise Linux 7 Reporter: Supreet <srandhaw>
Component: selinux-policy Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.3 CC: brian, dominick.grift, dwalsh, extras-qa, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, yasir.elsharif
Target Milestone: rc   
Target Release: 7.4   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:32c48965af05234a05c970c5926eb9e6d21d0605ae0bd98e291e6d36209c49ae;
Fixed In Version: selinux-policy-3.13.1-174.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1295508 Environment:
Last Closed: 2018-04-10 12:25:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1295508    
Bug Blocks: 1420851    

Description Supreet 2016-11-23 10:00:41 UTC
+++ This bug was initially created as a clone of Bug #1295508 +++

SELinux is preventing /usr/bin/systemctl from write access on the chr_file kmsg.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemctl should be allowed write access on the kmsg chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -i my-systemctl.pp


Additional Information:
Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                kmsg [ chr_file ]
Source                        systemctl
Source Path                   /usr/bin/systemctl
Port                          <Unknown>
Host                          satellite2.point.local
Source RPM Packages           systemd-219-30.el7_3.6.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.4.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     satellite2.point.local
Platform                      Linux satellite2.point.local 3.10.0-514.el7.x86_64
                              #1 SMP Wed Oct 19 11:24:13 EDT 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-11-09 03:45:06 EET
Last Seen                     2016-11-21 03:21:04 EET
Local ID                      a020456c-e7f8-4db6-9c99-bb3aacf7811e

Raw Audit Messages
type=AVC msg=audit(1479691264.861:26091): avc:  denied  { write } for  pid=22935 comm="systemctl" name="kmsg" dev="devtmpfs" ino=1034 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1479691264.861:26091): arch=x86_64 syscall=open success=no exit=EACCES a0=7f5bfde8117f a1=80101 a2=ffffffff a3=7f5bfceda7b8 items=0 ppid=22934 pid=22935 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3671 comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Hash: systemctl,logrotate_t,kmsg_device_t,chr_file,write

Comment 1 Supreet 2016-11-23 10:02:35 UTC
Additional info:

[root@supreet sosreport-MarkoMki.01744697-20161122110509]# grep selinux installed-rpms 
candlepin-selinux-0.9.49.16-1.el7.noarch                    Mon Nov  7 11:56:04 2016
foreman-selinux-1.7.2.16-1.el7sat.noarch                    Mon Nov 23 15:27:14 2015
libselinux-2.5-6.el7.x86_64                                 Mon Nov  7 11:54:53 2016
libselinux-python-2.5-6.el7.x86_64                          Mon Nov  7 11:55:14 2016
libselinux-ruby-2.5-6.el7.x86_64                            Mon Nov  7 11:58:45 2016
libselinux-utils-2.5-6.el7.x86_64                           Mon Nov  7 11:55:51 2016
pulp-selinux-2.6.0.21-1.el7sat.noarch                       Tue Aug  2 13:32:30 2016
selinux-policy-3.13.1-102.el7_3.4.noarch                    Mon Nov  7 11:55:52 2016
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch           Mon Nov  7 11:56:35 2016
[root@supreet sosreport-MarkoMki.01744697-20161122110509]#

Comment 3 Daniel Walsh 2016-11-23 16:21:18 UTC
Looks like a logrotate script is executing a kmesg command.  Not sure why it is doing this rather than write to syslog.  Allowing this is probably ok, but I am not sure if there are any potential problems allowing processes to write to /dev/kmsg.

Comment 4 Milos Malik 2016-11-24 08:56:10 UTC
Please provide the output of the following command:

# grep kmsg /proc/cmdline

I already saw similar AVCs on machines where the following parameters were given to the kernel at boot time:

systemd.debug systemd.log_level=debug systemd.log_target=kmsg

Comment 5 Supreet 2016-11-25 05:52:09 UTC
Hello Milos,

Please find below the requested information from the sosreport:

[root@supreet sosreport-MarkoMki.01744697-20161122110509]# grep kmsg proc/cmdline 
BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet LANG=en_GB.UTF-8 systemd.debug systemd.log_level=debug systemd.log_target=kmsg
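
The check that Comments 4 and 5 perform by hand, as an added example (not part of the original bug report and not code from the selinux-policy project): it parses an AVC record and reports whether a denied write to a kmsg_device_t character device coincides with systemd.log_target=kmsg on the kernel command line. The function names and result strings are assumptions made for this example; the sample inputs are copied from the report above.

```python
import re

# Inputs copied from the AVC record and the proc/cmdline output quoted in this bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1479691264.861:26091): avc:  denied  { write } for  pid=22935 '
    'comm="systemctl" name="kmsg" dev="devtmpfs" ino=1034 '
    'scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file')
SAMPLE_CMDLINE = (
    'BOOT_IMAGE=/vmlinuz-3.10.0-514.el7.x86_64 root=/dev/mapper/rhel-root ro '
    'rd.lvm.lv=rhel/swap crashkernel=auto rd.lvm.lv=rhel/root rhgb quiet '
    'LANG=en_GB.UTF-8 systemd.debug systemd.log_level=debug systemd.log_target=kmsg')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return decision, permission set and key=value fields of an AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {'decision': m.group(1), 'perms': set(m.group(2).split()), 'fields': fields}

def context_type(context):
    """Type component of an SELinux context (user:role:type[:level])."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def logs_to_kmsg(cmdline):
    """True if the kernel command line carries systemd.log_target=kmsg."""
    return 'systemd.log_target=kmsg' in cmdline.split()

def triage(avc_line, cmdline):
    """Classify one record; the result strings are labels made up for this example."""
    rec = parse_avc(avc_line)
    if rec is None or rec['decision'] != 'denied':
        return 'not-a-denial'
    f = rec['fields']
    if not ('write' in rec['perms'] and f.get('tclass') == 'chr_file'
            and context_type(f.get('tcontext', '')) == 'kmsg_device_t'):
        return 'unrelated'
    source = context_type(f.get('scontext', ''))
    if logs_to_kmsg(cmdline):
        return f'{source}: kmsg write explained by systemd.log_target=kmsg'
    return f'{source}: kmsg write, boot parameters do not explain it'

if __name__ == '__main__':
    print(triage(SAMPLE_AVC, SAMPLE_CMDLINE))
```
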

Comment 11 errata-xmlrpc 2018-04-10 12:25:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763