Bug 1477542
| Summary: | Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.4 | CC: | adam.winberg, ajawarka, bperkins, cww, jreznik, lvrabec, mgrepl, mmalik, mthacker, plautrba, pvrabec, robert.scheck, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-188.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-04-10 12:34:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Cross-filed ticket 01903060 on the Red Hat customer portal. I assume that the AVC in comment#0 talks about /proc/sys/net directory. There is a lot of files and directories under /proc/sys/net, all of them are labeled sysctl_net_t except for: # ls -Z /proc/sys/net/unix -rw-r--r--. root root system_u:object_r:sysctl_net_unix_t:s0 max_dgram_qlen # $ sealert -l f56525a2-36a4-48ef-a9d8-61adbc0f3e1d
[…]
Source Context system_u:system_r:keepalived_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects net [ dir ]
Source keepalived
Source Path /usr/sbin/keepalived
[…]
Policy RPM selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
[…]
Raw Audit Messages
type=AVC msg=audit(1502994621.228:112561): avc: denied { search } for pid=2198 comm="keepalived" name="net" dev="proc" ino=9716 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
[…]
$
$ find /proc/ -inum 9716
/proc/sys/net
$
So the issue seems to be that keepalived is not allowed to search in the
/proc/sys/net directory in general?
comment#0 mentions that keepalived triggers SELinux denials which are related to /proc and sysctl_net_t. Here is the /proc related one: ---- type=PROCTITLE msg=audit(01/30/2018 10:55:44.274:633) : proctitle=/usr/sbin/keepalived -D --snmp type=SYSCALL msg=audit(01/30/2018 10:55:44.274:633) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x5566d189c854 a1=0x7ffc459bb9f0 a2=0x8000 a3=0x46 items=0 ppid=11234 pid=11236 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) type=AVC msg=audit(01/30/2018 10:55:44.274:633) : avc: denied { getattr } for pid=11236 comm=keepalived name=/ dev="proc" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem ---- The AVC is reproducible even if the latest selinux-policy build is installed. # rpm -qa selinux\* keepalived\* | sort keepalived-1.3.5-5.el7.x86_64 selinux-policy-3.13.1-186.el7.noarch selinux-policy-devel-3.13.1-186.el7.noarch selinux-policy-targeted-3.13.1-186.el7.noarch # Based on SELinux denials from comment#0 and comment#4, keepalived wants to search something under /proc/sys/net. Even if keepalived found the right file, it would not be able to read it, because the policy does not allow keepalived to read any files under /proc/sys/net. Therefore I believe that following rule should be also added to the policy: allow keepalived_t sysctl_net_t : file { getattr open read } ; The same SELinux denial as mentioned in comment#8 appeared again: ---- type=PROCTITLE msg=audit(02/06/2018 09:04:22.470:361) : proctitle=/usr/sbin/keepalived -D --snmp type=SYSCALL msg=audit(02/06/2018 09:04:22.470:361) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x558e1d0c6854 a1=0x7fff30aec800 a2=0x8000 a3=0x46 items=0 ppid=20591 pid=20593 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) type=AVC msg=audit(02/06/2018 09:04:22.470:361) : avc: denied { getattr } for pid=20593 comm=keepalived name=/ dev="proc" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 ---- # rpm -qa selinux\* selinux-policy-targeted-3.13.1-187.el7.noarch selinux-policy-3.13.1-187.el7.noarch selinux-policy-devel-3.13.1-187.el7.noarch # Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
Description of problem: Since updating to RHEL 7.4 which contains a keepalived update from 1.2.x to 1.3.x, the following SELinux related message shows up: type=AVC msg=audit(1501671861.845:45): avc: denied { search } for pid=2154 comm="keepalived" name="net" dev="proc" ino=9992 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir type=SYSCALL msg=audit(1501671861.845:45): arch=c000003e syscall=2 success=no exit=-13 a0=5623b7fa8330 a1=0 a2=5623b7fa834c a3=63 items=0 ppid=2152 pid=2154 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null) type=PROCTITLE msg=audit(1501671861.845:45): proctitle=2F7573722F7362696E2F6B656570616C69766564002D44 Version-Release number of selected component (if applicable): selinux-policy-3.13.1-166.el7.noarch selinux-policy-targeted-3.13.1-166.el7.noarch keepalived-1.3.5-1.el7.x86_64 How reproducible: Everytime during boot when keepalived gets started. Actual results: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t. Expected results: No AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t, but I am not sure if this should be allowed or not (currently not allowed).