Bug 1534182

Summary:	aide requires "map" privilege
Product:	[Fedora] Fedora	Reporter:	Alan Hamilton <alanh>
Component:	selinux-policy	Assignee:	Lukas Vrabec <lvrabec>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	27	CC:	dwalsh, john.horne, lvrabec, mgrepl, plautrba, pmoore
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.13.1-283.24.fc27 selinux-policy-3.13.1-284.37.fc27	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-08-08 15:34:16 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Alan Hamilton 2018-01-13 21:42:11 UTC

Description of problem:
When running from cron/anacron, all aide checks fail with avc violations:
type=AVC msg=audit(1515754088.650:51467): avc:  denied  { map } for  pid=10774 comm="aide" path="/usr/share/doc/kbd/ANSI-dvorak.gif" dev="xvda1" ino=402604 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

This occurs for every file checked.

Version-Release number of selected component (if applicable):
aide-0.16-4.fc27.x86_64
selinux-policy-3.13.1-283.21.fc27.noarch

How reproducible:
Whenever aide is run confined. Unconfined runs and runs with setenforce 0 succeeed.

Steps to Reproduce:
1. Set up aide to scan the filesystem for changes.
2. Schedule aide to run in anacron

Actual results:
The run returns access denied for all files, and the above AVC message for each file checked.

Expected results:
A summary of changed files.

Additional info:
This appears releated to the upstream selinux change https://github.com/SELinuxProject/selinux-kernel/commit/6941857e82ae3da11373c9d80d75cdc10a5caafc which broke out the "map" privilege from the "read" privilege. Since aide mmaps the files it checks, it needs "map all files" in addition to "read all files".

Comment 1 Fedora Update System 2018-01-30 16:40:25 UTC

selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 2 Fedora Update System 2018-01-31 22:44:30 UTC

selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8

Comment 3 John Horne 2018-02-02 12:20:04 UTC

I'm still seeing a lot of AVC denials for aide. This is just a short copy/paste taken from the audit log file:

==================
type=AVC msg=audit(1517573596.990:90842): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/grub2-set-default" dev="sda5" ino=3408710 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90843): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/rtcwake" dev="sda5" ino=3414137 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90844): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/selinuxenabled" dev="sda5" ino=3420379 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90845): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/btrfs-map-logical" dev="sda5" ino=3409700 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90846): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/smartctl" dev="sda5" ino=3460902 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fsadm_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.990:90847): avc:  denied  { map } for  pid=20120 comm="aide" path="/usr/sbin/chcpu" dev="sda5" ino=3431555 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90848): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/at/.SEQ" dev="sda5" ino=5638750 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90849): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/root" dev="sda5" ino=5767495 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90850): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/exim" dev="sda5" ino=5767452 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1517573596.993:90851): avc:  denied  { map } for  pid=20120 comm="aide" path="/var/spool/cron/john" dev="sda5" ino=5768173 scontext=system_u:system_r:aide_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
==================


rpm -q selinux-policy
selinux-policy-3.13.1-283.24.fc27.noarch
rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-283.24.fc27.noarch

Comment 4 Alan Hamilton 2018-02-02 16:34:32 UTC

I'm still seeing the aide "map" avcs too.

Comment 5 Fedora Update System 2018-02-06 15:30:59 UTC

selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 John Horne 2018-02-06 16:08:29 UTC

A little bit confused why this has been marked as CLOSED when it still has problems. I included a comment on bodhi as well, but notice that the -1 karma I set has been omitted.
As per comments #2 and #5, problems still persist and I have made a note of them in this bug report. Can it be reopened?

Comment 7 Alan Hamilton 2018-02-06 16:15:00 UTC

Yes, it's still an issue. Reopening.

Comment 8 Alan Hamilton 2018-05-27 23:07:30 UTC

The bugfix added files_mmap_usr_files(aide_t) to aide's rights, but that only allows mmaping files labeled usr_t. Anything else will still fail.

Comment 9 Fedora Update System 2018-07-27 09:23:15 UTC

selinux-policy-3.13.1-284.37.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 10 Fedora Update System 2018-07-27 15:39:21 UTC

selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-4bb4de2d86

Comment 11 Fedora Update System 2018-08-08 15:34:16 UTC

selinux-policy-3.13.1-284.37.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.