Bug 1534924

Summary: selinux denies audisp-remote to write to its queue file
Product: Red Hat Enterprise Linux 7 Reporter: Ondrej Moriš <omoris>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: high Docs Contact:
Priority: high    
Version: 7.5CC: jjaburek, lmiksik, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-186.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 12:49:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1256920    

Description Ondrej Moriš 2018-01-16 10:07:06 UTC 
Description of problem:

Selinux policy denies audisp-remote (audispd plugin for remote logging) to write to its queue file /var/spool/audit/remote.log:

time->Tue Jan 16 10:10:10 2018
node=REMOTE_LOGGING_CLIENT type=PROCTITLE msg=audit(1516093810.889:5569629): proctitle="/sbin/audisp-remote"
node=REMOTE_LOGGING_CLIENT type=SYSCALL msg=audit(1516093810.889:5569629): arch=c000003e syscall=2 success=no exit=-13 a0=5571a4578bd5 a1=42 a2=180 a3=49 items=0 ppid=22611 pid=22634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote" exe="/usr/sbin/audisp-remote" subj=system_u:system_r:audisp_remote_t:s15:c0.c1023 key=(null)
node=REMOTE_LOGGING_CLIENT type=AVC msg=audit(1516093810.889:5569629): avc:  denied  { write } for  pid=22634 comm="audisp-remote" name="remote.log" dev="dm-4" ino=4230169 scontext=system_u:system_r:audisp_remote_t:s15:c0.c1023 tcontext=staff_u:object_r:audit_spool_t:s0 tclass=file

Tool audit2allow suggest to add the following rule:

allow audisp_remote_t audit_spool_t:file write;

Loading a module containing aforementioned rule resolves the issue. Without it, remote logging with forwarding does not work. 

Version-Release number of selected component (if applicable):

audit-2.8.1-3.el7
kernel-3.10.0-823.el7
selinux-policy-3.13.1-183.el7
selinux-policy-mls-3.13.1-183.el7

How reproducible:

100%

Steps to Reproduce:

1. Setup audit-remote logging using client forwarding mode.
2. Start auditd.

Actual results:

From journalctl:

audisp-remote[22659]: Error initializing audit record queue: Permission denied
audisp-remote[22659]: Connected to A.B.C.D

And AVC mentioned in description.

Expected results:

audisp-remote[25338]: Audisp-remote started with queue_size: 1
audisp-remote[25338]: Connected to A.B.C.D

Additional info:

This problem was discovered on MLS system but it should be reproducible on a system with targeted policy.
Comment 8 errata-xmlrpc 2018-04-10 12:49:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763