Bug 1544923

Summary: SElinux errors after fix of Bug #1486803 by tuned-2.8.0-5.el7_4.2.noarch
Product: Red Hat Enterprise Linux 7
Reporter: R P Herrold <herrold>
Component: tuned
Assignee: Jaroslav Škarvada <jskarvad>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: high
Docs Contact:
Priority: high
Version: 7.4
CC: ajb, atragler, baumanmo, dwd, egarver, fs-qe, herrold, igkioka, infiniband-qe, iptables-maint-list, jarod, jeder, jskarvad, kajtzu, mmalik, myllynen, olysonek, pasik, psutter, rdma-dev-team, redhat-bugzilla, riehecky, steved, thozza, tis, todoleza, toracat
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1544922
Environment:
Last Closed: 2018-02-19 00:04:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1438937, 1486803, 1544921, 1544922
Bug Blocks: 1477413, 1481207, 1486871, 1491963, 1504647

Description R P Herrold 2018-02-13 18:48:46 UTC
+++ This bug was initially created as a clone of Bug #1544922 +++

+++ This bug was initially created as a clone of Bug #1544921 +++

+++ This bug was initially created as a clone of Bug #1486803 +++


--- Additional comment from R P Herrold on 2018-02-13 13:36:27 EST ---

I applied the manual fix of changing the comma to a space, and then did a relabel of the parent file

this removed the logfile error

BUT

when using the second test,

I now get AVC errors:

[root@router ~]# restorecon -Rv /usr/lib/systemd/system/ip6tables.service
[root@router ~]# systemctl daemon-reload
[root@router ~]# systemctl restart iptables ip6tables
[root@router ~]#

the last yields (newly)

Feb 13 13:25:49 router dbus[794]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Feb 13 13:25:49 router systemd: Started IPv6 firewall with ip6tables.
Feb 13 13:25:50 router dbus-daemon: dbus[794]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Feb 13 13:25:50 router dbus[794]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Feb 13 13:25:50 router kernel: Ebtables v2.0 unregistered
Feb 13 13:25:50 router kernel: [ 8910.020673] Ebtables v2.0 unregistered
Feb 13 13:25:50 router libvirtd: 2018-02-13 18:25:50.699+0000: 1428: info : libvirt version: 3.2.0, package: 14.el7_4.7 (CentOS BuildSystem <http://bugs.centos.org>, 2018-01-04-19:31:34, c1bm.rdu2.centos.org)
Feb 13 13:25:50 router libvirtd: 2018-02-13 18:25:50.699+0000: 1428: info : hostname: router.owlriver.net
Feb 13 13:25:50 router libvirtd: 2018-02-13 18:25:50.699+0000: 1428: error : virFirewallApplyRuleFirewallD:790 : The name org.fedoraproject.FirewallD1 was not provided by any .service files

**** from something down in libvirt it seems -- noted here, but proceeding

Feb 13 13:25:50 router systemd: Stopped firewalld - dynamic firewall daemon.
Feb 13 13:25:53 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/lockd.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d

Feb 13 13:25:53 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/lockd.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the lockd.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012

Feb 13 13:25:53 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/mlx4.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d

Feb 13 13:25:53 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/mlx4.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the mlx4.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012

Feb 13 13:25:53 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/truescale.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d

Feb 13 13:25:53 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/truescale.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the truescale.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012

Feb 13 13:25:53 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/tuned.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d
Feb 13 13:25:53 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/tuned.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the tuned.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012



The 'owning packages' for those files are:

[root@router ~]# rpm -qf /etc/modprobe.d/lockd.conf /etc/modprobe.d/mlx4.conf /etc/modprobe.d/truescale.conf /etc/modprobe.d/tuned.conf 
nfs-utils-1.3.0-0.48.el7_4.1.x86_64
rdma-core-13-7.el7.x86_64
rdma-core-13-7.el7.x86_64
tuned-2.8.0-5.el7_4.2.noarch
[root@router ~]# 

each parent is unaltered:

[root@router ~]# rpm -V nfs-utils rdma-core tuned
[root@router ~]# 

I suggest that your testing be expanded to:
   . install the three packages
   . run: systemctl daemon-reload
(expected to run without exception)
   . systemctl restart iptables ip6tables
( demonstrate SELinux AVCs )


I will clone this comment on this bug into needed SELinux rules requests on the parent packages

--- Additional comment from R P Herrold on 2018-02-13 13:44:05 EST ---

Proposed rule is:

[root@router ~]# cat my-grep.te

module my-grep 1.0;

require {
        type iptables_t;
        type modules_conf_t;
        class file read;
}

#============= iptables_t ==============
allow iptables_t modules_conf_t:file read;
[root@router ~]# 

This single rule covers the nfs-utils, rdma-core, and tuned cases

Comment 1 R P Herrold 2018-02-13 19:19:22 UTC
The needed additional permissions for SELinux turn out to have had some hidden additional parts needed, and I believe a better rule is:


[root@router ~]# cat my-grep.te

module my-grep 1.0;

require {
        type iptables_t;
        type modules_conf_t;
        class file { getattr ioctl open read };
}

#============= iptables_t ==============

#!!!! This avc is allowed in the current policy
allow iptables_t modules_conf_t:file { getattr ioctl open read };
[root@router ~]#

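How the four permissions in the rule above accumulate, and a sanity check worth running before `semodule -i` loads such a module: an added example, not from the bug report, tuned, or the audit2allow tool. It re-implements the aggregation step of `ausearch --raw | audit2allow -M` over constructed audit records (the AVC lines, pids and inode numbers are made up to match the denials described in this report) and flags any generated rule that would grant more than read-style access.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the report) shaped like the denials it
# describes: grep run by the iptables unit (iptables_t) reading modules_conf_t.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1518542753.101:811): avc:  denied  { read } for  pid=3201 comm="grep" name="lockd.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518542753.102:812): avc:  denied  { read } for  pid=3201 comm="grep" name="tuned.conf" dev="dm-0" ino=1235 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518542790.201:820): avc:  denied  { open } for  pid=3240 comm="grep" path="/etc/modprobe.d/mlx4.conf" dev="dm-0" ino=1236 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518542815.301:829): avc:  denied  { getattr ioctl } for  pid=3277 comm="grep" path="/etc/modprobe.d/truescale.conf" dev="dm-0" ino=1237 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1518542815.400:830): pid=794 uid=81 msg='avc:  received setenforce notice (enforcing=1)'
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)"
)
# File permissions that only let a domain inspect a file, never alter it.
READ_ONLY_PERMS = {"getattr", "ioctl", "lock", "open", "read"}

def parse_avc_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def is_read_only(rules):
    """True when every collected rule grants nothing beyond READ_ONLY_PERMS."""
    return all(perms <= READ_ONLY_PERMS for perms in rules.values())

def _braces(perms):
    return "{ " + " ".join(sorted(perms)) + " }"

def render_te_module(name, version, rules):
    """Render the rules as a .te source file in audit2allow's layout."""
    types = sorted({t for key in rules for t in key[:2]})
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_braces(p)};" for c, p in sorted(by_class.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out += [f"#============= {s} ==============",
                f"allow {s} {t}:{cls} {_braces(perms)};"]
    return "\n".join(out) + "\n"
```

In enforcing mode each run stops at the first denied permission, which is why `read` shows up alone first and `open`, `getattr` and `ioctl` only appear on later attempts; collecting all of them before rendering is what produces the Comment 1 rule.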
Comment 2 Milos Malik 2018-02-14 06:06:48 UTC
This is a SELinux policy bug which is already addressed in:
 * https://bugzilla.redhat.com/show_bug.cgi?id=1438937

Comment 3 Jaroslav Škarvada 2018-02-19 00:04:39 UTC

*** This bug has been marked as a duplicate of bug 1438937 ***