Bug 1596141
| Summary: | Selinux cause lsmcli list --type PLUGINS leads to TRANSPORT_COMMUNICATION(400) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Krysl <jkrysl> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.6 | CC: | fge, lvrabec, mgrepl, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-207.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 10:05:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jakub Krysl
2018-06-28 10:04:48 UTC
It should be a bug in the SELinux policy.
The problem is gone after `setenforce 1`.
The output of `ausearch -m AVC,USER_AVC -ts recent` is:
```
time->Thu Jun 28 09:10:28 2018
type=PROCTITLE msg=audit(1530191428.057:231): proctitle="(null)"
type=SYSCALL msg=audit(1530191428.057:231): arch=c000003e syscall=59 success=no exit=-13 a0=5616f84f4310 a1=7ffeffa4c830 a2=7ffeffa4cb10 a3=2 items=0 ppid=11268 pid=11316 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="simc_lsmplugin" exe="/usr/bin/simc_lsmplugin" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1530191428.057:231): avc: denied { map } for pid=11316 comm="simc_lsmplugin" path="/usr/bin/simc_lsmplugin" dev="dm-0" ino=732599 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
```
Issue reproduced on RHEL-7.6-20180626.0:

selinux-policy-3.13.1-204.el7.noarch
libstoragemgmt-1.6.2-2.el7.x86_64

```
----
type=PROCTITLE msg=audit(06/28/2018 09:55:48.209:169) : proctitle=(null)
type=PATH msg=audit(06/28/2018 09:55:48.209:169) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=313037 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/28/2018 09:55:48.209:169) : item=0 name=/usr/bin/simc_lsmplugin inode=13752735 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lsmd_plugin_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/28/2018 09:55:48.209:169) : cwd=/
type=SYSCALL msg=audit(06/28/2018 09:55:48.209:169) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55fb36b07830 a1=0x7ffe16326b00 a2=0x7ffe16326de0 a3=0x2 items=2 ppid=29634 pid=32463 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=simc_lsmplugin exe=/usr/bin/simc_lsmplugin subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(06/28/2018 09:55:48.209:169) : avc: denied { map } for pid=32463 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
----
```
There are no additional SELinux denials visible in permissive mode:
```
----
type=PROCTITLE msg=audit(06/28/2018 09:59:45.987:190) : proctitle=simc_lsmplugin 3
type=PATH msg=audit(06/28/2018 09:59:45.987:190) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=313037 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/28/2018 09:59:45.987:190) : item=0 name=/usr/bin/simc_lsmplugin inode=13752735 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lsmd_plugin_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/28/2018 09:59:45.987:190) : cwd=/
type=EXECVE msg=audit(06/28/2018 09:59:45.987:190) : argc=2 a0=simc_lsmplugin a1=3
type=SYSCALL msg=audit(06/28/2018 09:59:45.987:190) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x558ee18e8830 a1=0x7ffebeea9000 a2=0x7ffebeea92e0 a3=0x2 items=2 ppid=30466 pid=30574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=simc_lsmplugin exe=/usr/bin/simc_lsmplugin subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(06/28/2018 09:59:45.987:190) : avc: denied { map } for pid=30574 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=1
----
```
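An added example, not part of the bug report or of selinux-policy: a small parser that reduces the AVC records quoted above to distinct access vectors, showing that the enforcing and permissive runs hit the same single denial. The function names are hypothetical, and the printed rule is only the candidate a policy reviewer would evaluate, not necessarily the change shipped in the fixed package.

```python
import re
from collections import defaultdict

# Sample input: the raw-format and interpreted-format AVC lines quoted in this report.
SAMPLE = '''\
type=AVC msg=audit(1530191428.057:231): avc: denied { map } for pid=11316 comm="simc_lsmplugin" path="/usr/bin/simc_lsmplugin" dev="dm-0" ino=732599 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/28/2018 09:59:45.987:190) : avc: denied { map } for pid=30574 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    vectors = defaultdict(lambda: {"perms": set(), "enforced": 0, "permissive": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if not m:
            continue
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        entry = vectors[key]
        entry["perms"].update(m["perms"].split())
        # Assumption: a record without a permissive= field counts as enforced.
        entry["permissive" if m["permissive"] == "1" else "enforced"] += 1
    return dict(vectors)

def candidate_rules(vectors):
    """Render each vector in allow-rule syntax for policy review."""
    rules = []
    for (src, tgt, cls), entry in sorted(vectors.items()):
        perms = sorted(entry["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(SAMPLE)):
        print(rule)
```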
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3111