Bug 1692564

Summary: SELinux is preventing dogtag-submit from getattr access on the filesystem /
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.7
Target Release: 7.8
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: medium
Keywords: AutoVerified, Regression
Type: Bug
Reporter: Lukas Slebodnik <lslebodn>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, mpitt, mvarun, ndehadra, plautrba, rcritten, ssekidde, vmojzis, zpytela
Fixed In Version: selinux-policy-3.13.1-253.el7
Doc Type: If docs needed, set a value
Last Closed: 2020-03-31 19:10:44 UTC

Description Lukas Slebodnik 2019-03-25 21:36:51 UTC
SELinux is preventing dogtag-submit from getattr access on the filesystem /.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dogtag-submit should be allowed getattr access on the filesystem by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'dogtag-submit' --raw | audit2allow -M my-dogtagsubmit
# semodule -i my-dogtagsubmit.pp

Additional Information:
Source Context                system_u:system_r:certmonger_t:s0
Target Context                system_u:object_r:fs_t:s0
Target Objects                / [ filesystem ]
Source                        dogtag-submit
Source Path                   dogtag-submit
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           
Target RPM Packages           filesystem-3.2-25.el7.x86_64
Policy RPM                    selinux-policy-3.13.1-241.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com 3.10.0-1030.el7.x86_64 #1 SMP Fri Mar 22 00:50:47 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-03-25 17:17:54 EDT
Last Seen                     2019-03-25 17:20:27 EDT
Local ID                      2d25daaf-d625-497f-b7e8-f295746aa33b

Raw Audit Messages
type=AVC msg=audit(1553548827.8:499): avc:  denied  { getattr } for  pid=24344 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1


Hash: dogtag-submit,certmonger_t,fs_t,filesystem,getattr

Comment 2 Lukas Slebodnik 2019-03-25 21:40:41 UTC
time->Mon Mar 25 17:17:41 2019
type=PROCTITLE msg=audit(1553548661.087:463): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D636166696C65002F7661722F6C69622F6970612F746D7059634B677867002D2D65652D75726C00687474703A2F2F6B766D2D30342D677565737431302E7465737472656C6D2E746573743A383038302F63612F65652F6361
type=PATH msg=audit(1553548661.087:463): item=0 name="/etc/pki/nssdb/cert9.db" inode=359033 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1553548661.087:463):  cwd="/"
type=SYSCALL msg=audit(1553548661.087:463): arch=c000003e syscall=137 success=no exit=-13 a0=56080f6e5c88 a1=7ffc90dc7250 a2=0 a3=7fe539c017b8 items=1 ppid=21366 pid=21674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1553548661.087:463): avc:  denied  { getattr } for  pid=21674 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
----
time->Mon Mar 25 17:17:41 2019
type=PROCTITLE msg=audit(1553548661.186:464): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D636166696C65002F7661722F6C69622F6970612F746D7059634B677867002D2D65652D75726C00687474703A2F2F6B766D2D30342D677565737431302E7465737472656C6D2E746573743A383038302F63612F65652F6361
type=PATH msg=audit(1553548661.186:464): item=0 name="/etc/pki/nssdb/key4.db" inode=359035 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1553548661.186:464):  cwd="/"
type=SYSCALL msg=audit(1553548661.186:464): arch=c000003e syscall=137 success=no exit=-13 a0=56080f726628 a1=7ffc90dc7250 a2=0 a3=0 items=1 ppid=21366 pid=21674 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1553548661.186:464): avc:  denied  { getattr } for  pid=21674 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0

Comment 3 Lukas Slebodnik 2019-03-25 21:41:08 UTC
And permissive mode:

time->Mon Mar 25 17:17:54 2019
type=PROCTITLE msg=audit(1553548674.460:462): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D636166696C65002F7661722F6C69622F6970612F746D704148495F3178002D2D65652D75726C00687474703A2F2F6B766D2D30322D677565737432302E7465737472656C6D2E746573743A383038302F63612F65652F6361
type=PATH msg=audit(1553548674.460:462): item=0 name="/etc/pki/nssdb/cert9.db" inode=403001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1553548674.460:462):  cwd="/"
type=SYSCALL msg=audit(1553548674.460:462): arch=c000003e syscall=137 success=yes exit=0 a0=562a93ac2c88 a1=7ffe37f645b0 a2=0 a3=7fc1ea41c7b8 items=1 ppid=21419 pid=21730 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1553548674.460:462): avc:  denied  { getattr } for  pid=21730 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
time->Mon Mar 25 17:19:22 2019
type=PROCTITLE msg=audit(1553548762.549:468): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D65652D75726C0068747470733A2F2F6B766D2D30322D677565737432302E7465737472656C6D2E746573743A383434332F63612F65652F6361002D2D6365727466696C65002F7661722F6C69622F6970612F72612D616765
type=PATH msg=audit(1553548762.549:468): item=0 name="/etc/pki/nssdb/cert9.db" inode=403001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1553548762.549:468):  cwd="/"
type=SYSCALL msg=audit(1553548762.549:468): arch=c000003e syscall=137 success=yes exit=0 a0=56503dc269b8 a1=7ffe924fdd20 a2=0 a3=7f40b14617b8 items=1 ppid=21419 pid=23090 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1553548762.549:468): avc:  denied  { getattr } for  pid=23090 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
time->Mon Mar 25 17:20:12 2019
type=PROCTITLE msg=audit(1553548812.394:490): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D65652D75726C0068747470733A2F2F6B766D2D30322D677565737432302E7465737472656C6D2E746573743A383434332F63612F65652F6361002D2D6365727466696C65002F7661722F6C69622F6970612F72612D616765
type=PATH msg=audit(1553548812.394:490): item=0 name="/etc/pki/nssdb/cert9.db" inode=403001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cert_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1553548812.394:490):  cwd="/"
type=SYSCALL msg=audit(1553548812.394:490): arch=c000003e syscall=137 success=yes exit=0 a0=5639cc043338 a1=7ffe5a1615f0 a2=0 a3=7f15c643e7b8 items=1 ppid=21419 pid=24030 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-submit" exe="/usr/libexec/certmonger/dogtag-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1553548812.394:490): avc:  denied  { getattr } for  pid=24030 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
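The ausearch records in comments 2 and 3, read by a small parser written here as an added example (it is not part of the bug report, certmonger or selinux-policy): it groups raw audit lines by their serial number, decodes the hex-encoded PROCTITLE back into the argv of the denied process, and records whether each AVC denial was enforced (permissive=0, the call failed with EACCES) or only logged (permissive=1). The sample text is constructed from the serial 463 and 462 records above.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in ausearch --raw layout: PROCTITLE + AVC of serial 463 (enforcing,
# comment 2) and the AVC of serial 462 (permissive, comment 3); hex copied from the records.
SAMPLE = """\
type=PROCTITLE msg=audit(1553548661.087:463): proctitle=2F7573722F6C6962657865632F636572746D6F6E6765722F646F677461672D7375626D6974002D2D636166696C65002F7661722F6C69622F6970612F746D7059634B677867002D2D65652D75726C00687474703A2F2F6B766D2D30342D677565737431302E7465737472656C6D2E746573743A383038302F63612F65652F6361
type=AVC msg=audit(1553548661.087:463): avc:  denied  { getattr } for  pid=21674 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1553548674.460:462): avc:  denied  { getattr } for  pid=21730 comm="dogtag-submit" name="/" dev="dm-0" ino=64 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]*) \}")
@dataclass
class Denial:
    serial: int
    perms: list
    fields: dict
    argv: list = field(default_factory=list)

    def enforced(self) -> bool:
        # permissive=0 means the kernel refused the call (the SYSCALL record shows exit=-13)
        return self.fields.get("permissive") == "0"

def decode_proctitle(value: str) -> list:
    # auditd hex-encodes proctitle when it holds non-printables (NUL argv separators); a printable title is a quoted string
    if value.startswith('"'):
        return value.strip('"').split(" ")
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def parse_audit(text: str) -> list:
    """Group raw audit lines by serial; return one Denial per 'avc: denied' record."""
    denials, proctitles = {}, {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # ausearch's "time->" and "----" separator lines
        rtype, serial, body = m.group(1), int(m.group(3)), m.group(4)
        raw = dict(KV.findall(body))
        if rtype == "PROCTITLE":
            proctitles[serial] = decode_proctitle(raw["proctitle"])
        elif rtype == "AVC":
            a = AVC.search(body)
            if a and a.group(1) == "denied":
                fields = {k: v.strip('"') for k, v in raw.items()}
                denials[serial] = Denial(serial, a.group(2).split(), fields)
    for serial, d in denials.items():
        d.argv = proctitles.get(serial, [])  # argv of the process that was denied
    return sorted(denials.values(), key=lambda d: d.serial)
```

Feeding it the real `ausearch -c 'dogtag-submit' --raw` output shows at a glance which denials actually broke certificate enrollment and with which CA URL the helper was invoked.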

Comment 4 Zdenek Pytela 2019-03-27 13:17:17 UTC
*** Bug 1693280 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2019-04-03 07:01:37 UTC
*** Bug 1695444 has been marked as a duplicate of this bug. ***

Comment 15 Varun Mylaraiah 2019-04-09 07:37:47 UTC
I have noticed the AVC denial below while running the test on RHEL 7.7

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
selinux-policy-3.13.1-242.el7.noarch
----
time->Mon Apr  8 06:26:46 2019
type=USER_AVC msg=audit(1554719206.475:538): pid=985 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.30 spid=23521 tpid=23520 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 16 Lukas Slebodnik 2019-04-09 08:29:45 UTC
(In reply to Varun Mylaraiah from comment #15)
> I have noticed the AVC denial below while running the test on RHEL 7.7
> 
> 
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      31
> selinux-policy-3.13.1-242.el7.noarch
> ----
> time->Mon Apr  8 06:26:46 2019
> type=USER_AVC msg=audit(1554719206.475:538): pid=985 uid=81 auid=4294967295
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.30
> spid=23521 tpid=23520 scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=dbus 
> exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

This one is unrelated to certmonger.

Please file a new BZ and ideally provide a deterministic reproducer.
And IIRC systemd_hostnamed is not supported in rhel7

Comment 17 Lukas Slebodnik 2019-04-09 09:23:49 UTC
(In reply to Lukas Slebodnik from comment #16)
> (In reply to Varun Mylaraiah from comment #15)
> > I have noticed the AVC denial below while running the test on RHEL 7.7
> > 
> > 
> > SELinux status:                 enabled
> > SELinuxfs mount:                /sys/fs/selinux
> > SELinux root directory:         /etc/selinux
> > Loaded policy name:             targeted
> > Current mode:                   enforcing
> > Mode from config file:          enforcing
> > Policy MLS status:              enabled
> > Policy deny_unknown status:     allowed
> > Max kernel policy version:      31
> > selinux-policy-3.13.1-242.el7.noarch
> > ----
> > time->Mon Apr  8 06:26:46 2019
> > type=USER_AVC msg=audit(1554719206.475:538): pid=985 uid=81 auid=4294967295
> > ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> > msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.30
> > spid=23521 tpid=23520 scontext=system_u:system_r:systemd_hostnamed_t:s0
> > tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=dbus 
> > exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
> 
> This one is unrelated to certmonger.
> 
> Please file a new BZ and ideally provide a deterministic reproducer.
> And IIRC systemd_hostnamed is not supported in rhel7

Sorry for the confusion, systemd-resolved and systemd-networkd are not supported on el7.

Comment 18 Lukas Vrabec 2019-04-23 08:49:49 UTC
*** Bug 1702170 has been marked as a duplicate of this bug. ***

Comment 29 errata-xmlrpc 2020-03-31 19:10:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1007