Bug 1701158

Summary: SELinux prevents rotatelogs (httpd_rotatelogs_t) from executing and mmap()-ing the gzip command
Product: Red Hat Enterprise Linux 8
Reporter: Branislav Náter <bnater>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: low
Version: 8.0
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Target Release: 8.1
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-3.el8
Doc Type: If docs needed, set a value
Last Closed: 2019-11-05 22:11:10 UTC
Type: Bug
Bug Depends On: 1673107

Description Branislav Náter 2019-04-18 09:06:18 UTC
Description of problem:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.1-61.el8.noarch
----
time->Tue Apr 16 18:51:32 2019
type=PROCTITLE msg=audit(1555433492.147:748): proctitle="(null)"
type=PATH msg=audit(1555433492.147:748): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=3911 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1555433492.147:748): item=0 name="/bin/gzip" inode=100918752 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1555433492.147:748): cwd="/etc/httpd"
type=SYSCALL msg=audit(1555433492.147:748): arch=c000003e syscall=59 success=no exit=-13 a0=7fffcef24ef8 a1=7fffcef11bc0 a2=7fffcef22f18 a3=8 items=2 ppid=27731 pid=27732 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gzip" exe="/usr/bin/gzip" subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null)
type=AVC msg=audit(1555433492.147:748): avc:  denied  { map } for  pid=27732 comm="gzip" path="/usr/bin/gzip" dev="dm-0" ino=100918752 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch

How reproducible:
Using automated test /CoreOS/httpd/Regression/bz1401694-rotatelogs-creation-of-zombie-processes-when-p

Comment 1 Zdenek Pytela 2019-04-18 09:25:32 UTC
Hi,

Thank you for reporting the issue. Could you please make the domain permissive:

semanage permissive -a httpd_rotatelogs_t

reproduce the scenario and gather all audit logs?

ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Comment 2 Branislav Náter 2019-04-18 09:32:36 UTC
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=USER_AVC msg=audit(04/18/2019 05:30:52.658:471) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=6)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.498:473) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=7)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.656:476) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=8)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:477) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:478) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:479) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:480) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=7)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:481) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=8)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(04/18/2019 05:31:22.035:484) : proctitle=/bin/gzip /var/log/httpd/errorX.1555565482 
type=PATH msg=audit(04/18/2019 05:31:22.035:484) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=4215935 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(04/18/2019 05:31:22.035:484) : item=0 name=/bin/gzip inode=2290401 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/18/2019 05:31:22.035:484) : cwd=/etc/httpd 
type=EXECVE msg=audit(04/18/2019 05:31:22.035:484) : argc=2 a0=/bin/gzip a1=/var/log/httpd/errorX.1555565482 
type=SYSCALL msg=audit(04/18/2019 05:31:22.035:484) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc8a3bbef9 a1=0x7ffc8a3a9cd0 a2=0x7ffc8a3bb028 a3=0x8 items=2 ppid=26713 pid=26714 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gzip exe=/usr/bin/gzip subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null) 
type=AVC msg=audit(04/18/2019 05:31:22.035:484) : avc:  denied  { map } for  pid=26714 comm=gzip path=/usr/bin/gzip dev="vda1" ino=2290401 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
type=USER_AVC msg=audit(04/18/2019 05:31:53.382:487) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=9)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:53.516:490) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=10)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'

Comment 3 Milos Malik 2019-04-18 09:48:19 UTC
# matchpathcon /usr/sbin/rotatelogs 
/usr/sbin/rotatelogs	system_u:object_r:httpd_rotatelogs_exec_t:s0
#

Because the SELinux policy defines only the following process transitions related to rotatelogs:

# sesearch -t httpd_rotatelogs_exec_t -T
type_transition cluster_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition condor_startd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition glusterd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition httpd_sys_script_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition httpd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition init_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition initrc_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition kdumpctl_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition openshift_initrc_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition piranha_pulse_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
#

I used the following reproducer instead of the automated TC:

# runcon system_u:system_r:initrc_t:s0 bash -c "/usr/sbin/rotatelogs -l -p /bin/gzip -f -L /var/log/httpd/error_log /var/log/httpd/errorX 100B"

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(04/18/2019 11:38:14.946:209) : proctitle=/usr/sbin/rotatelogs -l -p /bin/gzip -f -L /var/log/httpd/error_log /var/log/httpd/errorX 100B 
type=PATH msg=audit(04/18/2019 11:38:14.946:209) : item=0 name=/bin/gzip inode=356193 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/18/2019 11:38:14.946:209) : cwd=/root 
type=SYSCALL msg=audit(04/18/2019 11:38:14.946:209) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc88e48ca7 a1=X_OK a2=0x7ffc88e35a50 a3=0x0 items=1 ppid=3452 pid=3592 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rotatelogs exe=/usr/sbin/rotatelogs subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null) 
type=AVC msg=audit(04/18/2019 11:38:14.946:209) : avc:  denied  { execute } for  pid=3592 comm=rotatelogs name=gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/18/2019 11:38:14.946:210) : proctitle=/bin/gzip /var/log/httpd/errorX.1555587494 
type=PATH msg=audit(04/18/2019 11:38:14.946:210) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8409478 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(04/18/2019 11:38:14.946:210) : item=0 name=/bin/gzip inode=356193 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/18/2019 11:38:14.946:210) : cwd=/root 
type=EXECVE msg=audit(04/18/2019 11:38:14.946:210) : argc=2 a0=/bin/gzip a1=/var/log/httpd/errorX.1555587494 
type=SYSCALL msg=audit(04/18/2019 11:38:14.946:210) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc88e48ca7 a1=0x7ffc88e35a50 a2=0x7ffc88e46da8 a3=0x8 items=2 ppid=3592 pid=3599 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=gzip exe=/usr/bin/gzip subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null) 
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc:  denied  { map } for  pid=3599 comm=gzip path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc:  denied  { execute_no_trans } for  pid=3599 comm=rotatelogs path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
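As an added example (not part of this bug report or of the selinux-policy package), the Python below parses the AVC records quoted above, aggregates the denied permissions per source type, target type and object class, and renders the result as the single allow rule they amount to, which is the shape a policy maintainer checks a report against. The `SAMPLE_AVCS` list is constructed input copied from the denials in this bug, in both the raw audit.log form and the `ausearch -i` interpreted form.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this bug (one raw, three interpreted).
SAMPLE_AVCS = [
    'type=AVC msg=audit(04/18/2019 11:38:14.946:209) : avc:  denied  { execute } for  pid=3592 comm=rotatelogs name=gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc:  denied  { map } for  pid=3599 comm=gzip path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc:  denied  { execute_no_trans } for  pid=3599 comm=rotatelogs path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1555433492.147:748): avc:  denied  { map } for  pid=27732 comm="gzip" path="/usr/bin/gzip" dev="dm-0" ino=100918752 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value tokens, quoted or bare


def parse_avc(line):
    """Split one AVC record into verdict, permission set and key=value fields; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    rec['verdict'] = m.group('verdict')
    rec['perms'] = set(m.group('perms').split())
    return rec


def type_of(context):
    """system_u:system_r:httpd_rotatelogs_t:s0 -> httpd_rotatelogs_t (the type field of a context)."""
    return context.split(':')[2]


def summarize(lines):
    """Aggregate denied permissions per (source type, target type, class); flag if any was enforced."""
    summary = defaultdict(lambda: {'perms': set(), 'enforced': False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        summary[key]['perms'] |= rec['perms']
        if rec.get('permissive') == '0':   # permissive=0 means the access was actually blocked
            summary[key]['enforced'] = True
    return dict(summary)


def allow_rules(summary):
    """Render each aggregated entry as the allow rule it amounts to, for a policy maintainer to review."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
                  for (s, t, c), v in summary.items())
```

Running `allow_rules(summarize(SAMPLE_AVCS))` collapses the three distinct denials into one `allow httpd_rotatelogs_t bin_t:file { execute execute_no_trans map };` line, and the `enforced` flag distinguishes the enforcing-mode denial in the description from the permissive-mode ones gathered afterwards.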

Comment 10 errata-xmlrpc 2019-11-05 22:11:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547