Bug 1703573

Summary: selinux denial against "rhsmcertd-worke"r for "/var/log/yum.log" and "syspurpose.json"
Product: Red Hat Enterprise Linux 7
Reporter: John Sefler <jsefler>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: high
Version: 7.7
CC: amarecek, csnyder, jhnidek, jpazdziora, lvrabec, mmalik, plautrba, qianzhan, ssekidde, vmojzis, wpoteat, zpytela
Target Milestone: rc
Keywords: AutoVerified, Regression
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 12:53:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description John Sefler 2019-04-26 17:58:07 UTC
Description of problem:
The rhsmcertd-worker is causing three AVC denials...


Version-Release number of selected component (if applicable):
[root@kvm-01-guest10 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.7 Beta (Maipo)

[root@kvm-01-guest10 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.24.4-1.el7.x86_64
selinux-policy-3.13.1-244.el7.noarch


How reproducible:


Steps to Reproduce:

[root@kvm-01-guest10 ~]# systemctl stop rhsmcertd.service
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# subscription-manager config --rhsmcertd.splay=0 --logging=DEBUG

FOLLOWING INSTRUCTIONS FROM https://wiki.test.redhat.com/BaseOs/Security/SelinuxTestOnlyBugs#SELinuxHowToTestInstructions

[root@kvm-01-guest10 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# setenforce 1
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# restorecon -Rv /etc /run /var
restorecon reset /etc/sysconfig/anaconda context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/chrony.conf.orig context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/beah_beaker.conf.default context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/beah.conf.default context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon:  Warning no default label for /run/lvmetad.pid
restorecon:  Warning no default label for /run/lock/subsys
restorecon:  Warning no default label for /run/lock/subsys/anamon
restorecon:  Warning no default label for /run/lock/subsys/rhnsd
restorecon:  Warning no default label for /run/lock/subsys/network
restorecon:  Warning no default label for /run/initramfs
restorecon:  Warning no default label for /run/initramfs/rwtab
restorecon:  Warning no default label for /run/initramfs/state
restorecon:  Warning no default label for /run/initramfs/state/var
restorecon:  Warning no default label for /run/initramfs/state/var/lib
restorecon:  Warning no default label for /run/initramfs/state/var/lib/dhclient
restorecon:  Warning no default label for /run/initramfs/state/etc
restorecon:  Warning no default label for /run/initramfs/state/etc/sysconfig
restorecon:  Warning no default label for /run/initramfs/state/etc/sysconfig/network-scripts
restorecon:  Warning no default label for /run/initramfs/.need_shutdown
restorecon:  Warning no default label for /run/initramfs/log
restorecon:  Warning no default label for /var/tmp/systemd-private-498828a95c1d46d0817645193868b377-chronyd.service-swDZQe
restorecon:  Warning no default label for /var/tmp/systemd-private-498828a95c1d46d0817645193868b377-chronyd.service-swDZQe/tmp
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# subscription-manager register --serverurl=subscription.rhsm.stage.redhat.com --username=stage_auto_testuser --servicelevel=Production --auto-attach
Registering to: subscription.rhsm.stage.redhat.com:443/subscription
Password: 
The system has been registered with ID: 8756d15d-fc79-443f-a72e-c6b2c24767bd
The registered system name is: kvm-01-guest10.rhts.eng.tlv.redhat.com
Service level set to: Production
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux Server
Status:       Subscribed

[root@kvm-01-guest10 ~]# systemctl start rhsmcertd.service
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# sleep 120
[root@kvm-01-guest10 ~]# 
[root@kvm-01-guest10 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=PROCTITLE msg=audit(04/26/2019 20:46:23.127:147) : proctitle=/usr/bin/python /usr/libexec/rhsmcertd-worker 
type=SYSCALL msg=audit(04/26/2019 20:46:23.127:147) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x26fa070 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x24 items=0 ppid=22674 pid=22676 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(04/26/2019 20:46:23.127:147) : avc:  denied  { open } for  pid=22676 comm=rhsmcertd-worke path=/var/log/yum.log dev="dm-0" ino=58656 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/26/2019 20:46:27.182:148) : proctitle=/usr/bin/python /usr/libexec/rhsmcertd-worker 
type=SYSCALL msg=audit(04/26/2019 20:46:27.182:148) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f6c004efa54 a1=O_RDWR|O_CREAT|O_TRUNC a2=0666 a3=0xfffffff8 items=0 ppid=22674 pid=22676 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(04/26/2019 20:46:27.182:148) : avc:  denied  { write } for  pid=22676 comm=rhsmcertd-worke name=syspurpose.json dev="dm-0" ino=100667887 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/26/2019 20:46:30.912:149) : proctitle=/usr/bin/python /usr/libexec/rhsmcertd-worker --autoheal 
type=SYSCALL msg=audit(04/26/2019 20:46:30.912:149) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7fde19454aa4 a1=O_RDWR|O_CREAT|O_TRUNC a2=0666 a3=0xfffffff8 items=0 ppid=22674 pid=22729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(04/26/2019 20:46:30.912:149) : avc:  denied  { write } for  pid=22729 comm=rhsmcertd-worke name=syspurpose.json dev="dm-0" ino=100667887 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0 
[root@kvm-01-guest10 ~]# 


Actual results:
  shown above
  Once the rhsmcertd.service triggers the rhsmcertd-worker to run, AVC denials are logged to /var/log/audit/audit.log

Expected results:
  no AVC denials from "rhsmcertd-worke"r

Additional info:

[root@kvm-01-guest10 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1556300783.127:147): avc:  denied  { open } for  pid=22676 comm="rhsmcertd-worke" path="/var/log/yum.log" dev="dm-0" ino=58656 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556300787.182:148): avc:  denied  { write } for  pid=22676 comm="rhsmcertd-worke" name="syspurpose.json" dev="dm-0" ino=100667887 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556300790.912:149): avc:  denied  { write } for  pid=22729 comm="rhsmcertd-worke" name="syspurpose.json" dev="dm-0" ino=100667887 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
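
As an added example (not code from the bug report, subscription-manager or selinux-policy), a small Python parser for raw audit.log AVC records like the three above: it groups denials by source type, target type and object class and renders the equivalent TE allow rules for triage. The sample input reuses the three AVC lines from this report plus one constructed SYSCALL line to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records from the audit.log excerpt above, plus one
# constructed SYSCALL record to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1556300783.127:147): avc:  denied  { open } for  pid=22676 comm="rhsmcertd-worke" path="/var/log/yum.log" dev="dm-0" ino=58656 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556300787.182:148): avc:  denied  { write } for  pid=22676 comm="rhsmcertd-worke" name="syspurpose.json" dev="dm-0" ino=100667887 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1556300790.912:149): avc:  denied  { write } for  pid=22729 comm="rhsmcertd-worke" name="syspurpose.json" dev="dm-0" ino=100667887 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1556300790.912:149): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the fixed prefix of an AVC record; the remaining key=value pairs are split by KV_RE.
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+(?P<result>denied|granted)\s+'
                    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted (raw log) or bare (ausearch -i)

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    fields['result'] = m.group('result')
    return fields

def context_type(ctx):
    return ctx.split(':')[2]  # user:role:type:level -> type

def summarize_denials(log_text):
    """Group denied AVCs by (source type, target type, class); collect perms, comm and objects."""
    groups = defaultdict(lambda: {'perms': set(), 'comm': set(), 'objects': set(), 'count': 0})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if not avc or avc['result'] != 'denied':
            continue
        g = groups[(context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass'])]
        g['perms'].update(avc['perms'])
        g['comm'].add(avc.get('comm', '?'))
        g['objects'].add(avc.get('path') or avc.get('name') or '?')
        g['count'] += 1
    return dict(groups)

def render_allow_rules(groups):
    """Render each group as a TE allow rule (the shape audit2allow prints) for triage only;
    a rule on a generic label such as etc_t is usually far broader than the real fix needs."""
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(g['perms'])))
                  for (s, t, c), g in groups.items())
```

The second group shows that syspurpose.json carries the generic etc_t label, so a blanket write rule on etc_t would grant far more than this bug needs; the rendered rules are a starting point for triage, not policy to ship.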

Comment 8 Chris Snyder 2019-05-02 15:54:52 UTC
*** Bug 1703920 has been marked as a duplicate of this bug. ***

Comment 11 William Poteat 2019-05-15 18:37:18 UTC
https://github.com/fedora-selinux/selinux-policy-contrib/commit/897a71f46a4b921d4ea73f3892f3bff3a941d793

This is what fixed the issue in Fedora for the syspurpose part. Apply to selinux policy.

Comment 22 John Sefler 2019-05-31 13:26:50 UTC
*** Bug 1715661 has been marked as a duplicate of this bug. ***

Comment 24 errata-xmlrpc 2019-08-06 12:53:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127