Bug 1715844
| Summary: | [dhcpd] execute /lib64/libnss_sss.so.2 AVC denial | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Hagara <phagara> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 7.7 | CC: | lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1716418 (view as bug list) | Environment: | ||
| Last Closed: | 2019-06-03 13:12:43 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
The /lib64/libnss_sss.so.2 is mislabeled. Correct label is: # matchpathcon /lib64/libnss_sss.so.2 /lib64/libnss_sss.so.2 system_u:object_r:lib_t:s0 # Following command will repair the problem: # restorecon -Rv /lib64 Patrick, Could you please confirm that solution from comment#2 is working for you? Thanks, Lukas. Actually, the bug appears to be on the cluster resource agent side -- I'm running this in as a pacemaker cluster resource, sorry for not mentioning that in the description. The resource agent defaults to running dhcpd in a chroot and copies config files and required libraries (libnss_sss.so.2 among them) into the chroot [1]. The "-p/--preserve" option of `cp` does not appear to preserve selinux context of the copied files (unless it's explicitly requested) and so the AVCs occur. IIUC, this should be fixed in the resource agent itself and not selinux-policy. Is that correct? [1] https://github.com/ClusterLabs/resource-agents/blob/master/heartbeat/dhcpd#L331 I'd suggest including xattr into the preserved set or use all, see cp(1):
-p same as --preserve=mode,ownership,timestamps
--preserve[=ATTR_LIST]
preserve the specified attributes (default: mode,ownership,timestamps), if possiā
ble additional attributes: context, links, xattr, all
or alternatively use restorecon after the cp command finishes.
Note -a has "all":
-a, --archive
same as -dR --preserve=all
Thank you. I've cloned this bug for the resource-agents component: bz#1716418. Feel free to close this one. |
Description of problem: dhcpd daemon start produces the following AVC denial: time->Fri May 31 13:57:32 2019 type=PROCTITLE msg=audit(1559303852.249:413): proctitle=6468637064002D6366002F746D702F646863702E636F6E66002D6368726F6F74002F7661722F6C69622F6468637064002D6C66002F64622F64686370642E6C6561736573002D75736572006468637064002D67726F7570006468637064002D7066002F7661722F72756E2F64686370642E7069640064756D6D7930 type=SYSCALL msg=audit(1559303852.249:413): arch=c000003e syscall=9 success=yes exit=140067871424512 a0=0 a1=208490 a2=5 a3=802 items=0 ppid=5987 pid=5988 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dhcpd" exe="/usr/sbin/dhcpd" subj=system_u:system_r:dhcpd_t:s0 key=(null) type=AVC msg=audit(1559303852.249:413): avc: denied { execute } for pid=5988 comm="dhcpd" path="/lib64/libnss_sss.so.2" dev="dm-0" ino=5752596 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:dhcpd_state_t:s0 tclass=file permissive=1 the dhcpd service appears to work, but might be missing some features do to the above when selinux is in enforcing mode (default). Version-Release number of selected component (if applicable): selinux-policy-3.13.1-249.el7.noarch How reproducible: always Steps to Reproduce: 1. install, configure and start dhcpd 2. 3. Actual results: daemon starts, AVC denial logged Expected results: no AVC denials Additional info: