Bug 1765077

Summary: init.d scripts not allowed to create files in /var/log/
Product: Red Hat Enterprise Linux 8
Reporter: Tomas Hofman <thofman>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: Reopened
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2019-12-11 15:12:09 UTC
Type: Bug

Description Tomas Hofman 2019-10-24 10:04:36 UTC
Description of problem:

The init.d script that we provide with JBoss EAP fails because it is denied permission to create the log file /var/log/jboss-eap/console.log:

https://github.com/jbossas/jboss-eap7/blob/EAP_7.2.5.CR1-dev/feature-pack/src/main/resources/content/bin/init.d/jboss-eap-rhel.sh#L104

The directory /var/log/jboss-eap is, however, created successfully.


The init script starts to work after installing the following SELinux policy module:

#---
module my-jbosseaprhel 1.0;

require {
	type var_log_t;
	type init_t;
	class file create;
}

allow init_t var_log_t:file create;
#---

Now the question I'm not sure about is: should this be allowed by default, or is it intentional that the init process can't create files in /var/log?


How reproducible:

Always.

Steps to Reproduce:

* On a clean RHEL 8 installation, download jboss-eap: http://download.eng.brq.redhat.com/released/JBoss-middleware/eap7/7.2.4/jboss-eap-7.2.4.zip
* unzip and copy to /opt/jboss-eap
* copy /opt/jboss-eap/bin/init.d/jboss-eap-rhel.sh to /etc/init.d/
* copy /opt/jboss-eap/bin/init.d/jboss-eap.conf to /etc/default/
* run `chkconfig --add jboss-eap-rhel.sh`
* run `service jboss-eap-rhel start`

Actual results:

Service fails with:

"
Job for jboss-eap-rhel.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status jboss-eap-rhel.service" and "journalctl -xe" for details.
"

Expected results:

Service is started successfully.

Additional info:

[root@ibm-p8-kvm-03-guest-02 ~]# systemctl status jboss-eap-rhel.service
● jboss-eap-rhel.service - SYSV: JBoss EAP startup script
   Loaded: loaded (/etc/rc.d/init.d/jboss-eap-rhel.sh; generated)
   Active: failed (Result: protocol) since Thu 2019-10-24 05:56:42 EDT; 8s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 27142 ExecStart=/etc/rc.d/init.d/jboss-eap-rhel.sh start (code=exited, status=0/SUCCESS)

Oct 24 05:56:10 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Starting SYSV: JBoss EAP startup script...
Oct 24 05:56:11 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: Starting jboss-eap: /etc/rc.d/init.d/jboss-eap-rhel.sh: line 104: /var/log/jboss-eap/console.log: Permission den>
Oct 24 05:56:11 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: /etc/rc.d/init.d/jboss-eap-rhel.sh: line 113: /var/log/jboss-eap/console.log: Permission denied
Oct 24 05:56:11 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: /
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: jboss-eap started with errors, please see server log for details
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: [  OK  ]
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: jboss-eap-rhel.service: Can't open PID file /var/run/jboss-eap/jboss-eap.pid (yet?) after start: No such file or directory
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: jboss-eap-rhel.service: Failed with result 'protocol'.
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Failed to start SYSV: JBoss EAP startup script.



[root@ibm-p8-kvm-03-guest-02 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=PROCTITLE msg=audit(24/10/19 05:56:10.999:327) : proctitle=/bin/sh /etc/rc.d/init.d/jboss-eap-rhel.sh start 
type=SYSCALL msg=audit(24/10/19 05:56:10.999:327) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563a645c2f40 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=27142 pid=27152 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jboss-eap-rhel. exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(24/10/19 05:56:10.999:327) : avc:  denied  { create } for  pid=27152 comm=jboss-eap-rhel. name=console.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(24/10/19 05:56:11.007:328) : proctitle=/bin/sh /etc/rc.d/init.d/jboss-eap-rhel.sh start 
type=SYSCALL msg=audit(24/10/19 05:56:11.007:328) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563a645c64a0 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=0 ppid=1 pid=27142 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jboss-eap-rhel. exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(24/10/19 05:56:11.007:328) : avc:  denied  { create } for  pid=27142 comm=jboss-eap-rhel. name=console.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 



[root@ibm-p8-kvm-03-guest-02 ~]# matchpathcon /var/log/jboss-eap /var/log/jboss-eap/console.log
/var/log/jboss-eap	system_u:object_r:var_log_t:s0
/var/log/jboss-eap/console.log	system_u:object_r:var_log_t:s0



[root@ibm-p8-kvm-03-guest-02 ~]# ls -ldZ /var/log/jboss-eap
drwxr-xr-x. 2 root root system_u:object_r:var_log_t:s0 6 Oct 24 05:56 /var/log/jboss-eap

Comment 1 Tomas Hofman 2019-10-24 10:12:44 UTC
Related JBoss EAP issue is https://issues.jboss.org/browse/JBEAP-17752

Comment 2 Lukas Vrabec 2019-10-24 14:27:55 UTC
Tomas, 

What is SELinux context of /etc/init.d/jboss-eap-rhel.sh ? 

# ls -Z /etc/init.d/jboss-eap-rhel.sh

If it's not bin_t, please run:

# chcon -t bin_t /etc/init.d/jboss-eap-rhel.sh

and try to restart the service.

Comment 3 Tomas Hofman 2019-10-24 17:19:07 UTC
Yes, that did the trick. It was etc_t, not bin_t. The service starts after fixing this. I will suggest updating EAP docs.

[root@ibm-p8-kvm-03-guest-02 ~]# ls -Z /etc/init.d/jboss-eap-rhel.sh 
unconfined_u:object_r:etc_t:s0 /etc/init.d/jboss-eap-rhel.sh
[root@ibm-p8-kvm-03-guest-02 ~]# chcon -t bin_t /etc/init.d/jboss-eap-rhel.sh
[root@ibm-p8-kvm-03-guest-02 ~]# ls -Z /etc/init.d/jboss-eap-rhel.sh 
unconfined_u:object_r:bin_t:s0 /etc/init.d/jboss-eap-rhel.sh

Thank you!

Comment 4 Lukas Vrabec 2019-10-25 08:12:28 UTC
Tomas, 

What I proposed is just a temporary change. If you would like to update the EAP docs, please propose the following (permanent) solution:

# semanage fcontext -a -t bin_t /etc/init.d/jboss-eap-rhel.sh
# restorecon -v /etc/init.d/jboss-eap-rhel.sh

Thanks,
Lukas.

Comment 5 Tomas Hofman 2019-10-25 09:24:07 UTC
I see, it would be lost during relabeling...

So I'm experimenting a bit more, and I noticed that after copying the init script to /etc/init.d/ it has type etc_t, but when I run restorecon on it, without setting an fcontext at all, the type changes to initrc_exec_t, and with this type the script runs correctly too.


[root@rama init.d]# cp /opt/jboss-eap/bin/init.d/jboss-eap-rhel.sh ./

[root@rama init.d]# ls -Z -1
        system_u:object_r:bin_t:s0 functions
    unconfined_u:object_r:etc_t:s0 jboss-eap-rhel.sh
system_u:object_r:initrc_exec_t:s0 network
system_u:object_r:initrc_exec_t:s0 README

[root@rama init.d]# restorecon -v jboss-eap-rhel.sh 
Relabeled /etc/rc.d/init.d/jboss-eap-rhel.sh from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:initrc_exec_t:s0

[root@rama init.d]# ls -Z -1
            system_u:object_r:bin_t:s0 functions
unconfined_u:object_r:initrc_exec_t:s0 jboss-eap-rhel.sh
    system_u:object_r:initrc_exec_t:s0 network
    system_u:object_r:initrc_exec_t:s0 README


Technically, is initrc_exec_t "more correct" file type than bin_t?

In that case the only command we would need to add after copying the init script is

# restorecon /etc/init.d/jboss-eap-rhel.sh

Is that all right, or is it better to set fcontext explicitly?

Comment 6 Lukas Vrabec 2019-10-25 11:00:13 UTC
Hi Tomas, 

Well, initrc_t comes from RHEL-6. We're trying to keep all services for which we don't have an SELinux policy in unconfined_service_t.

The difference is: when systemd, labeled as init_t, executes a binary labeled as initrc_exec_t, the newly created (service) process gets the initrc_t label.

Here is a record from SELinux policy:
# sesearch -T -s init_t -t initrc_exec_t -c process
type_transition init_t initrc_exec_t:process initrc_t;

But when you label the binary as bin_t, the situation is different. When systemd, labeled as init_t, executes a binary labeled as bin_t, the newly created (service) process gets the unconfined_service_t label.

Similar record from policy:
# sesearch -T -s init_t -t bin_t -c process
type_transition init_t bin_t:process unconfined_service_t;

I prefer to keep it as unconfined_service_t.

Thanks,
Lukas.
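The two type_transition rules Lukas quotes, applied to the AVC record from the description, as an added shell example (not part of the bug report; the function names are my own): it reads the type out of a context string, predicts which domain a service gets under each label, and flags the pattern this report shows, an init script that never left init_t being denied file creation under var_log_t. The AVC sample and the before/after labels are copied from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report. Function names are my own;
# the transition rules mirror the sesearch output quoted in Comment 6.

# Constructed samples: the AVC record from the description and the init
# script's label before (etc_t) and after (bin_t) the chcon in Comment 3.
AVC_SAMPLE='type=AVC msg=audit(24/10/19 05:56:10.999:327) : avc:  denied  { create } for  pid=27152 comm=jboss-eap-rhel. name=console.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'
SCRIPT_CTX_BEFORE='unconfined_u:object_r:etc_t:s0'
SCRIPT_CTX_AFTER='unconfined_u:object_r:bin_t:s0'

# Type field (third colon-separated field) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Domain a service process gets when systemd (init_t) executes a file of
# the given type, per the two type_transition rules in Comment 6. Any other
# type has no rule on this page, so the process simply stays in init_t,
# which is what the AVC's scontext shows for the etc_t-labeled script.
domain_for_exec_type() {
    case "$1" in
        initrc_exec_t) echo initrc_t ;;
        bin_t)         echo unconfined_service_t ;;
        *)             echo init_t ;;
    esac
}

# Value of the key=value field $2 in AVC record $1 (e.g. scontext, tclass).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Returns 0 when the AVC matches the mislabeled-init-script pattern from the
# report: the script's label yields no transition (still init_t) and the
# denial is a file create under var_log_t by an init_t process.
diagnose() {
    domain=$(domain_for_exec_type "$(ctx_type "$1")")
    s=$(ctx_type "$(avc_field "$2" scontext)")
    t=$(ctx_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    if [ "$domain" = init_t ] && [ "$s" = init_t ] \
        && [ "$t" = var_log_t ] && [ "$cls" = file ]; then
        return 0
    fi
    return 1
}

if diagnose "$SCRIPT_CTX_BEFORE" "$AVC_SAMPLE"; then
    echo "init script has no transition label; fix: semanage fcontext -a -t bin_t <script>; restorecon -v <script>"
fi
```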

Comment 7 Tomas Hofman 2019-12-11 16:11:12 UTC
Thanks for the replies, Lukas!