Bug 1895322
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | rhsmcertd_t needs to execute kpatch (kpatch_exec_t) | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Renaud Métrich <rmetrich> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 8.3 | CC | arpandey, byodlows, filbar, hajek, hartsjc, joerg.kastning, jpasqual, lvrabec, marinzrncic, mmalik, mmatsuya, mmilgram, peter.vreman, petr, plautrba, shawnlunny, snejoshi, ssekidde, tscherf, zpytela |
| Target Milestone | rc | Keywords | Triaged |
| Target Release | 8.4 | Flags | arpandey: needinfo- |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | (see below) | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-05-18 14:58:17 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1122832 | | |

Doc Text:

Cause: A new "kpatch fact" feature in subscription-manager in RHEL 8.3 requires executing the kpatch command. As this is a newly requested permission, it was not present in the policy.

Consequence: Subscription manager fails to execute kpatch and keeps reporting a problem.

Fix: Add the permission to execute kpatch with a transition.

Result: The kpatch fact in the subscription manager works as expected.
Description
Renaud Métrich
2020-11-06 10:39:38 UTC
It seems that the following bug contains the reproducer:

* https://bugzilla.redhat.com/show_bug.cgi?id=1894527

The reproducer triggers the following SELinux denial in enforcing mode:

----
type=PROCTITLE msg=audit(11/11/2020 09:10:12.218:3095) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:10:12.218:3095) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:10:12.218:3095) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:10:12.218:3095) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fb7e7e576e0 a1=0x7ffc5aa003b0 a2=0x7ffc5aa003b0 a3=0x1 items=1 ppid=311622 pid=312331 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:10:12.218:3095) : avc: denied { getattr } for pid=312331 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=0
----

The reproducer triggers the following SELinux denials in permissive mode:

----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.820:3100) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:11:35.820:3100) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:11:35.820:3100) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:11:35.820:3100) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7fd25b224718 a1=0x7fff8c3f35c0 a2=0x7fff8c3f35c0 a3=0x1 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:11:35.820:3100) : avc: denied { getattr } for pid=312790 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.827:3101) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:11:35.827:3101) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:11:35.827:3101) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:11:35.827:3101) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fd25b224718 a1=X_OK a2=0x0 a3=0x2 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:11:35.827:3101) : avc: denied { execute } for pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.827:3102) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:11:35.827:3102) : item=0 name=/var/lib/kpatch inode=6415 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:11:35.827:3102) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:11:35.827:3102) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x7fd259d31b30 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:11:35.827:3102) : avc: denied { read } for pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=6415 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_var_lib_t:s0 tclass=dir permissive=1
----

*** Bug 1894527 has been marked as a duplicate of this bug. ***

I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/529

Milosi, kpatch is used to gather information only, so I went the can_exec way, i.e. no test change is required.

Archana Pandey, will you be able to verify the fix is sufficient once we have a RHEL build?

*** Bug 1925643 has been marked as a duplicate of this bug. ***

*** Bug 1927844 has been marked as a duplicate of this bug. ***

*** Bug 1925811 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639
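The three permissive-mode AVC records above are exactly the input a local policy module is derived from while waiting for the errata selinux-policy. The script below is an added example, not code from the bug report, from Red Hat or from the selinux-policy project: it parses AVC records into (source type, target type, class, permissions) tuples and renders them as a minimal `.te` module in the `module NAME 1.0;` syntax that `checkmodule` accepts directly, so the allow rules can be read and reviewed before anything is loaded. This is what `audit2allow -M` does for you; doing it by hand shows which rules a "fix the denials" module actually adds. The module name `local_rhsmcertd_kpatch` is an assumption, and the sample input is the three AVC lines from this bug, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the bug report or of selinux-policy): derive a
# reviewable local policy module from AVC denials. The module name
# "local_rhsmcertd_kpatch" is an assumption; the sample input is constructed
# from the three permissive-mode AVC records in this bug.

# Constructed sample input: the AVC records from the permissive-mode run.
AVC_SAMPLE='type=AVC msg=audit(11/11/2020 09:11:35.820:3100) : avc: denied { getattr } for pid=312790 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/11/2020 09:11:35.827:3101) : avc: denied { execute } for pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/11/2020 09:11:35.827:3102) : avc: denied { read } for pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=6415 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_var_lib_t:s0 tclass=dir permissive=1'

# avc_tuples: read audit records on stdin and print one line per AVC denial:
#   SOURCE_TYPE TARGET_TYPE CLASS PERM [PERM...]
# Non-AVC records (PROCTITLE, PATH, CWD, SYSCALL) are ignored. The type is the
# third colon-separated field of the context (user:role:type:level).
avc_tuples() {
    grep 'avc:  *denied' \
    | sed -n 's/.*denied *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# tuples_to_te: read tuples on stdin and print a minimal .te module named $1:
# a require block listing every type and class used, then one allow rule per
# (source, target, class) with the permissions merged and de-duplicated.
tuples_to_te() {
    tuples=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$tuples" | awk '{ print $1; print $2 }' | sort -u | sed 's/.*/    type &;/'
    printf '%s\n' "$tuples" | awk '
        { for (i = 4; i <= NF; i++) if (!(($3, $i) in seen)) { seen[$3, $i]; p[$3] = p[$3] " " $i } }
        END { for (c in p) print "    class " c " {" p[c] " };" }' | sort
    printf '}\n\n'
    printf '%s\n' "$tuples" | awk '
        { k = $1 " " $2 ":" $3
          for (i = 4; i <= NF; i++) if (!((k, $i) in seen)) { seen[k, $i]; p[k] = p[k] " " $i } }
        END { for (k in p) print "allow " k " {" p[k] " };" }' | sort
}

# Render the module for the sample. On a real host feed it the live denials
# instead, review the printed rules, then build and load the module:
#   ausearch -m AVC -ts recent -i | avc_tuples | tuples_to_te local_rhsmcertd_kpatch > local_rhsmcertd_kpatch.te
#   checkmodule -M -m -o local_rhsmcertd_kpatch.mod local_rhsmcertd_kpatch.te
#   semodule_package -o local_rhsmcertd_kpatch.pp -m local_rhsmcertd_kpatch.mod
#   semodule -i local_rhsmcertd_kpatch.pp
printf '%s\n' "$AVC_SAMPLE" | avc_tuples | tuples_to_te local_rhsmcertd_kpatch
```

For this bug's records the output is two allow rules: `rhsmcertd_t` gets `{ getattr execute }` on `kpatch_exec_t` files and `{ read }` on `kpatch_var_lib_t` directories. Note what that does and does not grant: kpatch runs inside `rhsmcertd_t` with no domain transition, which is the `can_exec` approach mentioned in the comments above, so anything kpatch needs beyond reading `/var/lib/kpatch` would surface as further denials on `rhsmcertd_t` rather than on a kpatch domain. Treat the module as a stop-gap and remove it (`semodule -r local_rhsmcertd_kpatch`) once the errata selinux-policy is installed, so the shipped rules are the only ones in effect.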