Bug 1895322
| Summary: | rhsmcertd_t needs to execute kpatch (kpatch_exec_t) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.3 | CC: | arpandey, byodlows, filbar, hajek, hartsjc, joerg.kastning, jpasqual, lvrabec, marinzrncic, mmalik, mmatsuya, mmilgram, peter.vreman, petr, plautrba, shawnlunny, snejoshi, ssekidde, tscherf, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.4 | Flags: | arpandey:
needinfo-
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
A new "kpatch fact" feature in subscription-manager in RHEL 8.3 requires to execute the kpatch command. As this is a newly requested permission, it was not presnet in the policy.
Consequence:
Subscription manager fails to execute kpatch and keeps reporting a problem.
Fix:
Add the permission to execute kpatch with a transition.
Result:
The kpatch fact in the subscription manager works as expected.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:58:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1122832 | ||
It seems that following bug contains the reproducer: * https://bugzilla.redhat.com/show_bug.cgi?id=1894527 The reproducer triggers the following SELinux denial enforcing mode:
----
type=PROCTITLE msg=audit(11/11/2020 09:10:12.218:3095) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:10:12.218:3095) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:10:12.218:3095) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:10:12.218:3095) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fb7e7e576e0 a1=0x7ffc5aa003b0 a2=0x7ffc5aa003b0 a3=0x1 items=1 ppid=311622 pid=312331 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:10:12.218:3095) : avc: denied { getattr } for pid=312331 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=0
----
The reproducer triggers following SELinux denials in permissive mode:
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.820:3100) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:11:35.820:3100) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:11:35.820:3100) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:11:35.820:3100) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7fd25b224718 a1=0x7fff8c3f35c0 a2=0x7fff8c3f35c0 a3=0x1 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:11:35.820:3100) : avc: denied { getattr } for pid=312790 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.827:3101) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:11:35.827:3101) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:11:35.827:3101) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:11:35.827:3101) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fd25b224718 a1=X_OK a2=0x0 a3=0x2 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:11:35.827:3101) : avc: denied { execute } for pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.827:3102) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
type=PATH msg=audit(11/11/2020 09:11:35.827:3102) : item=0 name=/var/lib/kpatch inode=6415 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/11/2020 09:11:35.827:3102) : cwd=/
type=SYSCALL msg=audit(11/11/2020 09:11:35.827:3102) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x7fd259d31b30 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(11/11/2020 09:11:35.827:3102) : avc: denied { read } for pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=6415 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_var_lib_t:s0 tclass=dir permissive=1
----
*** Bug 1894527 has been marked as a duplicate of this bug. *** I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/529 Milosi, kpatch is used to gather information only, so I went the can_exec way, i. e. no test change is required. Archana Pandey, will you be able to verify the fix is sufficient once we have a RHEL build? *** Bug 1925643 has been marked as a duplicate of this bug. *** *** Bug 1927844 has been marked as a duplicate of this bug. *** *** Bug 1925811 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1639 |
Description of problem: With RHEL 8.3, subscription-manager comes with a "kpatch" fact /usr/lib64/python3.6/site-packages/rhsmlib/facts/kpatch.py which internally checks if /usr/sbin/kpatch exists (requires "getattr") and then executes it later (requires "execute"). This requires a policy update: AVCs: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- avc: denied { getattr } for pid=192521 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="dm-0" ino=2185345 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1 avc: denied { execute } for pid=192521 comm=rhsmcertd-worke name=kpatch dev="dm-0" ino=2185345 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1 -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Missing CIL rule: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- (allow rhsmcertd_t kpatch_exec_t (file (getattr execute))) -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Version-Release number of selected component (if applicable): selinux-policy-3.14.3-54.el8.noarch subscription-manager-1.27.16-1.el8.x86_64 How reproducible: No idea, 100% by the customer. Additional info: I requested SysMgmt to explain when this fact is triggered.