Bug 1926756
| Summary: | selinux issue with pcp-pmda-sockets | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Jan Kurik <jkurik> |
| Component: | pcp | Assignee: | Mark Goodwin <mgoodwin> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Kurik <jkurik> |
| Severity: | medium | Docs Contact: | Apurva Bhide <abhide> |
| Priority: | medium | ||
| Version: | 8.4 | CC: | agerstmayr, jkurik, mgoodwin, nathans, patrickm |
| Target Milestone: | rc | Keywords: | Bugfix, Triaged |
| Target Release: | 8.4 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | pcp-5.2.5-3 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 15:19:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Jan, were there any other AVCs (other than the four listed /usr/sbin/ss operations on netlink_tcpdiag_socket) in the audit log on your RHEL84 test system? On my f33 test system I'm also seeing AVCs denying execute and execute_no_trans like the following:
type=AVC msg=audit(1613000440.144:54204): avc: denied { execute } for pid=3891551 comm="pmcd" name="bash" dev="dm-1" ino=137448978 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1613000440.144:54205): avc: denied { execute_no_trans } for pid=3891551 comm="pmcd" path="/usr/bin/bash" dev="dm-1" ino=137448978 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Thanks
Hi Mark,
I tried to kept the sockets pmda running for a while and run the upstream testsuite with '-g pmda.sockets' on it several times.
This has generated one more AVC beside of those already reported (nlmsg_read). Here is the full list of AVCs I can see on RHEL-8.4:
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };
However I do not see any of those AVCs you reported above.
I do not observe any AVC issues on the pcp-5.2.5-3 build. This BZ has been verified on x86_64, ppc64le, aarch64 platforms. Due to lack of s390x systems, the verification on s390x platform has been done only on a shared system with limited testing capabilities -> setting SanityOnly flag. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (pcp bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1754 |
Description of problem: Registration of "sockets" pmda generates AVC records Version-Release number of selected component (if applicable): * RHEL-8.4.0-20210202.n.0 compose * pcp-5.2.5-2.el8 * selinux-policy-3.14.3-62.el8 How reproducible: Always Steps to Reproduce: 1. Install pcp-pmda-sockets and pcp-zeroconf packages # yum install -y pcp-pmda-sockets pcp-zeroconf 2. Register the socket PMDA # cd /var/lib/pcp/pmdas/sockets && ./Install Actual results: The following selinux record is generated during the registration process # audit2allow -a #============= pcp_pmcd_t ============== allow pcp_pmcd_t self:netlink_tcpdiag_socket create; allow pcp_pmcd_t self:netlink_tcpdiag_socket setopt; allow pcp_pmcd_t self:netlink_tcpdiag_socket bind; allow pcp_pmcd_t self:netlink_tcpdiag_socket getattr; # ausearch -m AVC ---- time->Tue Feb 9 06:27:04 2021 type=PROCTITLE msg=audit(1612870024.868:1204): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564 type=SYSCALL msg=audit(1612870024.868:1204): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=4 a3=404 items=0 ppid=26358 pid=27288 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) type=AVC msg=audit(1612870024.868:1204): avc: denied { create } for pid=27288 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0 ---- time->Tue Feb 9 06:35:56 2021 type=PROCTITLE msg=audit(1612870556.944:1229): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564 type=SYSCALL msg=audit(1612870556.944:1229): arch=c000003e syscall=54 success=no exit=-13 a0=6 a1=1 a2=7 a3=7ffc1340d3d0 items=0 ppid=29077 pid=29097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) type=AVC msg=audit(1612870556.944:1229): avc: denied { setopt } for pid=29097 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0 ---- time->Tue Feb 9 06:41:15 2021 type=PROCTITLE msg=audit(1612870875.033:2031): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564 type=SYSCALL msg=audit(1612870875.033:2031): arch=c000003e syscall=49 success=no exit=-13 a0=1e a1=7fffe44b1774 a2=c a3=7fffe44b16b4 items=0 ppid=44368 pid=46332 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) type=AVC msg=audit(1612870875.033:2031): avc: denied { bind } for pid=46332 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0 ---- time->Tue Feb 9 06:51:33 2021 type=PROCTITLE msg=audit(1612871493.134:2909): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564 type=SYSCALL msg=audit(1612871493.134:2909): arch=c000003e syscall=51 success=no exit=-13 a0=1e a1=7ffc94fba304 a2=7ffc94fba23c a3=7ffc94fba244 items=0 ppid=53873 pid=54868 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) type=AVC msg=audit(1612871493.134:2909): avc: denied { getattr } for pid=54868 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0 There is also the folloving error message in /var/log/pcp/pmcd/pmcd.log file: Cannot open netlink socket: Permission denied Expected results: No AVC issues, no error messages in /var/log/pcp/pmcd/pmcd.log file. Additional info: