Bug 1949871

Summary: SELinux is preventing /usr/libexec/platform-python3.6 from add_name access on the directory /var/log/hawkey.log
Product: Red Hat Enterprise Linux 8
Reporter: dbodnarc
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.5
CC: abjoshi, fadamo, john.sincock, lvrabec, mmalik, plautrba, rmetrich, ssekidde, tscherf
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-90.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-10 15:14:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description dbodnarc 2021-04-15 09:47:14 UTC
AVC denial:
SELinux is preventing /usr/libexec/platform-python3.6 from add_name access on the directory /var/log/hawkey.log

Environment:
> RHEL8.3 (kernel-4.18.0-240.22.1.el8_3)
> selinux-policy-3.14.3-54.el8_3.3

Raw Audit Messages
----------------8<----------------8<----------------8<----------------8<----------------8<----------------8<----------------8<----------------
type=AVC msg=audit(1617833922.827:918): avc:  denied  { add_name } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1617833922.827:918): avc:  denied  { create } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1617833922.827:918): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=55fc374a6df0 a2=441 a3=1b6 items=2 ppid=1431 pid=33456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1617833922.827:918): cwd="/"
type=PATH msg=audit(1617833922.827:918): item=0 name="/var/log/" inode=2 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="root"
type=PATH msg=audit(1617833922.827:918): item=1 name="/var/log/hawkey.log" inode=73 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="root"
type=PROCTITLE msg=audit(1617833922.827:918): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
----------------8<----------------8<----------------8<----------------8<----------------8<----------------8<----------------8<----------------

# rpm -q selinux-policy
selinux-policy-3.14.3-54.el8_3.3.noarch

# sesearch --allow --source rhsmcertd_t --target var_log_t
allow application_domain_type logfile:file { append getattr ioctl lock };
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain var_log_t:dir { getattr open search };
allow systemprocess logfile:file { append getattr ioctl lock };

There was a BZ#1720639 covering open access for the /var/log/hawkey.log file, but it didn't cover cases when the file needs to be created (add_name + create).

Comment 6 Zdenek Pytela 2022-02-04 08:47:04 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1045

Comment 18 errata-xmlrpc 2022-05-10 15:14:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

Comment 19 John 2022-07-28 06:00:35 UTC
OH, it's fixed in 3.14.3-95 is it?

Jul 28 03:28:34 audccfots809 setroubleshoot[57764]: SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file /var/log/hawkey.log.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that platform-python3.6 should be allowed read access on the hawkey.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'yum' --raw | audit2allow -M my-yum#012# semodule -X 300 -i my-yum.pp#012

[root@audccfots809 07-28 15:55:24 ~]# rpm -q selinux-policy
selinux-policy-3.14.3-95.el8.noarch

Hopeless.
Hopeless.
Hopeless.
Hopeless.
Hopeless.
Hopeless.
Hopeless.

Maybe you want to have another try?
Maybe get it properly fixed by the time RHEL 860 comes out, the year 6000 AD or so?

Comment 20 John 2022-07-28 06:09:29 UTC
Oh, and error on open access too:

Jul 28 03:28:34 audccfots809 setroubleshoot[57764]: SELinux is preventing /usr/libexec/platform-python3.6 from open access on the file /var/log/hawkey.log.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that platform-python3.6 should be allowed open access on the hawkey.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'yum' --raw | audit2allow -M my-yum#012# semodule -X 300 -i my-yum.pp#012

Pitiful.

Comment 21 Milos Malik 2022-07-28 09:15:09 UTC
Please run the following commands and let us know if the problem still persists:

# ls -lZ /var/log/hawkey.log
# restorecon -v /var/log/hawkey.log

I assume that the /var/log/hawkey.log file is mislabeled (my guess is var_log_t). The restorecon command should correct the label to rpm_log_t.

Comment 22 Milos Malik 2022-07-28 09:22:38 UTC
The important questions are which process created the incorrectly labeled /var/log/hawkey.log file and how the file was created.
Was it created directly in /var/log directory or was it created elsewhere and then renamed?
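The raw audit records in the description and the mislabel-versus-policy-gap question raised in comments 21 and 22 are the two things a triage script has to tell apart. The following is an added example written for this page, not code from the bug report or from the selinux-policy project: it parses AVC and PATH records, compares each path's actual label (the PATH `obj=` field) against an expected-label table, and reports whether a denial looks like a mislabel (restorecon fixes it) or a genuine policy gap (a policy update or local module is needed, and the `allow` line printed is what audit2allow would emit for it). The `EXPECTED_TYPE` table stands in for what `matchpathcon` / file_contexts would return and is an assumption; the second sample event is constructed to show the mislabel case.

```python
"""Triage SELinux AVC denials: mislabeled object vs. missing policy rule."""
import re
from collections import defaultdict

# Sample 1: the AVC and PATH records quoted in this bug report (trimmed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1617833922.827:918): avc:  denied  { add_name } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1617833922.827:918): avc:  denied  { create } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=PATH msg=audit(1617833922.827:918): item=0 name="/var/log/" inode=2 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
type=PATH msg=audit(1617833922.827:918): item=1 name="/var/log/hawkey.log" inode=73 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_log_t:s0 nametype=NORMAL
"""

# Sample 2: a CONSTRUCTED event in which hawkey.log carries the wrong label
# (the situation guessed at in comment 21); not taken from the bug report.
MISLABEL_SAMPLE = """\
type=AVC msg=audit(1659000000.000:42): avc:  denied  { read } for  pid=1 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=PATH msg=audit(1659000000.000:42): item=0 name="/var/log/hawkey.log" inode=73 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
"""

# ASSUMED expected labels; on a real host this comes from the policy's
# file_contexts (`matchpathcon <path>`), not from a hard-coded table.
EXPECTED_TYPE = {
    "/var/log": "var_log_t",
    "/var/log/hawkey.log": "rpm_log_t",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'denied\s+\{\s*([^}]*)\}')


def parse_record(line):
    """Split one audit line into key=value fields; AVC lines also get 'perms'."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    if m:
        fields["perms"] = set(m.group(1).split())
    return fields


def context_type(ctx):
    """Return the type from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def group_by_event(text):
    """Group records by their audit event id, e.g. 'audit(1617833922.827:918)'."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["msg"].rstrip(":")].append(rec)
    return events


def mislabeled_paths(records, expected=EXPECTED_TYPE):
    """Map path -> (actual_type, expected_type) for every PATH record whose
    on-disk label differs from the expected one."""
    out = {}
    for rec in records:
        if rec.get("type") == "PATH" and "obj" in rec:
            path = rec["name"].rstrip("/") or "/"
            actual = context_type(rec["obj"])
            if path in expected and expected[path] != actual:
                out[path] = (actual, expected[path])
    return out


def suggested_rule(rec):
    """The TE allow statement audit2allow would generate for this AVC."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec["scontext"]), context_type(rec["tcontext"]),
        rec["tclass"], " ".join(sorted(rec["perms"])))


def triage_event(records, expected=EXPECTED_TYPE):
    """Return one verdict per AVC in the event: 'mislabel' when an object in
    the event carries a wrong label (fix: restorecon), else 'policy_gap'."""
    bad = mislabeled_paths(records, expected)
    results = []
    for rec in records:
        if rec.get("type") != "AVC":
            continue
        results.append({
            "stype": context_type(rec["scontext"]),
            "ttype": context_type(rec["tcontext"]),
            "tclass": rec["tclass"],
            "perms": sorted(rec["perms"]),
            "verdict": "mislabel" if bad else "policy_gap",
            "mislabeled": bad,
            "rule": suggested_rule(rec),
        })
    return results


if __name__ == "__main__":
    for event_id, recs in group_by_event(SAMPLE_AUDIT + MISLABEL_SAMPLE).items():
        for r in triage_event(recs):
            print(event_id, r["verdict"], r["rule"], r["mislabeled"] or "")
```

For the event quoted in this report the script reports `policy_gap` for both the `add_name` and `create` denials, because the PATH records show `/var/log` correctly labeled `var_log_t` and the file correctly labeled `rpm_log_t`; that matches the outcome here (a policy change in selinux-policy rather than a relabel). For the constructed second event it reports `mislabel`, which is the case where `restorecon -v /var/log/hawkey.log` is the right fix and no allow rule should be added.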

Comment 23 John 2022-07-29 00:44:35 UTC
Nope.

The file is labelled rpm_log_t

Jul 29 02:22:01 audccfots809 setroubleshoot[121363]: SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file /var/log/hawkey.log.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that platform-python3.6 should be allowed read access on the hawkey.log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'yum' --raw | audit2allow -M my-yum#012# semodule -X 300 -i my-yum.pp#012

[root@audccfots809 07-29 10:43:29 ~]# ls -lZ /var/log/hawkey.log
-rw-------. 1 root root system_u:object_r:rpm_log_t:s0 5940 Jul 29 10:03 /var/log/hawkey.log

[root@audccfots809 07-29 10:43:34 ~]# restorecon -v /var/log/hawkey.log
[root@audccfots809 07-29 10:43:46 ~]#

Comment 24 John 2022-07-29 00:48:15 UTC
Also, there are multiple hawkey logs, so they are being created via the normal process, and rotating like normal:

-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         5940 Jul 29 10:03 hawkey.log
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6360 Jul  3 02:39 hawkey.log-20220703
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6420 Jul 10 02:22 hawkey.log-20220710
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6780 Jul 17 01:49 hawkey.log-20220717
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6540 Jul 24 02:47 hawkey.log-20220724

And yet I still have these nonsense warnings spamming my logs.

Comment 25 John 2022-07-29 01:29:09 UTC
Fully updated vm(s), with:

[root@audccfots809 07-29 11:27:52 ~]# rpm -q selinux-policy
selinux-policy-3.14.3-95.el8.noarch