Bug 2075810

Summary: sblim-sfcbd daemon cannot connect to reposd unix socket
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.5
CC: lvrabec, mmalik, ssekidde, vcrhonek
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.7
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-98.el8
Doc Type: Bug Fix
Doc Text:
Cause: The sblim-sfcbd service requires permission to connect to the sblim-reposd stream, and that permission is not present in the current selinux-policy.
Consequence: sblim-sfcbd fails to connect to the sblim-reposd stream and reports it as not active.
Fix: The permission was added to selinux-policy.
Result: The sblim-sfcbd service runs without reporting errors.
Story Points: ---
Last Closed: 2022-11-08 10:44:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Renaud Métrich 2022-04-15 12:59:47 UTC
Description of problem:

The sblim-sfcbd needs to connect to the reposd daemon (part of the sblim-gather package) in order to retrieve the data.
For now there is an AVC popping up:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Fri Apr 15 08:58:40 2022
type=PROCTITLE msg=audit(1650027520.269:114): proctitle="/usr/sbin/sfcbd"
type=SYSCALL msg=audit(1650027520.269:114): arch=80000016 syscall=102 success=no exit=-13 a0=3 a1=3ffb987dd60 a2=3ffb987f910 a3=2 items=0 ppid=6774 pid=6841 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sfcbd" exe="/usr/sbin/sfcbd" subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null)
type=AVC msg=audit(1650027520.269:114): avc:  denied  { connectto } for  pid=6841 comm="sfcbd" path="/run/gather/.repos-socket" scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:system_r:sblim_reposd_t:s0 tclass=unix_stream_socket permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Please allow this in the policy, it's perfectly legit.
There is a boolean to allow this, but it's overkill (it's for cluster environments):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s sblim_sfcbd_t -t sblim_reposd_t -c unix_stream_socket
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8_5.2
sblim-sfcb-1.4.9-17.el8
sblim-gather-2.2.9-24.el8


How reproducible:

Always

Steps to Reproduce:
1. Install sblim packages

  # yum -y install sblim-gather sblim-sfcb sblim-wbemcli

2. Start the services

  # systemctl start sblim-sfcb reposd

3. Execute the wbemcli command

  # /usr/bin/wbemcli ei -nl 'http://localhost/root/cimv2:Linux_IPProtocolEndpointMetricValue'

Actual results:

AVC (see above) + error message:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
*
* /usr/bin/wbemcli: Cim: (1) CIM_ERR_FAILED: Gatherer Service not active
*
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:

No AVC and connection initiated

Additional info:

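The point of the report is that the only existing rule covering this denial (`allow daemon daemon:unix_stream_socket connectto` behind `daemons_enable_cluster_mode`) is far broader than what sfcbd needs. The following is an added example, not code from the report or from the selinux-policy project: it parses AVC records in the two shapes quoted on this page (raw auditd output and `ausearch -i` interpreted output), reduces them to the narrowest type-enforcement rule that would satisfy them, and renders a local `.te` module body; the sample records are constructed copies of the ones above, and the module name `sblim_sfcbd_reposd` is an assumption.

```python
import re

# Constructed AVC records in the two shapes this report quotes: raw auditd output
# (quoted values, permissive=0) and `ausearch -i` interpreted output (unquoted, permissive=1).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1650027520.269:114): avc:  denied  { connectto } for  pid=6841 '
    'comm="sfcbd" path="/run/gather/.repos-socket" scontext=system_u:system_r:sblim_sfcbd_t:s0 '
    'tcontext=system_u:system_r:sblim_reposd_t:s0 tclass=unix_stream_socket permissive=0',
    'type=AVC msg=audit(04/19/2022 03:55:06.660:427) : avc:  denied  { connectto } for  pid=10598 '
    'comm=sfcbd path=/run/gather/.repos-socket scontext=system_u:system_r:sblim_sfcbd_t:s0 '
    'tcontext=system_u:system_r:sblim_reposd_t:s0 tclass=unix_stream_socket permissive=1 ',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Return (source type, target type, class, permissions, permissive) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the allow rule needs only the type field.
    stype, ttype = (m.group(g).split(':')[2] for g in ('scontext', 'tcontext'))
    return (stype, ttype, m.group('tclass'),
            frozenset(m.group('perms').split()), m.group('permissive') == '1')

def merge_avcs(lines):
    """Group denials by (source, target, class) and union their permissions."""
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            key, perms = parsed[:3], parsed[3]
            merged[key] = merged.get(key, frozenset()) | perms
    return merged

def minimal_rules(lines):
    """One type-enforcement allow rule per (source, target, class), nothing broader."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merge_avcs(lines).items())

def render_te_module(name, lines):
    """Render a .te module body; building and loading it (selinux-policy-devel Makefile,
    semodule -i) is left to the operator and is not exercised here."""
    types = sorted({t for key in merge_avcs(lines) for t in key[:2]})
    body = [f"policy_module({name}, 1.0)", "", "require {"]
    body += [f"    type {t};" for t in types] + ["}", ""] + minimal_rules(lines)
    return "\n".join(body) + "\n"
```

Compared with the boolean-gated rule, the generated rule names exactly one source type, one target type and one permission, which is what the report asks the distribution policy to carry.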
Comment 1 Milos Malik 2022-04-19 07:59:07 UTC
Encountered in permissive mode:
----
type=PROCTITLE msg=audit(04/19/2022 03:55:06.660:427) : proctitle=/usr/sbin/sfcbd 
type=SYSCALL msg=audit(04/19/2022 03:55:06.660:427) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x8b a1=0x7f7be6cd4fd0 a2=0x6e a3=0x0 items=0 ppid=10445 pid=10598 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sfcbd exe=/usr/sbin/sfcbd subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null) 
type=AVC msg=audit(04/19/2022 03:55:06.660:427) : avc:  denied  { connectto } for  pid=10598 comm=sfcbd path=/run/gather/.repos-socket scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:system_r:sblim_reposd_t:s0 tclass=unix_stream_socket permissive=1 
----

# rpm -qa selinux\* \*sblim\* | sort
sblim-cmpi-base-1.6.4-14.el8.x86_64
sblim-gather-2.2.9-24.el8.x86_64
sblim-gather-provider-2.2.9-24.el8.x86_64
sblim-indication_helper-0.5.0-2.el8.x86_64
sblim-sfcb-1.4.9-17.el8.x86_64
sblim-sfcc-2.2.8-9.el8.x86_64
sblim-sfcCommon-1.0.1-13.el8.x86_64
sblim-wbemcli-1.6.3-15.el8.x86_64
selinux-policy-3.14.3-95.el8.noarch
selinux-policy-targeted-3.14.3-95.el8.noarch
#

Comment 4 Zdenek Pytela 2022-05-04 06:44:16 UTC
Commit to backport:

commit ebe49dc5f4262dd44d2ab51fb8830f0a588bfa6f
Author: Zdenek Pytela <zpytela>
Date:   Mon May 2 12:01:02 2022 +0200

    Allow sblim-sfcbd connect to sblim-reposd stream

Comment 13 errata-xmlrpc 2022-11-08 10:44:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691