Bug 2118784
| Summary: | AVC denied read init_t var_lib_t:lnk_file prevent using systemd StateDirectory | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | François Rigault <frigo> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.4 | CC: | lvrabec, mmalik |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.8 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-111.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-16 09:03:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
François Rigault
2022-08-16 18:39:42 UTC
The following SELinux denials appeared in enforcing mode:
----
type=PROCTITLE msg=audit(08/17/2022 09:05:46.511:383) : proctitle=(touch)
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=3 name=/var/lib/private/myservice0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=2 name=/var/lib/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=1 name=/var/lib/private/ inode=162767 dev=fd:02 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:05:46.511:383) : item=0 name=/var/lib/ inode=101 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/17/2022 09:05:46.511:383) : cwd=/
type=SYSCALL msg=audit(08/17/2022 09:05:46.511:383) : arch=x86_64 syscall=rename success=no exit=EACCES(Permission denied) a0=0x556175c95790 a1=0x556175c95880 a2=0xfffffffffffffdc8 a3=0x100 items=4 ppid=1 pid=4995 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(touch) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(08/17/2022 09:05:46.511:383) : avc: denied { rename } for pid=4995 comm=(touch) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(08/17/2022 09:05:55.264:387) : proctitle=(wc)
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=3 name=/var/lib/private/myservice0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=2 name=/var/lib/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=1 name=/var/lib/private/ inode=162767 dev=fd:02 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:05:55.264:387) : item=0 name=/var/lib/ inode=101 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/17/2022 09:05:55.264:387) : cwd=/
type=SYSCALL msg=audit(08/17/2022 09:05:55.264:387) : arch=x86_64 syscall=rename success=no exit=EACCES(Permission denied) a0=0x556175b88b70 a1=0x556175ca9510 a2=0xfffffffffffffdc8 a3=0x100 items=4 ppid=1 pid=5018 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(wc) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(08/17/2022 09:05:55.264:387) : avc: denied { rename } for pid=5018 comm=(wc) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
----
# ls -ldZ /var/lib/myservice0
drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Aug 17 09:05 /var/lib/myservice0
# ls -laZ /var/lib/myservice0
total 8
drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Aug 17 09:05 .
drwxr-xr-x. 143 root root system_u:object_r:var_lib_t:s0 4096 Aug 17 09:05 ..
#
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(08/17/2022 09:08:57.396:397) : proctitle=(touch)
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=3 name=/var/lib/private/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=2 name=/var/lib/myservice0 inode=26165988 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=1 name=/var/lib/private/ inode=162767 dev=fd:02 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(08/17/2022 09:08:57.396:397) : item=0 name=/var/lib/ inode=101 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/17/2022 09:08:57.396:397) : cwd=/
type=SYSCALL msg=audit(08/17/2022 09:08:57.396:397) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x556175bd2880 a1=0x556175c87820 a2=0xfffffffffffffdc8 a3=0x100 items=4 ppid=1 pid=5708 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(touch) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(08/17/2022 09:08:57.396:397) : avc: denied { reparent } for pid=5708 comm=(touch) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(08/17/2022 09:08:57.396:397) : avc: denied { rename } for pid=5708 comm=(touch) name=myservice0 dev="vda2" ino=26165988 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(08/17/2022 09:09:06.012:401) : proctitle=(wc)
type=PATH msg=audit(08/17/2022 09:09:06.012:401) : item=0 name=/var/lib/myservice0 inode=40925 dev=fd:02 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/17/2022 09:09:06.012:401) : cwd=/
type=SYSCALL msg=audit(08/17/2022 09:09:06.012:401) : arch=x86_64 syscall=readlinkat success=yes exit=18 a0=AT_FDCWD a1=0x556175d4ac10 a2=0x556175df25d0 a3=0x63 items=1 ppid=1 pid=5740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(wc) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(08/17/2022 09:09:06.012:401) : avc: denied { read } for pid=5740 comm=(wc) name=myservice0 dev="vda2" ino=40925 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1
----
# rpm -qa selinux\* systemd\* | sort
selinux-policy-3.14.3-106.el8.noarch
selinux-policy-devel-3.14.3-106.el8.noarch
selinux-policy-doc-3.14.3-106.el8.noarch
selinux-policy-minimum-3.14.3-106.el8.noarch
selinux-policy-mls-3.14.3-106.el8.noarch
selinux-policy-sandbox-3.14.3-106.el8.noarch
selinux-policy-targeted-3.14.3-106.el8.noarch
#
note I do not have problems with the touch: $ sudo systemd-run -p DynamicUser=yes -p StateDirectory=myservice0 touch /var/lib/myservice0/foo Running as unit: run-r08702a47b7d74f5094231f76d97462c8.service $ sudo ls -l /var/lib/private/myservice0 total 0 -rw-r--r--. 1 63103 63103 0 17 août 07:25 foo only the read permissions is missing. Thanks Thanks for the information. I misunderstood the location (/var/lib/myservice0 vs. /var/lib/private/myservice0). This commit is needed to backport:
commit 90b328406aea1168714563924a291d4673be58c0
Author: Lukas Vrabec <lvrabec>
Date: Wed Nov 27 20:21:33 2019 +0100
Allow systemd to read symlinks in /var/lib
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2965 |