Bug 2149633

Summary: SELinux prevents the rsyslogd from dropping capabilities (syscall=prctl)
Product: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Bruno Goncalves <bgoncalv>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Keywords: Triaged
Target Milestone: ---
Target Release: ---
Type: Bug
Story Points: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Doc Type: If docs needed, set a value
Clones: 2151841
Bug Blocks: 2151841
Last Closed: 2023-01-16 10:55:40 UTC

Description Bruno Goncalves 2022-11-30 13:21:23 UTC
Description of problem:

The following avc denial seems to happen during boot:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1-1.fc38.noarch
----
time->Wed Nov 30 04:19:25 2022
type=AVC msg=audit(1669778365.950:146): avc:  denied  { setpcap } for  pid=654 comm="rsyslogd" capability=8  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-38.1-1.fc38.noarch

How reproducible:
Not sure yet

Comment 2 Bruno Goncalves 2022-11-30 13:52:31 UTC
It seems easily reproducible by rebooting the system after installing rsyslog (rsyslog-8.2210.0-1.fc38).

time->Wed Nov 30 08:47:36 2022
type=PROCTITLE msg=audit(1669816056.379:137): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
type=SYSCALL msg=audit(1669816056.379:137): arch=c000003e syscall=157 success=yes exit=0 a0=18 a1=0 a2=0 a3=0 items=0 ppid=1 pid=507 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1669816056.379:137): avc:  denied  { setpcap } for  pid=507 comm="rsyslogd" capability=8  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1

Comment 4 Milos Malik 2022-11-30 15:34:12 UTC
# rpm -qa selinux\* rsyslog\* | sort
rsyslog-8.2210.0-1.fc38.x86_64
rsyslog-logrotate-8.2210.0-1.fc38.x86_64
selinux-policy-38.1-1.fc38.noarch
selinux-policy-targeted-38.1-1.fc38.noarch
#

Easy to reproduce:

# service rsyslog start
----
type=PROCTITLE msg=audit(11/30/2022 10:30:21.280:571) : proctitle=/usr/sbin/rsyslogd -n 
type=SYSCALL msg=audit(11/30/2022 10:30:21.280:571) : arch=x86_64 syscall=prctl success=no exit=EPERM(Operation not permitted) a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=1 pid=1866 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rsyslogd exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) 
type=AVC msg=audit(11/30/2022 10:30:21.280:571) : avc:  denied  { setpcap } for  pid=1866 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0 
----

# journalctl -l -u rsyslog
Nov 30 10:30:21 removed systemd[1]: Starting rsyslog.service - System Logging Service...
Nov 30 10:30:21 removed rsyslogd[1866]: libcap-ng used by "/usr/sbin/rsyslogd" failed dropping bounding set in capng_apply
Nov 30 10:30:21 removed systemd[1]: Started rsyslog.service - System Logging Service.
Nov 30 10:30:21 removed rsyslogd[1866]: [origin software="rsyslogd" swVersion="8.2210.0-1.fc38" x-pid="1866" x-info="https://www.rsyslog.com"] start
Nov 30 10:30:21 removed rsyslogd[1866]: imjournal: No statefile exists, /var/lib/rsyslog/imjournal.state will be created (ignore if this is first run): No such file or directory [v8.2210.0-1.fc38 try https://www.rsyslog.com/e/2040 ]
Nov 30 10:30:21 removed rsyslogd[1866]: imjournal: journal files changed, reloading...  [v8.2210.0-1.fc38 try https://www.rsyslog.com/e/0 ]
#

Comment 5 Milos Malik 2022-11-30 15:35:23 UTC
The only SELinux denial triggered in permissive mode:
----
type=PROCTITLE msg=audit(11/30/2022 10:34:32.797:579) : proctitle=/usr/sbin/rsyslogd -n 
type=SYSCALL msg=audit(11/30/2022 10:34:32.797:579) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=1 pid=1917 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rsyslogd exe=/usr/sbin/rsyslogd subj=system_u:system_r:syslogd_t:s0 key=(null) 
type=AVC msg=audit(11/30/2022 10:34:32.797:579) : avc:  denied  { setpcap } for  pid=1917 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1 
----
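As an added example (not part of the bug report or of selinux-policy), a small parser for AVC records like the two above: it extracts the denied permission and the source/target types, distinguishes an enforced denial (permissive=0, the prctl call actually failed with EPERM) from an audit-only one (permissive=1), and prints the allow rule a local policy module would need. The sample records are constructed from the lines in this bug; the emitted rule is illustrative and is not the fix that closed the bug.

```python
import re
from dataclasses import dataclass

# Constructed sample: one AVC from enforcing mode and one from permissive mode,
# modelled on the records posted in this bug (ausearch -i style, unquoted comm=).
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/30/2022 10:30:21.280:571) : avc:  denied  { setpcap } for  pid=1866 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(11/30/2022 10:34:32.797:579) : avc:  denied  { setpcap } for  pid=1917 comm=rsyslogd capability=setpcap  scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=capability permissive=1
"""

# Matches both raw audit.log records (comm="rsyslogd") and ausearch -i output (comm=rsyslogd).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="?(?P<comm>[^\s"]+)"?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

@dataclass
class Denial:
    perms: list
    comm: str
    source_type: str
    target_type: str
    tclass: str
    enforced: bool  # True when permissive=0: the kernel refused the operation, not just logged it

    def allow_rule(self) -> str:
        # A capability check has scontext == tcontext: the domain acts on itself, written "self".
        target = "self" if self.source_type == self.target_type else self.target_type
        return f"allow {self.source_type} {target}:{self.tclass} {{ {' '.join(self.perms)} }};"

def selinux_type(context: str) -> str:
    # user:role:type:level -> type (index 2 is stable even with an MLS range in the level)
    return context.split(":")[2]

def parse_denials(text: str) -> list:
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append(Denial(
                perms=m.group("perms").split(),
                comm=m.group("comm"),
                source_type=selinux_type(m.group("scontext")),
                target_type=selinux_type(m.group("tcontext")),
                tclass=m.group("tclass"),
                enforced=m.group("permissive") == "0",
            ))
    return denials

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_AUDIT):
        print(("BLOCKED " if d.enforced else "AUDITED ") + d.comm + ": " + d.allow_rule())
```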

Comment 7 Zdenek Pytela 2022-11-30 16:00:29 UTC
Not reproducible in F37

f37# rpm -q rsyslog
rsyslog-8.2204.0-3.fc37.x86_64
 
rawhide# rpm -q rsyslog
rsyslog-8.2210.0-1.fc38.x86_64
rawhide# rpm -q rsyslog --changelog |more
* Wed Nov 09 2022 Attila Lakatos <alakatos> - 8.2210.0-1
- rebase to 8.2210.0
  resolves: rhbz#2097173
- Drop capabilities to the necessary set via libcap-ng
  resolves: rhbz#2127403