Bug 2156204
| Summary: | [RHEL8.6/Insights/SELinux/Bug] SELinux AVC with Oracle and SAPHostAgent | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Rajesh Dulhani <rdulhani> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | medium | ||
| Version: | 8.7 | CC: | jafiala, lvrabec, mmalik, nknazeko |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.8 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-16 09:04:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Deadline: | 2023-01-10 | ||
One of the permissions is still missing:

rhel88# rpm -q selinux-policy
selinux-policy-3.14.3-113.el8.noarch
rhel88# sesearch -A -s insights_client_t -t insights_client_t -c capability -p ipc_owner
rhel88# sesearch -A -s insights_client_t -t unconfined_service_t -c sem -p unix_read
allow insights_client_t domain:sem unix_read;

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965
Description of problem:

2 or more AVCs are not caught by the latest SELinux policy in RHEL8.6. As RHEL8.7 is non-EUS, I am not able to test it with Oracle and SAP, but I accept it if it is only fixed in RHEL8.7+.

~~~
[Azure] vrempet-admin@li-lc-2766 ~ $ rpm -q selinux-policy
selinux-policy-3.14.3-95.el8_6.5.noarch

[Azure] vrempet-admin@li-lc-2766 ~ $ sudo audit2allow -t insights_client_t -a

#============= insights_client_t ==============
allow insights_client_t self:capability ipc_owner;
allow insights_client_t unconfined_service_t:sem unix_read;

[Azure] vrempet-admin@li-lc-2766 ~ $ sudo ausearch -i -m avc,user_avc -se insights_client_t
----
type=PROCTITLE msg=audit(11/24/2022 01:48:10.780:1319892) : proctitle=/usr/bin/ipcs -s -i 32801
type=IPC msg=audit(11/24/2022 01:48:10.780:1319892) : ouid=oracle ogid=asmadmin mode=000,600 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=SYSCALL msg=audit(11/24/2022 01:48:10.780:1319892) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x8021 a1=0x0 a2=0xc a3=0x0 items=0 ppid=27556 pid=27557 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(11/24/2022 01:48:10.780:1319892) : avc: denied { ipc_owner } for pid=27557 comm=ipcs capability=ipc_owner scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(11/25/2022 01:14:16.276:1353604) : proctitle=/usr/bin/ipcs -s -i 32793
type=IPC msg=audit(11/25/2022 01:14:16.276:1353604) : ouid=oracle ogid=asmadmin mode=000,600 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=SYSCALL msg=audit(11/25/2022 01:14:16.276:1353604) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x8019 a1=0x0 a2=0xc a3=0x0 items=0 ppid=34252 pid=34253 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(11/25/2022 01:14:16.276:1353604) : avc: denied { ipc_owner } for pid=34253 comm=ipcs capability=ipc_owner scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=0
----
type=PROCTITLE msg=audit(11/26/2022 01:43:08.786:1388968) : proctitle=/usr/bin/ipcs -s -i 3
type=IPC msg=audit(11/26/2022 01:43:08.786:1388968) : ouid=sapadm ogid=sapsys mode=000,777 obj=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(11/26/2022 01:43:08.786:1388968) : arch=x86_64 syscall=semctl success=no exit=EACCES(Permission denied) a0=0x3 a1=0x0 a2=0xc a3=0x0 items=0 ppid=51746 pid=51747 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ipcs exe=/usr/bin/ipcs subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(11/26/2022 01:43:08.786:1388968) : avc: denied { unix_read } for pid=51747 comm=ipcs key=)▒▒ scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0
[Azure] vrempet-admin@li-lc-2766 ~ $
~~~
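The report's audit2allow output is the result of exactly the transformation a practitioner needs when triaging AVCs on a host that lacks the policy tools: take each `type=AVC ... avc: denied { perms } ... scontext= tcontext= tclass=` record, reduce the contexts to their type field, merge permissions per (source type, target type, class), and write them as `allow` rules with `self` when source and target types coincide. The following is an added example, not code from the bug report or from the selinux-policy project: it parses the three AVC records quoted above (copied verbatim; the third carries a binary IPC key that the report renders as replacement glyphs) and emits the complete `.te` module source that `audit2allow -M` would produce, including the `require` block. The module name `insights_ipcs_local` is an assumption.

```python
import re
from collections import defaultdict

# The three AVC records from the bug report above, copied verbatim. The
# third record's IPC key is the raw bytes ausearch printed, not a field
# the parser needs.
SAMPLE_AVC = [
    "type=AVC msg=audit(11/24/2022 01:48:10.780:1319892) : avc: denied { ipc_owner } "
    "for pid=27557 comm=ipcs capability=ipc_owner "
    "scontext=system_u:system_r:insights_client_t:s0 "
    "tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=0",
    "type=AVC msg=audit(11/25/2022 01:14:16.276:1353604) : avc: denied { ipc_owner } "
    "for pid=34253 comm=ipcs capability=ipc_owner "
    "scontext=system_u:system_r:insights_client_t:s0 "
    "tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=0",
    "type=AVC msg=audit(11/26/2022 01:43:08.786:1388968) : avc: denied { unix_read } "
    "for pid=51747 comm=ipcs key=)\u2592\u2592 "
    "scontext=system_u:system_r:insights_client_t:s0 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=sem permissive=0",
]

# Fields of an AVC denial as printed by ausearch -i / the audit log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; policy rules are written on the type.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return {
        "perms": set(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": m.group("tclass"),
        # permissive=0 means the denial was enforced (EACCES in the SYSCALL record).
        "enforced": m.group("permissive") == "0",
    }


def collect_rules(lines):
    """Merge denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def _perm_list(perms):
    """TE syntax: a single permission bare, several inside braces."""
    plist = " ".join(sorted(perms))
    return plist if len(perms) == 1 else "{ " + plist + " }"


def te_rules(lines):
    """Render allow rules in the form audit2allow prints."""
    out = []
    for (stype, ttype, tclass), perms in sorted(collect_rules(lines).items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {_perm_list(perms)};")
    return out


def te_module(lines, name="insights_ipcs_local"):  # module name is an assumption
    """Build complete .te source: module header, require block, allow rules."""
    rules = collect_rules(lines)
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + te_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module(SAMPLE_AVC), end="")
```

The generated source builds and installs with the standard tool chain (`checkmodule -M -m -o insights_ipcs_local.mod insights_ipcs_local.te`, `semodule_package -o insights_ipcs_local.pp -m insights_ipcs_local.mod`, `semodule -i insights_ipcs_local.pp`). Two caveats before shipping such a module: `ipc_owner` is the capability that bypasses owner and mode checks on every System V IPC object, which is wider than the read that `ipcs -s -i` needs, so treat the local module as a stopgap and remove it (`semodule -r insights_ipcs_local`) once the selinux-policy from the erratum is installed; and the shipped fix, as the sesearch output in the comment shows, grants the `sem unix_read` permission against the `domain` attribute rather than against `unconfined_service_t` alone, which this generator does not replicate. Verify the installed policy with the same two `sesearch -A` queries quoted above.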