Bug 2158779
| Summary: | [RHEL8.6/Insights/SELinux/Bug] SELinux AVC with SAPHostAgent with selinux-policy-3.14.3-95.el8_6.5 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Rajesh Dulhani <rdulhani> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | high | | |
| Version: | 8.6 | CC: | jafiala, lvrabec, mmalik, nknazeko, peter.vreman, thomas.rumbaut |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.8 | Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-114.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-16 09:04:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2965
Description of problem:
AVCs not caught by the latest SELinux policy in RHEL8.6 related to SAP

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-95.el8_6.5.noarch

How reproducible:
~~~
+ sudo ausearch -i -m avc,user_avc -ts today
----
type=PROCTITLE msg=audit(12/30/2022 10:44:00.558:46859) : proctitle=/usr/sap/hostctrl/exe/saphostctrl -function GetCIMObject -enuminstances SAPInstance
type=PATH msg=audit(12/30/2022 10:44:00.558:46859) : item=0 name=/tmp/.sapstream1128 inode=153 dev=fd:01 mode=socket,700 ouid=sapadm ogid=sapsys rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:44:00.558:46859) : cwd=/
type=SOCKADDR msg=audit(12/30/2022 10:44:00.558:46859) : saddr={ saddr_fam=local path=/tmp/.sapstream1128 }
type=SYSCALL msg=audit(12/30/2022 10:44:00.558:46859) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffc91daf370 a2=0x15 a3=0xf items=1 ppid=90343 pid=90344 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saphostctrl exe=/usr/sap/hostctrl/exe/saphostctrl subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:44:00.558:46859) : avc: denied { write } for pid=90344 comm=saphostctrl name=.sapstream1128 dev="dm-1" ino=153 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:45:38.650:46891) : proctitle=/usr/sap/hostctrl/exe/saphostexec -status
type=OBJ_PID msg=audit(12/30/2022 10:45:38.650:46891) : opid=3406 oauid=unset ouid=sapadm oses=-1 obj=system_u:system_r:unconfined_service_t:s0 ocomm=sapstartsrv
type=SYSCALL msg=audit(12/30/2022 10:45:38.650:46891) : arch=x86_64 syscall=kill success=yes exit=0 a0=0xd4e a1=SIG0 a2=0x0 a3=0xf items=0 ppid=91486 pid=91487 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saphostexec exe=/usr/sap/hostctrl/exe/saphostexec subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:45:38.650:46891) : avc: denied { kill } for pid=91487 comm=saphostexec capability=kill scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:45:38.753:46892) : proctitle=/usr/sap/hostctrl/exe/saposcol -s pf=/usr/sap/hostctrl/exe/host_profile
type=PATH msg=audit(12/30/2022 10:45:38.753:46892) : item=1 name=/usr/sap/tmp/88410676 inode=149 dev=fd:07 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/30/2022 10:45:38.753:46892) : item=0 name=/usr/sap/tmp/ inode=146 dev=fd:07 mode=dir,775 ouid=root ogid=sapsys rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:45:38.753:46892) : cwd=/
type=SYSCALL msg=audit(12/30/2022 10:45:38.753:46892) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x1d46d00 a2=O_RDWR|O_CREAT|O_EXCL|O_TRUNC a3=0x1ff items=2 ppid=91487 pid=91490 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saposcol exe=/usr/sap/hostctrl/exe/saposcol subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:45:38.753:46892) : avc: denied { write } for pid=91490 comm=saposcol path=/usr/sap/tmp/88410676 dev="dm-7" ino=149 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46892) : avc: denied { create } for pid=91490 comm=saposcol name=88410676 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46892) : avc: denied { add_name } for pid=91490 comm=saposcol name=88410676 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46892) : avc: denied { write } for pid=91490 comm=saposcol name=tmp dev="dm-7" ino=146 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:45:38.753:46893) : proctitle=/usr/sap/hostctrl/exe/saposcol -s pf=/usr/sap/hostctrl/exe/host_profile
type=PATH msg=audit(12/30/2022 10:45:38.753:46893) : item=1 name=/usr/sap/tmp/88410676 inode=149 dev=fd:07 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12/30/2022 10:45:38.753:46893) : item=0 name=/usr/sap/tmp/ inode=146 dev=fd:07 mode=dir,775 ouid=root ogid=sapsys rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/30/2022 10:45:38.753:46893) : cwd=/
type=SYSCALL msg=audit(12/30/2022 10:45:38.753:46893) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x1d46d00 a1=0x1d46d00 a2=0x2c2 a3=0x9 items=2 ppid=91487 pid=91490 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saposcol exe=/usr/sap/hostctrl/exe/saposcol subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:45:38.753:46893) : avc: denied { unlink } for pid=91490 comm=saposcol name=88410676 dev="dm-7" ino=149 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46893) : avc: denied { remove_name } for pid=91490 comm=saposcol name=88410676 dev="dm-7" ino=149 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:45:38.753:46894) : proctitle=/usr/sap/hostctrl/exe/saposcol -s pf=/usr/sap/hostctrl/exe/host_profile
type=IPC msg=audit(12/30/2022 10:45:38.753:46894) : ouid=root ogid=sapsys mode=000,770 obj=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(12/30/2022 10:45:38.753:46894) : arch=x86_64 syscall=shmget success=yes exit=8 a0=0x4dbe a1=0x0 a2=0770 a3=0x0 items=0 ppid=91487 pid=91490 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saposcol exe=/usr/sap/hostctrl/exe/saposcol subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:45:38.753:46894) : avc: denied { associate } for pid=91490 comm=saposcol key=\031▒ scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46894) : avc: denied { unix_read unix_write } for pid=91490 comm=saposcol key=\031▒ scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:45:38.754:46895) : proctitle=/usr/sap/hostctrl/exe/saposcol -s pf=/usr/sap/hostctrl/exe/host_profile
type=IPC msg=audit(12/30/2022 10:45:38.754:46895) : ouid=root ogid=sapsys mode=000,770 obj=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(12/30/2022 10:45:38.754:46895) : arch=x86_64 syscall=shmat success=yes exit=140317372096512 a0=0x8 a1=0x0 a2=0x2000 a3=0x9 items=0 ppid=91487 pid=91490 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saposcol exe=/usr/sap/hostctrl/exe/saposcol subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:45:38.754:46895) : avc: denied { read write } for pid=91490 comm=saposcol key=\031▒ scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1
----
type=PROCTITLE msg=audit(12/30/2022 10:45:38.754:46896) : proctitle=/usr/sap/hostctrl/exe/saposcol -s pf=/usr/sap/hostctrl/exe/host_profile
type=IPC msg=audit(12/30/2022 10:45:38.754:46896) : ouid=root ogid=sapsys mode=000,770 obj=system_u:system_r:unconfined_service_t:s0
type=SYSCALL msg=audit(12/30/2022 10:45:38.754:46896) : arch=x86_64 syscall=shmctl success=yes exit=0 a0=0x8 a1=0x2 a2=0x7fffcbcd16e0 a3=0x9 items=0 ppid=91487 pid=91490 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=saposcol exe=/usr/sap/hostctrl/exe/saposcol subj=system_u:system_r:insights_client_t:s0 key=(null)
type=AVC msg=audit(12/30/2022 10:45:38.754:46896) : avc: denied { getattr } for pid=91490 comm=saposcol key=\031▒ scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1

+ sudo audit2allow -a

#============= insights_client_t ==============
allow insights_client_t tmp_t:sock_file write;
allow insights_client_t unconfined_service_t:shm { associate getattr read unix_read unix_write write };
allow insights_client_t usr_t:dir { add_name remove_name write };
allow insights_client_t usr_t:file { create unlink write };
~~~

A quick check using sesearch on RHEL8.7 shows that RHEL8.7 (selinux-policy-3.14.3-108) is also still lacking these rules. But as SAP requires an EUS release, a fix can wait for RHEL8.8(-EUS).
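Two things in the records above are worth reading off explicitly: every AVC carries permissive=1 and every matching SYSCALL shows success=yes, so insights_client_t was a permissive domain on this host and the SAP host agent calls were logged rather than blocked; and audit2allow's rule list is simply the denials collapsed per (source type, target type, class), which is why a single entry such as usr_t:dir { add_name remove_name write } would grant insights_client_t write access to every directory labelled usr_t, not just /usr/sap/tmp. The script below is an added example, not code from the bug report or from selinux-policy. It reimplements that collapse step over a constructed, trimmed subset of the AVC lines quoted in the report (the binary shm key= field is dropped, and one non-AVC record is included to show it is ignored), reports which source domains were permissive, and prints the sesearch queries (setools) with which to confirm whether an installed policy, for instance the errata build, already contains each rule before anyone loads a local module generated from audit2allow output.

```python
"""Collapse SELinux AVC denial records into the allow rules audit2allow would
emit, flag permissive source domains, and derive sesearch checks for each rule.

Added example; not code from the bug report or from the selinux-policy package.
"""
import re
from collections import defaultdict

# Constructed sample: trimmed subset of the report's `ausearch -i` output.
SAMPLE_AVCS = """\
type=AVC msg=audit(12/30/2022 10:44:00.558:46859) : avc: denied { write } for pid=90344 comm=saphostctrl name=.sapstream1128 dev="dm-1" ino=153 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.650:46891) : avc: denied { kill } for pid=91487 comm=saphostexec capability=kill scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=capability permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46892) : avc: denied { create } for pid=91490 comm=saposcol name=88410676 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46892) : avc: denied { add_name } for pid=91490 comm=saposcol name=88410676 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46893) : avc: denied { unlink } for pid=91490 comm=saposcol name=88410676 dev="dm-7" ino=149 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.753:46894) : avc: denied { unix_read unix_write } for pid=91490 comm=saposcol scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1
type=AVC msg=audit(12/30/2022 10:45:38.754:46895) : avc: denied { read write } for pid=91490 comm=saposcol scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm permissive=1
type=SYSCALL msg=audit(12/30/2022 10:45:38.754:46895) : arch=x86_64 syscall=shmat success=yes exit=140317372096512
"""

# Fields of an AVC record that matter for rule generation.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """user:role:type[:range] -> type (index 2 is stable even with an MLS range)."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, perms, permissive?) or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (
        type_of(m.group("scon")),
        type_of(m.group("tcon")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
        m.group("permissive") == "1",
    )


def collapse(text):
    """Merge denials sharing (source, target, class) into one permission set.

    Also returns the source domains seen with permissive=1: those denials were
    only logged, which is why the SYSCALL records in the report say success=yes.
    """
    rules = defaultdict(set)
    permissive_domains = set()
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue  # SYSCALL, PATH, PROCTITLE and similar records carry no AVC
        stype, ttype, tclass, perms, permissive = parsed
        rules[(stype, ttype, tclass)].update(perms)
        if permissive:
            permissive_domains.add(stype)
    return dict(rules), permissive_domains


def allow_rules(rules):
    """Render rules the way audit2allow prints them ('self' when source == target)."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        target = "self" if ttype == stype else ttype
        out.append(f"allow {stype} {target}:{tclass} {plist};")
    return out


def sesearch_checks(rules):
    """One sesearch query per rule, to run against the installed policy.

    sesearch -p matches rules granting any of the listed permissions, so an
    empty result means the rule is still missing from that policy build.
    """
    return [
        f"sesearch -A -s {stype} -t {ttype} -c {tclass} -p {','.join(sorted(perms))}"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    rules, permissive = collapse(SAMPLE_AVCS)
    print("# permissive source domains:", ", ".join(sorted(permissive)))
    print("\n".join(allow_rules(rules)))
    print()
    print("\n".join(sesearch_checks(rules)))
```

On a real host, feed it `ausearch -i -m avc,user_avc -ts today` output instead of the constructed sample, then run the printed sesearch lines on the system carrying the candidate selinux-policy build; only the rules that still come back empty are worth raising, and even those should be scoped to the SAP paths and types involved rather than to usr_t as a whole.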