Bug 2167731
| Summary: | sos command running under wrong context | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Kyral <mkyral> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | VERIFIED --- | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.8 | CC: | lvrabec, mmalik, nknazeko |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-124.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
```
# rpm -qa sos\* | sort
sos-4.4-4.el8.noarch
sos-audit-4.4-4.el8.noarch
# rpm -qla sos\* | grep bin | xargs matchpathcon
/usr/sbin/sos-audit.sh  system_u:object_r:bin_t:s0
/usr/sbin/sos           system_u:object_r:bin_t:s0
/usr/sbin/sos-collector system_u:object_r:bin_t:s0
/usr/sbin/sosreport     system_u:object_r:sosreport_exec_t:s0
#
# ls -lZ /usr/sbin/sos*
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            611 Nov  3 16:59 /usr/sbin/sos
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0           2727 Oct 19  2018 /usr/sbin/sos-audit.sh
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0           1080 Nov  3 16:59 /usr/sbin/sos-collector
-rwxr-xr-x. 1 root root system_u:object_r:sosreport_exec_t:s0 1072 Nov  3 16:59 /usr/sbin/sosreport
# file /usr/sbin/sos*
/usr/sbin/sos:           Python script, ASCII text executable
/usr/sbin/sos-audit.sh:  Bourne-Again shell script, ASCII text executable
/usr/sbin/sos-collector: Python script, ASCII text executable
/usr/sbin/sosreport:     Python script, ASCII text executable
#
```

Based on the information stored in the attached SELinux denials, the sos command was running under the abrt_t context. The transition defined in SELinux policy did NOT happen:

```
# rpm -qa selinux\*
selinux-policy-targeted-3.14.3-115.el8.noarch
selinux-policy-3.14.3-115.el8.noarch
# sesearch -s abrt_t -t sosreport_exec_t -c file -p execute -A
allow abrt_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow abrt_t sosreport_exec_t:file { execute execute_no_trans getattr ioctl map open read };
# sesearch -s abrt_t -t sosreport_exec_t -c process -T
type_transition abrt_t sosreport_exec_t:process sosreport_t;
# sesearch -s abrt_t -t sosreport_t -c process -p transition -A
allow abrt_t sosreport_t:process transition;
#
```

because the /usr/sbin/sos file is labeled bin_t.
Martine, I cannot reproduce any problem with sos. Given the denials are for the abrt_t domain I suppose there was abrt running after some of the plugins failed - can you confirm it? Perhaps there was a coredump:

```
# coredumpctl
# abrt-cli list
```

If you need abrt to execute its handlers and be able to troubleshoot further, the following boolean needs to be turned on:

```
# setsebool -P abrt_handle_event on
```

Refer to abrt_handle_event_selinux(8) for more information.

Zdenku, I am not sure if I understand your question correctly. Anyways, abrt gets spawned upon a crash so there is a coredump. Because the issue is quite a serious one but has a simple fix on abrt side, we're going to revert the change in abrt (sosreport -> sos report) for 8.8.

I probably just misunderstood the request, going to assign the same label for sos.
Description of problem:

The sosreport binary, which has been deprecated by sos:

```
# sosreport
Please note the 'sosreport' command has been deprecated in favor of the new 'sos' command, E.G. 'sos report'.
Redirecting to 'sos report '
```

is running under sosreport_exec_t while the sos binary has just the bin_t context:

```
system_u:object_r:bin_t:s0            /usr/sbin/sos
system_u:object_r:sosreport_exec_t:s0 /usr/sbin/sosreport
system_u:object_r:bin_t:s0            /usr/sbin/sos-collector
```

That causes a ton of avc denials when the 'sos report' command is invoked instead of 'sosreport' as advised:

```
----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36119): item=0 name="/etc/audit/plugins.d/" inode=342578 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36119): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36119): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffab4a29b8 a2=90800 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36119): avc: denied { read } for pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36120): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36120): item=0 name="/etc/audit/auditd.conf" inode=202049031 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36120): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36120): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffac34cfd8 a2=80000 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36120): avc: denied { read } for pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
----
```

https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/02/75042/7504242/13345479/155853991/726493506/avc.log

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-115.el8

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
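Added example, not code from the bug report or from the selinux-policy or sos projects: a Python check that reads audit records of the kind pasted above, decodes the hex PROCTITLE into the command line of the denied process, and flags every AVC denial whose comm is sos or sosreport but whose source context is not the sosreport_t domain the type_transition should have produced. It also handles the quoted (non-hex) proctitle form auditd emits for plain titles. The audit lines embedded below are constructed in the report's format (the third event is invented to show a denial in the expected domain is not flagged), and EXPECTED_DOMAIN is an assumption taken from the report.

```python
import re

# Constructed sample in the format of the report's audit records, trimmed to the
# fields used below; auditd hex-encodes proctitle (argv joined by NUL bytes).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D6261746368
type=AVC msg=audit(1675696725.124:36119): avc: denied { read } for pid=361345 comm="sos" name="plugins.d" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1675696725.124:36120): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D6261746368
type=AVC msg=audit(1675696725.124:36120): avc: denied { read } for pid=361345 comm="sos" name="auditd.conf" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1675696790.001:36200): proctitle="sosreport"
type=AVC msg=audit(1675696790.001:36200): avc: denied { read } for pid=361500 comm="sosreport" name="messages" scontext=system_u:system_r:sosreport_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""
# Domain each command is expected to run in (assumed from the report's type_transition).
EXPECTED_DOMAIN = {"sos": "sosreport_t", "sosreport": "sosreport_t"}
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\}\s+for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<val>\S+)')

def domain_of(context):
    """user:role:type[:range] -> type, i.e. the SELinux domain of a process."""
    return context.split(":")[2]

def decode_proctitle(value):
    """A quoted value is a plain title; otherwise it is hex of argv joined by NUL."""
    if value.startswith('"'):
        return [value.strip('"')]
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")

def wrong_domain_denials(log):
    """AVC denials whose comm ran in a domain other than the expected one, joined
    with the decoded command line of the same audit event (matched by serial)."""
    argv_by_serial, hits = {}, []
    for line in log.splitlines():
        p = PROCTITLE_RE.search(line)
        if p:
            argv_by_serial[p["serial"]] = decode_proctitle(p["val"])
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        domain, expected = domain_of(m["scontext"]), EXPECTED_DOMAIN.get(m["comm"])
        if expected and domain != expected:  # the domain transition did not happen
            hits.append({"serial": int(m["serial"]), "comm": m["comm"], "domain": domain,
                         "expected": expected, "target": domain_of(m["tcontext"]),
                         "tclass": m["tclass"], "perms": m["perms"].split(),
                         "argv": argv_by_serial.get(m["serial"], [])})
    return hits

if __name__ == "__main__":
    for h in wrong_domain_denials(SAMPLE_AUDIT):
        print(h["serial"], h["comm"], "ran as", h["domain"], "expected", h["expected"], h["argv"])
```

Point it at the avc.log linked above (or `ausearch -m AVC -i` output with interpretation turned off) and every denial that resulted from the missing transition is listed together with the exact sos invocation that triggered it.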