Bug 965140

Summary: amandad runs as init_t when amanda.socket is active
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.0
CC: mgrepl, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 12:27:36 UTC
Bug Blocks: 1004161

Description Milos Malik 2013-05-20 13:46:36 UTC
Description of problem:


Version-Release number of selected component (if applicable):
amanda-3.3.3-1.el7.x86_64
amanda-client-3.3.3-1.el7.x86_64
amanda-server-3.3.3-1.el7.x86_64
selinux-policy-3.12.1-44.el7.noarch
selinux-policy-devel-3.12.1-44.el7.noarch
selinux-policy-doc-3.12.1-44.el7.noarch
selinux-policy-minimum-3.12.1-44.el7.noarch
selinux-policy-mls-3.12.1-44.el7.noarch
selinux-policy-targeted-3.12.1-44.el7.noarch

How reproducible:
always

Steps to Reproduce:
# systemctl enable amanda.socket
ln -s '/usr/lib/systemd/system/amanda.socket' '/etc/systemd/system/sockets.target.wants/amanda.socket'
# systemctl start amanda.socket
# systemctl status amanda.socket
amanda.socket - Amanda Activation Socket
       Loaded: loaded (/usr/lib/systemd/system/amanda.socket; enabled)
       Active: active (listening) since Mon 2013-05-20 15:40:02 CEST; 3s ago
       Listen: [::]:10080 (Stream)
     Accepted: 0; Connected: 0

May 20 15:40:02 rhel7 systemd[1]: Listening on Amanda Activation Socket.

# nc 127.0.0.1 10080 &
[1] 16109
# 

[1]+  Stopped                 nc 127.0.0.1 10080
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+ 16110     1  0 15:41 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16112 7103  0 15:41 pts/1 00:00:00 grep --color=auto amanda
# fg
nc 127.0.0.1 10080
^C
#

Actual results:
 * amandad runs as init_t

Expected results:
 * amandad runs as amanda_t (or another amanda* domain)
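
The check the reporter does by hand with `ps -efZ | grep amanda` can be scripted so a host can be audited for daemons running in the wrong domain. This is an added example, not part of the bug report or of selinux-policy; it assumes the column layout of the `ps -efZ` output quoted above (context first, executable path ninth) and uses a constructed sample rather than live process data.

```shell
#!/bin/sh
# Added example: report processes whose running SELinux type differs from
# the one the policy is expected to give them, by parsing ps -efZ lines.
# Assumption: column 1 is user:role:type[:range], column 9 is the executable.

# find_mislabeled CMD_BASENAME EXPECTED_TYPE  < ps-efZ-output
# Prints "PID:actual_type" for every process of CMD_BASENAME whose type is
# not EXPECTED_TYPE; prints nothing when every instance is confined as expected.
find_mislabeled() {
  awk -v cmd="$1" -v want="$2" '
    {
      split($1, ctx, ":"); type = ctx[3]          # third component is the type
      n = split($9, parts, "/"); base = parts[n]  # basename of the executable
      if (base == cmd && type != want) print $3 ":" type
    }'
}

# Constructed sample modelled on the ps -efZ output in the bug: one amandad
# left in init_t (the bug), one correctly transitioned to amanda_t, and the
# grep process itself, which must not be reported.
SAMPLE_PS='system_u:system_r:init_t:s0     amandab+ 16110     1  0 15:41 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16112 7103  0 15:41 pts/1 00:00:00 grep --color=auto amanda'

# check_sample: run the check over the constructed sample. On a live host:
#   ps -efZ | find_mislabeled amandad amanda_t
# and confirm the expected type with the policy's own transition rule:
#   sesearch -T -s init_t -t amanda_exec_t -c process
check_sample() {
  printf '%s\n' "$SAMPLE_PS" | find_mislabeled amandad amanda_t
}

check_sample   # prints: 16110:init_t
```

An empty result after the policy fix (amandad in amanda_t) is the passing condition; any `PID:init_t` line means the socket-activated daemon never left systemd's domain.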

Comment 1 Miroslav Grepl 2013-05-20 14:14:02 UTC
We need more fixes to add systemd support for amanda.

Comment 2 Miroslav Grepl 2013-05-20 15:04:28 UTC
Added.

commit a8eedc8fa948f3e6d58c688a99b34fe3bf57c516
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 20 17:04:04 2013 +0200

    Add systemd support for amandad

Comment 3 Milos Malik 2013-06-05 10:34:22 UTC
The following AVC appears on my machine when the prelink cronjob is running:
----
type=PATH msg=audit(06/05/2013 03:46:46.113:456973) : item=0 name=chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 03:46:46.113:456973) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2013 03:46:46.113:456973) : arch=x86_64 syscall=newfstatat success=no exit=-13(Permission denied) a0=4 a1=0x1ddad8b a2=0x7fff14bd9b60 a3=0x100 items=1 ppid=18628 pid=18637 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=3484 tty=(none) comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 03:46:46.113:456973) : avc:  denied  { getattr } for  pid=18637 comm=prelink path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----

Comment 4 Milos Malik 2013-06-05 14:26:00 UTC
amanda_exec_t is a "how dare you touch me" type :-) Even the following command executed by root triggers an AVC:

# matchpathcon /usr/lib64/amanda/chg-lib.sh
/usr/lib64/amanda/chg-lib.sh	system_u:object_r:amanda_exec_t:s0
#

----
type=PATH msg=audit(06/05/2013 16:20:57.504:1047) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 16:20:57.504:1047) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2013 16:20:57.504:1047) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7fb78009d870 a1=0x7fb788084d00 a2=0x7fb788084d00 a3=0x62696c2f7273752f items=1 ppid=1 pid=2564 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=setroubleshootd exe=/usr/bin/python2.7 subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 16:20:57.504:1047) : avc:  denied  { getattr } for  pid=2564 comm=setroubleshootd path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----

Comment 5 Milos Malik 2013-06-05 14:28:29 UTC
----
type=PATH msg=audit(06/05/2013 16:20:53.742:1043) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 16:20:53.742:1043) :  cwd=/root 
type=SYSCALL msg=audit(06/05/2013 16:20:53.742:1043) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7fff2440f315 a1=0x7fff2440d860 a2=0x7fff2440d860 a3=0x1 items=1 ppid=17219 pid=2557 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=7 tty=pts0 comm=matchpathcon exe=/usr/sbin/matchpathcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 16:20:53.742:1043) : avc:  denied  { getattr } for  pid=2557 comm=matchpathcon path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----

Comment 6 Miroslav Grepl 2013-06-10 11:59:28 UTC
# rpm -q selinux-policy

Comment 7 Milos Malik 2013-06-10 12:02:28 UTC
selinux-policy-devel-3.12.1-48.el7.noarch
selinux-policy-doc-3.12.1-48.el7.noarch
selinux-policy-minimum-3.12.1-48.el7.noarch
selinux-policy-3.12.1-48.el7.noarch
selinux-policy-targeted-3.12.1-48.el7.noarch
selinux-policy-mls-3.12.1-48.el7.noarch

Comment 8 Milos Malik 2013-06-11 07:57:21 UTC
selinux-policy-devel-3.12.1-49.el7.noarch
selinux-policy-doc-3.12.1-49.el7.noarch
selinux-policy-mls-3.12.1-49.el7.noarch
selinux-policy-minimum-3.12.1-49.el7.noarch
selinux-policy-3.12.1-49.el7.noarch
selinux-policy-targeted-3.12.1-49.el7.noarch

  PID USER     CONTEXT                         COMMAND
26480 amandab+ system_u:system_r:init_t:s0     /usr/sbin/amandad -auth=bsdtcp amdump

Comment 9 Miroslav Grepl 2013-06-11 11:49:49 UTC
Ok, there is a bug, definitely. Trying to find what is wrong with the policy.

Comment 10 Miroslav Grepl 2013-06-11 12:22:34 UTC
Fixed in selinux-policy-3.12.1-50.fc19

Comment 11 Milos Malik 2013-07-09 12:20:42 UTC
There are no AVCs but amandad runs with incorrect context:

  PID USER     CONTEXT                         COMMAND
15425 amandab+ system_u:system_r:init_t:s0     /usr/sbin/amandad -auth=bsdtcp amdump

# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-59.el7.noarch
selinux-policy-mls-3.12.1-59.el7.noarch
selinux-policy-3.12.1-59.el7.noarch
selinux-policy-doc-3.12.1-59.el7.noarch
selinux-policy-devel-3.12.1-59.el7.noarch
selinux-policy-targeted-3.12.1-59.el7.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
#

Comment 12 Miroslav Grepl 2013-07-10 08:53:02 UTC
I see

# ps -efZ |grep amanda
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump


Do you have the same reproducer as before?

Comment 14 Miroslav Grepl 2013-07-12 08:01:34 UTC
Could you try to run it by hand?

Comment 15 Milos Malik 2013-07-12 08:38:19 UTC
First terminal
========
# tail -f - | ncat 127.0.0.1 10080
tail: warning: following standard input indefinitely is ineffective

Second terminal
==========
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  9680     1  0 10:36 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9682 9629  0 10:37 pts/1 00:00:00 grep --color=auto amanda
#

Comment 16 Miroslav Grepl 2013-07-22 08:25:48 UTC
Milos,
do you have a machine with RHEL7 where I could try to test it? I am not able to reproduce it on my virtual machine.

Comment 17 Miroslav Grepl 2013-07-30 21:17:50 UTC
Petr,
do you see this problem?

Comment 18 Petr Hracek 2013-07-31 07:33:12 UTC
Currently not.
I see the problem for the first time.
For sure, I added a guy from the systemd team.

Comment 19 Petr Hracek 2013-08-01 12:58:44 UTC
Well, I installed the selinux and amanda packages on my RHEL-7 virtual machine, and the installed packages are:

amanda-client-3.3.3-4.el7.x86_64
amanda-3.3.3-4.el7.x86_64
amanda-server-3.3.3-4.el7.x86_64
selinux-policy-3.12.1-65.el7.noarch
selinux-policy-targeted-3.12.1-65.el7.noarch
libselinux-2.1.13-16.el7.x86_64
libselinux-python-2.1.13-16.el7.x86_64
libselinux-utils-2.1.13-16.el7.x86_64
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  2815     1  0 08:55 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2817 2752  0 08:56 pts/1 00:00:00 grep --color=auto amanda
# 

I can send you the IP address of my RHEL-7 VM over ping.

Comment 20 Miroslav Grepl 2013-08-01 13:06:32 UTC
Yes, it would be great.

Comment 21 Miroslav Grepl 2013-08-01 14:19:54 UTC
Does it work with

# chcon -t amanda_exec_t /usr/sbin/amandad

Comment 22 Miroslav Grepl 2013-08-01 14:21:36 UTC
Actually no.

# ls -Z /usr/sbin/amandad
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /usr/sbin/amandad -> /usr/lib64/amanda/amandad

# ls -Z /usr/lib64/amanda/amandad
-rwxr-xr-x. root root system_u:object_r:amanda_exec_t:s0 /usr/lib64/amanda/amandad

Comment 25 Ludek Smid 2014-06-13 12:27:36 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.