Bug 1018722 - selinux prevents systemd-tmpfiles from removing directory labeled slapd_cert_t
Summary: selinux prevents systemd-tmpfiles from removing directory labeled slapd_cert_t
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-14 09:37 UTC by Dalibor Pospíšil
Modified: 2016-01-04 12:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-21 16:07:14 UTC
Target Upstream Version:
Embargoed:

Description Dalibor Pospíšil 2013-10-14 09:37:04 UTC
Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-86.el7.noarch
RHEL-7.0-20131009.0

Actual results:
time->Thu Oct 10 17:06:17 2013
type=PATH msg=audit(1381439177.060:89): item=1 name="certs" inode=67697954 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:slapd_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1381439177.060:89): item=0 name="/" inode=1396847 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1381439177.060:89):  cwd="/"
type=SYSCALL msg=audit(1381439177.060:89): arch=80000015 syscall=292 success=no exit=-13 a0=8 a1=10000cb92f3 a2=200 a3=3f252380 items=2 ppid=1 pid=17453 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1381439177.060:89): avc:  denied  { rmdir } for  pid=17453 comm="systemd-tmpfile" name="certs" dev="dm-1" ino=67697954 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

Comment 2 Miroslav Grepl 2013-10-16 08:23:29 UTC
Where is "certs" directory located in your case?

Comment 3 Dalibor Pospíšil 2013-10-18 08:29:57 UTC
I am not sure; this AVC appeared only once.

Here is a log where it appeared https://beaker.engineering.redhat.com/recipes/1080540#task16297972 .

Peter,
are you able to answer the question above as you are the test author?

The other possibility is that it was caused by some earlier task in the job.

Comment 4 Milos Malik 2013-10-18 09:37:46 UTC
The AVC is reproducible on ppc64 with the RHEL-7.0-20131011.n.0 build:
----
time->Fri Oct 18 04:59:01 2013
type=PATH msg=audit(1382086741.181:61): item=1 name="certs" inode=137312409 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:slapd_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1382086741.181:61): item=0 name="/" inode=68400318 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1382086741.181:61):  cwd="/"
type=SYSCALL msg=audit(1382086741.181:61): arch=80000015 syscall=292 success=no exit=-13 a0=8 a1=10039a692f3 a2=200 a3=34d62380 items=2 ppid=1 pid=16476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1382086741.181:61): avc:  denied  { rmdir } for  pid=16476 comm="systemd-tmpfile" name="certs" dev="dm-1" ino=137312409 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
----

Unfortunately, it is a beaker/TC issue:

# find /var/tmp/ -inum 137312409
/var/tmp/beakerlib-16546152/backup/etc/openldap/certs
# ls -dZ /var/tmp/beakerlib-16546152/backup/etc/openldap/certs
drwxr-xr-x. root root system_u:object_r:slapd_cert_t:s0 /var/tmp/beakerlib-16546152/backup/etc/openldap/certs
# 

What I don't know is why systemd-tmpfiles was running at the same time and why it wanted to remove that directory. Was it on purpose or just a coincidence? If systemd-tmpfiles had been lucky (had there been an SELinux allow rule present), then the TC wouldn't have been able to restore /etc/openldap/certs from backup, because the backup would have been deleted by systemd-tmpfiles.
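The triage in comment 4 (read the AVC, take its inode, confirm the label of the object on disk) can be scripted. The following is an added example, not part of the report: it groups audit records by event serial, correlates the AVC with the SYSCALL and PATH records of the same event, and emits the `find -inum` lookup used above. The sample records are copied from the comment; `parse_events` and `explain_denial` are names chosen here.

```python
import re
from collections import defaultdict
# Audit records copied from comment 4 above (one event, serial 61).
SAMPLE = """\
type=PATH msg=audit(1382086741.181:61): item=1 name="certs" inode=137312409 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:slapd_cert_t:s0 objtype=DELETE
type=PATH msg=audit(1382086741.181:61): item=0 name="/" inode=68400318 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1382086741.181:61):  cwd="/"
type=SYSCALL msg=audit(1382086741.181:61): arch=80000015 syscall=292 success=no exit=-13 a0=8 a1=10039a692f3 a2=200 a3=34d62380 items=2 ppid=1 pid=16476 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-tmpfile" exe="/usr/bin/systemd-tmpfiles" subj=system_u:system_r:systemd_tmpfiles_t:s0 key=(null)
type=AVC msg=audit(1382086741.181:61): avc:  denied  { rmdir } for  pid=16476 comm="systemd-tmpfile" name="certs" dev="dm-1" ino=137312409 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(\w+)\s+\{([^}]*)\}')

def parse_events(text):
    """Group audit records by event serial: {serial: [(record_type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if rtype == 'AVC':  # verdict and permission set are not key=value pairs
            verdict = AVC_RE.search(rest)
            fields['result'], fields['perms'] = verdict.group(1), verdict.group(2).split()
        events[int(serial)].append((rtype, fields))
    return events

def explain_denial(events, serial):
    """Correlate the AVC of one event with its SYSCALL and PATH records; types are
    the third field of a context (user:role:type:level) and find_cmd is the inode
    lookup used in comment 4 to locate the object on disk."""
    recs = {rtype: f for rtype, f in events[serial] if rtype != 'PATH'}
    paths = [f for rtype, f in events[serial] if rtype == 'PATH']
    avc, sc = recs['AVC'], recs.get('SYSCALL', {})
    deleted = next((p['name'] for p in paths if p.get('objtype') == 'DELETE'), None)
    return {
        'result': avc['result'],
        'perms': avc['perms'],
        'source_type': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'tclass': avc['tclass'],
        'exe': sc.get('exe'),
        'inode': int(avc['ino']),
        'deleted_name': deleted,
        'find_cmd': f"find / -xdev -inum {avc['ino']}",
    }
```

Running the returned `find_cmd` on the affected host is what turned up the beakerlib backup copy under /var/tmp; `ls -dZ` on that path then confirms the slapd_cert_t label that the tmpfiles domain is not allowed to remove.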

Comment 5 Milos Malik 2013-10-18 09:42:55 UTC
systemd-tmpfiles seems to be too intrusive. Here is an idea for a workaround: disable systemd-tmpfiles for the period when our TCs are running.

Comment 6 Miroslav Grepl 2013-10-21 16:07:14 UTC
Ok, this is because of

/var/tmp/beakerlib-16546152/backup

location. I believe it should be fixed in tests.

