Red Hat Bugzilla – Bug 1020301
selinux prevents /usr/libexec/pegasus/cimprovagt from search,read,create operations
Last modified: 2015-03-02 00:28:19 EST
Description of problem:
selinux prevents /usr/libexec/pegasus/cimprovagt from search,read,create operations

Problem happens when I am trying to join an IPA or AD domain with realmd called via openlmi.

join to ipa domain:

time->Thu Oct 17 04:14:50 2013
type=SOCKADDR msg=audit(1381997690.478:277): saddr=01002F7661722F6C69622F7373732F70697065732F6E737300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1381997690.478:277): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff17fb0220 a2=6e a3=7fff17fafef0 items=0 ppid=15709 pid=15710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.478:277): avc: denied { search } for pid=15710 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
----
time->Thu Oct 17 04:14:50 2013
type=SYSCALL msg=audit(1381997690.516:278): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=2 a2=0 a3=305 items=0 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.516:278): avc: denied { create } for pid=15712 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 04:14:50 2013
type=PATH msg=audit(1381997690.517:279): item=0 name="/proc/net/unix" inode=4026532002 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1381997690.517:279): cwd="/var/lib/Pegasus/cache/trace"
type=SYSCALL msg=audit(1381997690.517:279): arch=c000003e syscall=21 success=no exit=-13 a0=7fa8fdb51660 a1=4 a2=7fa8fdb5166e a3=305 items=1 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.517:279): avc: denied { read } for pid=15712 comm="cimprovagt" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Oct 17 04:14:50 2013
type=SYSCALL msg=audit(1381997690.517:280): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=0 items=0 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.517:280): avc: denied { create } for pid=15712 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket

join to AD domain:

time->Thu Oct 17 04:13:22 2013
type=SOCKADDR msg=audit(1381997602.197:124): saddr=01002F7661722F6C69622F7373732F70697065732F6E737300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1381997602.197:124): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffcdd6ef70 a2=6e a3=7fffcdd6ec40 items=0 ppid=12062 pid=12063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997602.197:124): avc: denied { search } for pid=12063 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

Fail: AVC messages found.

Running '/usr/sbin/sestatus'
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-77.2.el7.noarch

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-77.2.el7
realmd-0.14.6-1.el7
openlmi-providers-0.2.0-0.el7

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
David, any chance to switch to permissive to collect all AVC msgs? Thank you.
Hi Mirek,

It is possible. Here are AVC messages in permissive:

time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:177): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=0 a3=305 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:177): avc: denied { create } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:178): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=10 a3=7f2a854366a0 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:178): avc: denied { setopt } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:179): arch=c000003e syscall=44 success=yes exit=17 a0=4 a1=7f2a854366b0 a2=11 a3=0 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:179): avc: denied { nlmsg_read } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SOCKADDR msg=audit(1382043643.110:180): saddr=100000000000000000000000
type=SYSCALL msg=audit(1382043643.110:180): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f2a85436d00 a2=c a3=7f2a78000078 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.110:180): avc: denied { bind } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SOCKADDR msg=audit(1382043643.110:181): saddr=10000000DB2A000000000000
type=SYSCALL msg=audit(1382043643.110:181): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=7f2a85436d00 a2=7f2a85436cfc a3=7f2a78000078 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.110:181): avc: denied { getattr } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
Added fixes.
There are still two AVC denials appearing to me with the new policy:

type=AVC msg=audit(1382697256.286:17077): avc: denied { search } for pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1382697459.268:17219): avc: denied { write } for pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file

----
time->Fri Oct 25 06:34:16 2013
type=SOCKADDR msg=audit(1382697256.286:17077): saddr=01002F7661722F6C69622F7373732F70697065732F6E737300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1382697256.286:17077): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff42aaac80 a2=6e a3=7fff42aaa950 items=0 ppid=26336 pid=26337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382697256.286:17077): avc: denied { search } for pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
----
time->Fri Oct 25 06:37:39 2013
type=PATH msg=audit(1382697459.268:17219): item=0 name=(null) inode=203163762 dev=fd:01 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 objtype=NORMAL
type=SOCKADDR msg=audit(1382697459.268:17219): saddr=01002F7661722F6C69622F7373732F70697065732F6E737300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1382697459.268:17219): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7fffc264e280 a2=6e a3=7fffc264df50 items=1 ppid=30161 pid=30162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382697459.268:17219): avc: denied { write } for pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
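To triage records like the permissive-mode capture and the two remaining denials above, here is an added example (my own code, not from this bug, selinux-policy or audit2allow) that groups AVC lines into the allow rules they imply, the way audit2allow summarises them, and decodes the hex saddr of the SOCKADDR records so the blob reads as the sssd NSS pipe path or the netlink address. The sample lines are constructed copies of records from this report, with the AF_UNIX saddr padding shortened.

```python
import re
from collections import defaultdict

# Constructed sample copied in shape from this bug's audit records (AF_UNIX saddr padding shortened).
SAMPLE = """
type=SOCKADDR msg=audit(1381997690.478:277): saddr=01002F7661722F6C69622F7373732F70697065732F6E737300
type=AVC msg=audit(1381997690.478:277): avc: denied { search } for pid=15710 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1382697459.268:17219): avc: denied { write } for pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1382043643.109:177): avc: denied { create } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
type=SOCKADDR msg=audit(1382043643.110:180): saddr=100000000000000000000000
type=AVC msg=audit(1382043643.110:180): avc: denied { bind } for pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
"""

AVC_RE = re.compile(r'avc: +denied +\{ ([^}]+)\} .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
SOCKADDR_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\): saddr=([0-9A-Fa-f]+)')

def decode_saddr(hexstr):
    """Decode the hex saddr of a SOCKADDR record (family is a little-endian u16)."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[:2], 'little')
    if family == 1:   # AF_UNIX: sun_path, NUL-terminated
        return 'AF_UNIX ' + raw[2:].split(b'\x00', 1)[0].decode()
    if family == 16:  # AF_NETLINK: pad(2) nl_pid(4) nl_groups(4)
        pid = int.from_bytes(raw[4:8], 'little')
        groups = int.from_bytes(raw[8:12], 'little')
        return f'AF_NETLINK pid={pid} groups={groups:#x}'
    return f'family={family}'

def summarize(log):
    """Group denied permissions by (source type, target type, class); decode addresses by event id."""
    needed = defaultdict(set)
    addrs = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms, src, tgt, cls = m.groups()
            src_t, tgt_t = src.split(':')[2], tgt.split(':')[2]
            # audit2allow writes a type's own context as "self"
            key = (src_t, 'self' if src == tgt else tgt_t, cls)
            needed[key].update(perms.split())
            continue
        m = SOCKADDR_RE.search(line)
        if m:
            addrs[m.group(1)] = decode_saddr(m.group(2))
    return dict(needed), addrs

def allow_rules(needed):
    # Render as the allow rules a local policy module (audit2allow -M) would contain.
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(needed.items())]
```

Pairing each AVC with its SOCKADDR by event id is what shows that the "sss" dir search and "nss" sock_file write are one connect() to /var/lib/sss/pipes/nss, which is why the fix is a stream-connect to sssd_t rather than two unrelated rules.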
Shouldn't the cases above have been fixed too?
Need to fix them.
commit b31c17d5bf9fde2975d39b6d82ffafc0851c2a37
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Oct 29 13:20:23 2013 +0100

    Allow pegasus_openlmi_services_t to stream connect to sssd_t
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-98.el7.noarch
selinux-policy-mls-3.12.1-98.el7.noarch
selinux-policy-devel-3.12.1-98.el7.noarch
selinux-policy-3.12.1-98.el7.noarch
selinux-policy-doc-3.12.1-98.el7.noarch
selinux-policy-targeted-3.12.1-98.el7.noarch

# sesearch -t proc_net_t -c file -A -C | grep pegasus
allow pegasus_t proc_net_t : file { ioctl read getattr lock open } ;
allow pegasus_openlmi_system_t proc_net_t : file { ioctl read getattr lock open } ;

# An allow rule for pegasus_openlmi_services_t is missing.
commit cd0c4b8eed6b94b376ccc4cb2ace7441b7300604
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Nov 11 13:54:34 2013 +0100

    Allow cimprovagt service providers to read network states
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.