Bug 1020301 - selinux prevents /usr/libexec/pegasus/cimprovagt from search,read,create operations
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 922084
Reported: 2013-10-17 08:13 EDT by David Spurek
Modified: 2015-03-02 00:28 EST (History)
Fixed In Version: selinux-policy-3.12.1-100.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 06:38:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---


Attachments: None
Description David Spurek 2013-10-17 08:13:06 EDT
Description of problem:
selinux prevents /usr/libexec/pegasus/cimprovagt from search,read,create operations 

The problem happens when I try to join an IPA or AD domain with realmd called via openlmi.

Join to IPA domain:
time->Thu Oct 17 04:14:50 2013
type=SOCKADDR msg=audit(1381997690.478:277): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1381997690.478:277): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff17fb0220 a2=6e a3=7fff17fafef0 items=0 ppid=15709 pid=15710 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.478:277): avc:  denied  { search } for  pid=15710 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
----
time->Thu Oct 17 04:14:50 2013
type=SYSCALL msg=audit(1381997690.516:278): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=2 a2=0 a3=305 items=0 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.516:278): avc:  denied  { create } for  pid=15712 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 04:14:50 2013
type=PATH msg=audit(1381997690.517:279): item=0 name="/proc/net/unix" inode=4026532002 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0 objtype=NORMAL
type=CWD msg=audit(1381997690.517:279):  cwd="/var/lib/Pegasus/cache/trace"
type=SYSCALL msg=audit(1381997690.517:279): arch=c000003e syscall=21 success=no exit=-13 a0=7fa8fdb51660 a1=4 a2=7fa8fdb5166e a3=305 items=1 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.517:279): avc:  denied  { read } for  pid=15712 comm="cimprovagt" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Oct 17 04:14:50 2013
type=SYSCALL msg=audit(1381997690.517:280): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=0 items=0 ppid=1 pid=15712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997690.517:280): avc:  denied  { create } for  pid=15712 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket

Join to AD domain:
time->Thu Oct 17 04:13:22 2013
type=SOCKADDR msg=audit(1381997602.197:124): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1381997602.197:124): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fffcdd6ef70 a2=6e a3=7fffcdd6ec40 items=0 ppid=12062 pid=12063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1381997602.197:124): avc:  denied  { search } for  pid=12063 comm="cimprovagt" name="sss" dev="dm-1" ino=201819913 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
Fail: AVC messages found.

Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-77.2.el7.noarch

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-77.2.el7
realmd-0.14.6-1.el7
openlmi-providers-0.2.0-0.el7

Comment 2 Miroslav Grepl 2013-10-17 09:44:27 EDT
David,
any chance to switch to permissive to collect all AVC msgs? Thank you.
Comment 3 David Spurek 2013-10-17 17:05:04 EDT
Hi Mirek, it is possible. Here are the AVC messages in permissive mode:

time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:177): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=0 a3=305 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:177): avc:  denied  { create } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:178): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=10 a3=7f2a854366a0 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:178): avc:  denied  { setopt } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SYSCALL msg=audit(1382043643.109:179): arch=c000003e syscall=44 success=yes exit=17 a0=4 a1=7f2a854366b0 a2=11 a3=0 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.109:179): avc:  denied  { nlmsg_read } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SOCKADDR msg=audit(1382043643.110:180): saddr=100000000000000000000000
type=SYSCALL msg=audit(1382043643.110:180): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=7f2a85436d00 a2=c a3=7f2a78000078 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.110:180): avc:  denied  { bind } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
----
time->Thu Oct 17 17:00:43 2013
type=SOCKADDR msg=audit(1382043643.110:181): saddr=10000000DB2A000000000000
type=SYSCALL msg=audit(1382043643.110:181): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=7f2a85436d00 a2=7f2a85436cfc a3=7f2a78000078 items=0 ppid=1 pid=10972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382043643.110:181): avc:  denied  { getattr } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
Comment 5 Miroslav Grepl 2013-10-22 07:40:14 EDT
Added fixes.
Comment 6 Patrik Kis 2013-10-25 06:44:21 EDT
There are still two AVC denials appearing for me with the new policy:

type=AVC msg=audit(1382697256.286:17077): avc:  denied  { search } for  pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir

type=AVC msg=audit(1382697459.268:17219): avc:  denied  { write } for  pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
Comment 7 Patrik Kis 2013-10-25 07:31:11 EDT
----
time->Fri Oct 25 06:34:16 2013
type=SOCKADDR msg=audit(1382697256.286:17077): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1382697256.286:17077): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7fff42aaac80 a2=6e a3=7fff42aaa950 items=0 ppid=26336 pid=26337 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382697256.286:17077): avc:  denied  { search } for  pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
----
time->Fri Oct 25 06:37:39 2013
type=PATH msg=audit(1382697459.268:17219): item=0 name=(null) inode=203163762 dev=fd:01 mode=0140666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 objtype=NORMAL
type=SOCKADDR msg=audit(1382697459.268:17219): saddr=01002F7661722F6C69622F7373732F70697065732F6E73730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
type=SYSCALL msg=audit(1382697459.268:17219): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7fffc264e280 a2=6e a3=7fffc264df50 items=1 ppid=30161 pid=30162 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cimprovagt" exe="/usr/libexec/pegasus/cimprovagt" subj=system_u:system_r:pegasus_openlmi_services_t:s0 key=(null)
type=AVC msg=audit(1382697459.268:17219): avc:  denied  { write } for  pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
Comment 8 Patrik Kis 2013-10-29 07:04:44 EDT
Shouldn't the cases above have been fixed too?
Comment 9 Miroslav Grepl 2013-10-29 08:07:17 EDT
Need to fix them.
Comment 10 Miroslav Grepl 2013-10-29 08:20:22 EDT
commit b31c17d5bf9fde2975d39b6d82ffafc0851c2a37
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Oct 29 13:20:23 2013 +0100

    Allow pegasus_openlmi_services_t to stream connect to sssd_t
Comment 11 Milos Malik 2013-11-08 08:59:16 EST
# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-98.el7.noarch
selinux-policy-mls-3.12.1-98.el7.noarch
selinux-policy-devel-3.12.1-98.el7.noarch
selinux-policy-3.12.1-98.el7.noarch
selinux-policy-doc-3.12.1-98.el7.noarch
selinux-policy-targeted-3.12.1-98.el7.noarch
# sesearch -t proc_net_t -c file -A -C | grep pegasus
   allow pegasus_t proc_net_t : file { ioctl read getattr lock open } ; 
   allow pegasus_openlmi_system_t proc_net_t : file { ioctl read getattr lock open } ; 
#

An allow rule for pegasus_openlmi_services_t is missing.
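As an added illustration (not code from this bug or from the selinux-policy package), the following Python does by machine what comments 3, 7 and 11 do by hand: it parses the AVC records into (source type, target type, class, permissions) tuples, merges them into candidate allow rules in .te syntax, decodes the SOCKADDR saddr so the Unix socket path behind the denied connect is visible, and checks the candidates against a `sesearch -A` listing to report which permission the loaded policy still lacks. The audit lines and the sesearch listing are constructed copies of the ones quoted in this bug (the sockaddr zero padding is shortened); the function names are my own.

```python
"""Triage SELinux AVC denials from audit records (added example, not the bug's own code)."""
import re
from collections import defaultdict

# "type=AVC ... avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SADDR_RE = re.compile(r'type=SOCKADDR .*?saddr=([0-9A-Fa-f]+)')
# sesearch -A output: "allow src tgt : class { p1 p2 } ;" or "allow src tgt : class p ;"
SESEARCH_RE = re.compile(r'allow (\S+) (\S+) : (\S+) (?:\{ ([^}]*) \}|(\S+)) ;')

# Constructed sample: the denials quoted in this bug, one record per line.
SAMPLE_AUDIT = """\
type=SOCKADDR msg=audit(1382697256.286:17077): saddr=01002F7661722F6C69622F7373732F70697065732F6E7373000000000000
type=AVC msg=audit(1382697256.286:17077): avc:  denied  { search } for  pid=26337 comm="cimprovagt" name="sss" dev="dm-1" ino=121627 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1382697459.268:17219): avc:  denied  { write } for  pid=30162 comm="cimprovagt" name="nss" dev="dm-1" ino=203163762 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1381997690.517:279): avc:  denied  { read } for  pid=15712 comm="cimprovagt" name="unix" dev="proc" ino=4026532002 scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1382043643.109:177): avc:  denied  { create } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1382043643.109:178): avc:  denied  { setopt } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1382043643.110:180): avc:  denied  { bind } for  pid=10972 comm="cimprovagt" scontext=system_u:system_r:pegasus_openlmi_services_t:s0 tcontext=system_u:system_r:pegasus_openlmi_services_t:s0 tclass=netlink_route_socket
"""

# Constructed sample: the sesearch listing from comment 11 (query: -t proc_net_t -c file).
SAMPLE_SESEARCH = """\
   allow pegasus_t proc_net_t : file { ioctl read getattr lock open } ;
   allow pegasus_openlmi_system_t proc_net_t : file { ioctl read getattr lock open } ;
"""


def type_of(context):
    """system_u:object_r:sssd_var_lib_t:s0 -> sssd_var_lib_t (the type field of a context)."""
    return context.split(':')[2]


def parse_avc(line):
    """Return the parts of one AVC denial that a policy rule needs, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'source': type_of(fields['scontext']),
        'target': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def decode_saddr(hex_addr):
    """Decode a SOCKADDR record's hex sockaddr; handles AF_UNIX and AF_NETLINK."""
    raw = bytes.fromhex(hex_addr)
    family = int.from_bytes(raw[0:2], 'little')
    if family == 1:   # AF_UNIX: sa_family followed by a NUL-terminated sun_path
        return ('AF_UNIX', raw[2:].split(b'\x00', 1)[0].decode())
    if family == 16:  # AF_NETLINK: sa_family, 2-byte pad, nl_pid (u32), nl_groups (u32)
        return ('AF_NETLINK', (int.from_bytes(raw[4:8], 'little'),
                               int.from_bytes(raw[8:12], 'little')))
    return ('AF_%d' % family, raw[2:].hex())


def socket_targets(lines):
    """Decoded address of every SOCKADDR record, e.g. the socket path behind a denied connect."""
    return [decode_saddr(m.group(1)) for m in map(SADDR_RE.search, lines) if m]


def collect_rules(lines):
    """Merge denials into {(source, target, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(rules)


def render_te(rules):
    """Candidate allow rules in policy (.te) syntax, sorted so the output diffs cleanly."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


def parse_sesearch(output):
    allowed = defaultdict(set)
    for m in SESEARCH_RE.finditer(output):
        src, tgt, cls, many, one = m.groups()
        allowed[(src, tgt, cls)] |= set(many.split() if many else [one])
    return allowed


def missing_rules(rules, sesearch_output, target, tclass):
    """Denied permissions on target:tclass that the sesearch listing for that pair does not allow."""
    allowed = parse_sesearch(sesearch_output)
    gaps = {}
    for (s, t, c), perms in rules.items():
        if (t, c) != (target, tclass):
            continue  # sesearch was queried for one target/class only; stay inside its scope
        gap = perms - allowed.get((s, t, c), set())
        if gap:
            gaps[(s, t, c)] = gap
    return gaps


if __name__ == '__main__':
    lines = SAMPLE_AUDIT.splitlines()
    rules = collect_rules(lines)
    print('\n'.join(render_te(rules)))
    print(socket_targets(lines))
    print(missing_rules(rules, SAMPLE_SESEARCH, 'proc_net_t', 'file'))
```

Treat the rendered rules as triage output, comparable to what audit2allow would propose from the same records. The decoded sockaddr shows that the `search` on `sssd_var_lib_t` and the `write` to the `nss` sock_file are two halves of one connect to `/var/lib/sss/pipes/nss`, i.e. a stream connect to sssd, which is what the commit in comment 10 grants; the `missing_rules` check reproduces comment 11's finding that `pegasus_openlmi_services_t` still lacked `read` on `proc_net_t:file`.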
Comment 12 Miroslav Grepl 2013-11-11 07:55:02 EST
commit cd0c4b8eed6b94b376ccc4cb2ace7441b7300604
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Nov 11 13:54:34 2013 +0100

    Allow cimprovagt service providers to read network states
Comment 14 Ludek Smid 2014-06-13 06:38:14 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
