Bug 1021984 - create a MLS policy for lldpad
create a MLS policy for lldpad
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On: 891779
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-22 08:47 EDT by Milos Malik
Modified: 2014-10-14 03:57 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-252.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 891779
Environment:
Last Closed: 2014-10-14 03:57:22 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2013-10-22 08:47:47 EDT
Description of problem:
When running MLS policy, SELinux generates AVC for lldpad as per previous bug: 723958.

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-154.el6

How reproducible:

Create minimal install of EL 6.3, and apply MLS policy as per slightly modified process from: http://fedoraproject.org/wiki/SELinux/FedoraMLSHowto

Steps to Reproduce:
1. yum update
2. reboot
3. yum install selinux-policy-mls
4. change /etc/sysconfig/selinux values to SELINUX=permissive and SELINUXTYPE=mls
5. touch /.autorelabel
6. reboot
7. give grub kernel argument '1' to boot into single user mode
8. change /etc/sysconfig/selinux value for SELINUX back to 'enforcing'
9. reboot

Actual results:
audit2allow generates the following policy for lldpad from the audit log:

allow initrc_t self:netlink_route_socket nlmsg_write;
allow initrc_t self:packet_socket { bind create ioctl setopt };
allow initrc_t self:shm { write unix_read unix_write associate read create };
Comment 1 Lukas Vrabec 2014-07-04 06:02:22 EDT
Patch sent.
Comment 4 Lukas Vrabec 2014-08-12 08:25:44 EDT
fixed patch sent.
Comment 7 Lukas Vrabec 2014-08-25 09:27:08 EDT
# rpm -q selinux-policy
selinux-policy-3.7.19-251.el6.noarch

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Package       : unknown
:: [   LOG    ] :: beakerlib RPM : beakerlib-1.9-3.el6 
:: [   LOG    ] :: bl-redhat RPM : beakerlib-redhat-1-12.el6eso 
:: [   LOG    ] :: Test started  : 2014-08-25 15:18:35 CEST
:: [   LOG    ] :: Test finished : 2014-08-25 15:19:26 CEST
:: [   LOG    ] :: Test name     : unknown
:: [   LOG    ] :: Distro:       : Red Hat Enterprise Linux Workstation release 6.6 Beta (Santiago)
:: [   LOG    ] :: Hostname      : localhost.localdomain
:: [   LOG    ] :: Architecture  : x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

PURPOSE of /CoreOS/selinux-policy/Regression/bz723958-lldpad-and-similar

Description: SELinux interferes with lldpad and related tools

Author: Milos Malik <mmalik@redhat.com>



::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Setup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   INFO   ] :: rlImport: Found 'selinux-policy/common' in /mnt/tests
:: [   INFO   ] :: rlImport: Will try to import selinux-policy/common from /mnt/tests/CoreOS/selinux-policy/Library/common/lib.sh
:: [   PASS   ] :: Command 'rlImport 'selinux-policy/common'' (Expected 0, got 0)
:: [   PASS   ] :: Checking for the presence of selinux-policy rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-mls rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-mls-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of selinux-policy-targeted rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   selinux-policy-targeted-3.7.19-251.el6.noarch
:: [   PASS   ] :: Checking for the presence of lldpad rpm 
:: [   LOG    ] :: Package versions:
:: [   LOG    ] ::   lldpad-0.9.46-2.el6.x86_64
:: [   PASS   ] :: Command 'setenforce 1' (Expected 0, got 0)
:: [   PASS   ] :: Command 'sestatus' (Expected 0, got 0)
:: [   LOG    ] :: Setting timestamp 'TIMESTAMP' [08/25/2014 15:18:37]
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: Setup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#723958
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /etc/rc.d/init.d/lldpad should contain lldpad_initrc_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/dcbtool should contain bin_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldptool should contain bin_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /var/lib/lldpad should contain lldpad_var_lib_t (Assert: expected 0, got 0)
:: [   PASS   ] :: sesearch --type -C -s initrc_t -t lldpad_exec_t -c process -p lldpad_t  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t unconfined_t : unix_dgram_socket { sendto }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t unconfined_t -c unix_dgram_socket -p sendto  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 7 good, 0 bad
:: [   PASS   ] :: RESULT: bz#723958

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#727290
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_module }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_module  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#727290

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#891779
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : netlink_route_socket { nlmsg_write }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c netlink_route_socket -p nlmsg_write  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : packet_socket { bind create ioctl setopt }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p bind  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p create  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p ioctl  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c packet_socket -p setopt  (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : shm { create destroy read write associate unix_read unix_write }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p create  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p destroy  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p read  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p write  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p associate  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p unix_read  (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c shm -p unix_write  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 5s
:: [   LOG    ] :: Assertions: 13 good, 0 bad
:: [   PASS   ] :: RESULT: bz#891779

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#986870
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_resource }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_resource  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#986870

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#995434
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t fcoemon_t : unix_dgram_socket { sendto }'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t fcoemon_t -c unix_dgram_socket -p sendto  (Expected 0, got 0)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: bz#995434

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz#1021984
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Result of matchpathcon /usr/sbin/lldpad should contain lldpad_exec_t (Assert: expected 0, got 0)
:: [   PASS   ] :: Result of matchpathcon /etc/localtime should contain locale_t (Assert: expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t lldpad_t : capability { sys_resource } mls'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t lldpad_t -c capability -p sys_resource /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   LOG    ] :: Checking rule 'allow lldpad_t locale_t : file { getattr open read } mls'
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p getattr /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p open /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   PASS   ] :: sesearch --allow -C -s lldpad_t -t locale_t -c file -p read /etc/selinux/mls/policy/policy.24 (Expected 0, got 0)
:: [   LOG    ] :: Duration: 4s
:: [   LOG    ] :: Assertions: 6 good, 0 bad
:: [   PASS   ] :: RESULT: bz#1021984

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: real scenario
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo redhat | passwd --stdin root' (Expected 0, got 0)
:: [   PASS   ] :: Command 'semodule -l | grep lldpad' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad start' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ps -efZ | egrep -v " egrep " | egrep "lldpad_t.*lldpad"' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 0)
:: [   PASS   ] :: Command 'service lldpad restart' (Expected 0, got 0)
:: [   PASS   ] :: Command 'ps -efZ | egrep -v " egrep " | egrep "lldpad_t.*lldpad"' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 0)
:: [   PASS   ] :: Command 'lldptool -t -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'lldptool -l -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'lldptool -S -i eth0' (Expected 0,1, got 1)
:: [   PASS   ] :: Command 'dcbtool gc dcbx' (Expected 0, got 0)
:: [   PASS   ] :: Command 'dcbtool go dcbx' (Expected 0, got 0)
:: [   PASS   ] :: Command 'dcbtool gc eth0 dcb' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gc eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 dcb' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool go eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 dcb' (Expected 0-255, got 255)
:: [   PASS   ] :: Command 'dcbtool gp eth0 pg' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 pfc' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 app:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 app:1' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'dcbtool gp eth0 ll:0' (Expected 0-255, got 2)
:: [   PASS   ] :: Command 'service lldpad stop' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service lldpad status' (Expected 0,1,3, got 3)
:: [   LOG    ] :: Duration: 19s
:: [   LOG    ] :: Assertions: 33 good, 0 bad
:: [   PASS   ] :: RESULT: real scenario

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Cleanup
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Search for AVCs and SELINUX_ERRs since timestamp 'TIMESTAMP' [08/25/2014 15:18:37]
:: [   PASS   ] :: Command 'LC_TIME='en_US.UTF-8' ausearch -m AVC -m SELINUX_ERR -ts 08/25/2014 15:18:37 2>&1 | grep -v '<no matches>'' (Expected 1, got 1)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: Cleanup

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: unknown
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Phases: 9 good, 0 bad
:: [   PASS   ] :: RESULT: unknown
:: [ 15:19:26 ] :: JOURNAL XML: /var/tmp/beakerlib-NhvRIfU/journal.xml
:: [ 15:19:27 ] :: JOURNAL TXT: /var/tmp/beakerlib-NhvRIfU/journal.txt

rhel6:/var/log/audit
# service lldpad status
lldpad (pid  27985) is running...
rhel6:/var/log/audit
# lldptool -p
27985

I'm without any AVC. Could you re-test it, or I have bad reproducer?
Comment 8 Miroslav Grepl 2014-08-25 09:47:47 EDT
Milos,
then you need to have

lldpad_admin()
Comment 9 Milos Malik 2014-08-25 10:38:01 EDT
(In reply to Lukas Vrabec from comment #7)

> I'm without any AVC. Could you re-test it, or I have bad reproducer?

You need to run the automated TC (to be precise - the real scenario phase) on a machine where the MLS policy is active. The TC is unable to switch the machine from targeted to MLS.
Comment 10 Milos Malik 2014-08-25 10:57:34 EDT
Following AVCs appear when "lldptool -p" is executed in permissive mode:
----
type=SOCKADDR msg=audit(08/25/2014 16:54:28.606:88) : saddr=local /com/intel/lldpad 
type=SYSCALL msg=audit(08/25/2014 16:54:28.606:88) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x9c7352 a2=0x14 a3=0x7fff949f9210 items=0 ppid=2600 pid=2665 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=lldptool exe=/usr/sbin/lldptool subj=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/25/2014 16:54:28.606:88) : avc:  denied  { sendto } for  pid=2665 comm=lldptool path=/com/intel/lldpad scontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tclass=unix_dgram_socket 
----
type=SOCKADDR msg=audit(08/25/2014 16:54:28.607:89) : saddr=local /com/intel/lldpad/2665 
type=SYSCALL msg=audit(08/25/2014 16:54:28.607:89) : arch=x86_64 syscall=sendto success=yes exit=12 a0=0x4 a1=0x21ffb60 a2=0xc a3=0x0 items=0 ppid=1 pid=1375 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/25/2014 16:54:28.607:89) : avc:  denied  { sendto } for  pid=1375 comm=lldpad path=/com/intel/lldpad/2665 scontext=system_u:system_r:lldpad_t:s0-s15:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s15:c0.c1023 tclass=unix_dgram_socket 
----

Following rules seem to be needed:
allow lldpad_t sysadm_t:unix_dgram_socket sendto;
allow sysadm_t lldpad_t:unix_dgram_socket sendto;
Comment 11 Lukas Vrabec 2014-08-26 10:01:52 EDT
commit a37f930d9fa6293c2a724e09c79207cda0854ae5
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Aug 26 15:52:39 2014 +0200

    Allow sysadm to talk with lldpad over unix dgram socket.
Comment 14 errata-xmlrpc 2014-10-14 03:57:22 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

Note You need to log in before you can comment on or make changes to this bug.