Bug 1035683 - SELinux prevents yum running as sosreport_t to unlink pid file
Summary: SELinux prevents yum running as sosreport_t to unlink pid file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1033559 1037732
Depends On:
Blocks: 782468
Reported: 2013-11-28 09:56 UTC by Michal Trunecka
Modified: 2015-11-02 13:54 UTC (History)

Fixed In Version: selinux-policy-3.12.1-106.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:53:57 UTC
Target Upstream Version:



Description Michal Trunecka 2013-11-28 09:56:07 UTC
Description of problem:

If you believe that python2.7 should be allowed unlink access on the yum.pid file by default, then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep yum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:sosreport_t:s0-s0:c0.c1023
Target Context                system_u:object_r:rpm_var_run_t:s0
Target Objects                yum.pid [ file ]
Source                        yum
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-10.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-103.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rhel7
Platform                      Linux rhel7 3.10.0-54.el7.x86_64 #1 SMP Thu Nov 21
                              15:34:15 EST 2013 x86_64 x86_64
Alert Count                   1212
First Seen                    2013-11-27 16:16:11 GMT
Last Seen                     2013-11-28 09:50:05 GMT
Local ID                      a73a1890-a53a-4430-a354-86608508f6be

Raw Audit Messages
type=AVC msg=audit(1385632205.171:108246747): avc:  denied  { unlink } for  pid=31417 comm="yum" name="yum.pid" dev="tmpfs" ino=623956 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file


type=SYSCALL msg=audit(1385632205.171:108246747): arch=x86_64 syscall=unlink success=no exit=EACCES a0=2e034f0 a1=1 a2=3703dbbf88 a3=0 items=0 ppid=31416 pid=31417 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-103.el7.noarch

How reproducible:

Comment 1 Miroslav Grepl 2013-11-28 12:05:30 UTC
I guess we will end up with

optional_policy(`
   rpm_domtrans(sosreport_t)
')

optional_policy(`
   unconfined_domain(sosreport_t)
')


Do you get more AVC msgs in permissive mode?

Comment 2 Milos Malik 2013-11-28 12:54:02 UTC
# rpm -qa selinux-policy\*
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
#

The following message appeared at least ten times:
----
type=SYSCALL msg=audit(11/28/2013 13:45:55.473:1116) : arch=x86_64 syscall=setpgid success=no exit=-13(Permission denied) a0=0x0 a1=0x0 a2=0x7fff393a1eb1 a3=0x32509bbc8c items=0 ppid=6390 pid=11209 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=timeout exe=/usr/bin/timeout subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/28/2013 13:45:55.473:1116) : avc:  denied  { setpgid } for  pid=11209 comm=timeout scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=process 
----

The following messages appeared once:
----
type=PATH msg=audit(11/28/2013 13:45:50.168:1081) : item=1 name=/var/log/up2date objtype=CREATE 
type=PATH msg=audit(11/28/2013 13:45:50.168:1081) : item=0 name=/var/log/ inode=16818314 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 objtype=PARENT 
type=CWD msg=audit(11/28/2013 13:45:50.168:1081) :  cwd=/var/tmp/abrt/Python-2013-11-28-13:44:59-6326 
type=SYSCALL msg=audit(11/28/2013 13:45:50.168:1081) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x2301a60 a1=O_WRONLY|O_CREAT|O_APPEND a2=0666 a3=0x22f99e0 items=2 ppid=7117 pid=7118 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/28/2013 13:45:50.168:1081) : avc:  denied  { write } for  pid=7118 comm=python name=log dev="vda3" ino=16818314 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir 
----
type=PATH msg=audit(11/28/2013 13:45:56.035:1117) : item=1 name=/var/cache/yum/x86_64/7Server objtype=CREATE 
type=PATH msg=audit(11/28/2013 13:45:56.035:1117) : item=0 name=/var/cache/yum/x86_64/ inode=8910782 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:rpm_var_cache_t:s0 objtype=PARENT 
type=CWD msg=audit(11/28/2013 13:45:56.035:1117) :  cwd=/var/tmp/abrt/Python-2013-11-28-13:44:59-6326 
type=SYSCALL msg=audit(11/28/2013 13:45:56.035:1117) : arch=x86_64 syscall=mkdir success=no exit=-13(Permission denied) a0=0x21981f0 a1=0755 a2=0x3255dbbf88 a3=0x0 items=2 ppid=11209 pid=11219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=yum exe=/usr/bin/python2.7 subj=system_u:system_r:sosreport_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/28/2013 13:45:56.035:1117) : avc:  denied  { write } for  pid=11219 comm=yum name=x86_64 dev="vda3" ino=8910782 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_cache_t:s0 tclass=dir 
----

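The raw AVC record in the description and the ausearch -i style records in comment 2 are the same event type in two formats. The parser below (an added example, not part of this bug report or of selinux-policy) reads both forms, groups the denials the way audit2allow would (source type, target type, class, permission), and shows the raw allow rule each group corresponds to; the sample lines are the records quoted in this report.

```python
import re
from collections import Counter

# Constructed sample input: AVC records quoted in this report, in both formats
# audit logs come in (raw epoch timestamps, and ausearch -i interpreted output).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1385632205.171:108246747): avc:  denied  { unlink } for  '
    'pid=31417 comm="yum" name="yum.pid" dev="tmpfs" ino=623956 '
    'scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:rpm_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(11/28/2013 13:45:55.473:1116) : avc:  denied  { setpgid } for  '
    'pid=11209 comm=timeout scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(11/28/2013 13:45:50.168:1081) : avc:  denied  { write } for  '
    'pid=7118 comm=python name=log dev="vda3" ino=16818314 '
    'scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the parsed fields of one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['result'], rec['perms'] = m.group('result'), m.group('perms').split()
    return rec

def type_of(context):
    """user:role:type:range -> type, the part an allow rule is written against."""
    return context.split(':')[2]

def summarize_denials(lines):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        if rec['result'] == 'denied':
            for perm in rec['perms']:
                counts[(type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'], perm)] += 1
    return counts

def as_allow_rule(key):
    """The raw rule audit2allow would emit for one key; comment 1 proposes interface
    macros (rpm_domtrans()/unconfined_domain()) rather than raw rules like this."""
    src, tgt, tclass, perm = key
    return 'allow %s %s:%s %s;' % (src, tgt, tclass, perm)
```

Run against a real audit.log, the summary makes it easy to see whether a denial set belongs to one domain (here, everything is sosreport_t) before deciding between a local module and a policy bug report like this one.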
Comment 3 Miroslav Grepl 2013-11-29 10:23:09 UTC
commit 90b623bb27b22e1b04617463f7c866af50e4787f
Author: Miroslav Grepl <mgrepl>
Date:   Fri Nov 29 11:21:15 2013 +0100

    Label /var/log/up2date as rpm_log_t and allow sosreport to manage rpm log/pid/cache files which is a part of ABRT policy for sosreport running as abrt_t

Comment 4 Miroslav Grepl 2013-11-29 10:27:59 UTC
*** Bug 1033559 has been marked as a duplicate of this bug. ***

Comment 5 Miroslav Grepl 2013-12-03 18:26:39 UTC
*** Bug 1037732 has been marked as a duplicate of this bug. ***

Comment 8 Ludek Smid 2014-06-13 09:53:57 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

