Bug 1037484 - bmc-watchdog runs as init_t
Summary: bmc-watchdog runs as init_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: nopolicy
Blocks: 848829 1042753
Reported: 2013-12-03 09:30 UTC by Milos Malik
Modified: 2014-06-18 02:31 UTC
CC List: 3 users

Fixed In Version: selinux-policy-3.12.1-110.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:49:30 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2013-12-03 09:30:35 UTC
Description of problem:
 * bmc-watchdog uses too powerful SELinux domain

Version-Release number of selected component (if applicable):
freeipmi-bmc-watchdog-1.2.9-2.el7.x86_64
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service bmc-watchdog status
Redirecting to /bin/systemctl status  bmc-watchdog.service
bmc-watchdog.service - BMC Watchdog Timer Daemon
   Loaded: loaded (/usr/lib/systemd/system/bmc-watchdog.service; disabled)
   Active: inactive (dead)

# service bmc-watchdog start
Redirecting to /bin/systemctl start  bmc-watchdog.service
# service bmc-watchdog status
Redirecting to /bin/systemctl status  bmc-watchdog.service
bmc-watchdog.service - BMC Watchdog Timer Daemon
   Loaded: loaded (/usr/lib/systemd/system/bmc-watchdog.service; disabled)
   Active: active (running) since Tue 2013-12-03 10:24:02 CET; 982ms ago
  Process: 6723 ExecStart=/usr/sbin/bmc-watchdog $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 6725 (bmc-watchdog)
   CGroup: /system.slice/bmc-watchdog.service
           └─6725 /usr/sbin/bmc-watchdog -d -u 4 -p 0 -a 1 -F -P -L -S -O -i ...

Dec 03 10:24:02 rhel70.localdomain systemd[1]: Starting BMC Watchdog Timer D....
Dec 03 10:24:02 rhel70.localdomain systemd[1]: Started BMC Watchdog Timer Da....
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep bmc-watchdog
system_u:system_r:init_t:s0     root      6725     1 36 10:24 ?        00:00:04 /usr/sbin/bmc-watchdog -d -u 4 -p 0 -a 1 -F -P -L -S -O -i 900 -e 60
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 6738 2416  0 10:24 pts/0 00:00:00 grep --color=auto bmc-watchdog
#

Actual results:
 * bmc-watchdog runs as init_t

Expected results:
 * bmc-watchdog runs in its own SELinux domain

Comment 1 Miroslav Grepl 2013-12-03 10:04:18 UTC
Milos,
does it work with "watchdog_exec_t"?


I will add

commit 63b4dceb33ffbfb86516a257926a711b4c653d45
Author: Miroslav Grepl <mgrepl>
Date:   Tue Dec 3 11:02:45 2013 +0100

    Allow watchdog to be executed from cron


if yes.

Comment 2 Milos Malik 2013-12-03 10:12:35 UTC
After assigning the watchdog_exec_t label to the /usr/sbin/bmc-watchdog file, the following AVCs appeared in enforcing mode:
----
type=PATH msg=audit(12/03/2013 11:07:16.975:76987) : item=0 name=/dev/ipmi0 inode=4460792 dev=00:05 mode=character,644 ouid=root ogid=root rdev=f6:00 obj=unconfined_u:object_r:ipmi_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/03/2013 11:07:16.975:76987) :  cwd=/ 
type=SYSCALL msg=audit(12/03/2013 11:07:16.975:76987) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f25959905c8 a1=O_RDWR a2=0x7f25980ab310 a3=0x7fffd0711710 items=1 ppid=18756 pid=18757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bmc-watchdog exe=/usr/sbin/bmc-watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(12/03/2013 11:07:16.975:76987) : avc:  denied  { read write } for  pid=18757 comm=bmc-watchdog name=ipmi0 dev="devtmpfs" ino=4460792 scontext=system_u:system_r:watchdog_t:s0 tcontext=unconfined_u:object_r:ipmi_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(12/03/2013 11:07:16.976:76988) : item=0 name=/dev/mem inode=1027 dev=00:05 mode=character,640 ouid=root ogid=kmem rdev=01:01 obj=system_u:object_r:memory_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/03/2013 11:07:16.976:76988) :  cwd=/ 
type=SYSCALL msg=audit(12/03/2013 11:07:16.976:76988) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f2595997d2b a1=O_RDONLY a2=0x10000 a3=0x7fffd0711bb0 items=1 ppid=1 pid=18757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bmc-watchdog exe=/usr/sbin/bmc-watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(12/03/2013 11:07:16.976:76988) : avc:  denied  { read } for  pid=18757 comm=bmc-watchdog name=mem dev="devtmpfs" ino=1027 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file 
----
type=PATH msg=audit(12/03/2013 11:07:16.977:77037) : item=0 name=/var/lib/freeipmi/ipckey inode=2494726 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_lib_t:s0 objtype=NORMAL 
type=CWD msg=audit(12/03/2013 11:07:16.977:77037) :  cwd=/ 
type=SYSCALL msg=audit(12/03/2013 11:07:16.977:77037) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7f2595990541 a1=0x7fffd0711890 a2=0x7fffd0711890 a3=0x3 items=1 ppid=1 pid=18757 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bmc-watchdog exe=/usr/sbin/bmc-watchdog subj=system_u:system_r:watchdog_t:s0 key=(null) 
type=AVC msg=audit(12/03/2013 11:07:16.977:77037) : avc:  denied  { getattr } for  pid=18757 comm=bmc-watchdog path=/var/lib/freeipmi/ipckey dev="sda4" ino=2494726 scontext=system_u:system_r:watchdog_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file 
----

Comment 3 Miroslav Grepl 2013-12-03 10:42:53 UTC
Milos, I see

$ rpm -ql freeipmi-bmc-watchdog
/etc/sysconfig/bmc-watchdog
/usr/lib/systemd/system/bmc-watchdog.service
/usr/sbin/bmc-watchdog
/usr/share/doc/freeipmi/COPYING.bmc-watchdog
/usr/share/doc/freeipmi/DISCLAIMER.bmc-watchdog
/usr/share/doc/freeipmi/DISCLAIMER.bmc-watchdog.UC
/usr/share/man/man8/bmc-watchdog.8.gz


on my F20 system. It looks like /var/lib/freeipmi is created on the fly.

Comment 4 Milos Malik 2013-12-03 10:45:21 UTC
It's a part of another package:

# rpm -qf /var/lib/freeipmi
freeipmi-1.2.9-2.el7.x86_64
# rpm -qf /var/lib/freeipmi/ipckey
freeipmi-1.2.9-2.el7.x86_64
#

Comment 5 Miroslav Grepl 2013-12-03 11:26:33 UTC
Ok, taking back. 

We have more services from freeipmi which run as init_t. So we would introduce

freeipmi.pp
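
To make that plan concrete, here is an illustrative refpolicy-style module (an added example, not the freeipmi policy introduced by the commits below; the domain, type and interface names are assumptions following refpolicy conventions) that moves bmc-watchdog out of init_t into its own domain and turns each denial from Comment 2 into one targeted rule:

```selinux
# --- freeipmi.te (illustrative; assumed names, not the shipped selinux-policy module) ---
policy_module(freeipmi, 1.0.0)

########################################
# Declarations
#
# A confined domain plus an entrypoint type, so that systemd (init_t)
# transitions into bmc_watchdog_t instead of leaving the daemon in init_t.
type bmc_watchdog_t;
type bmc_watchdog_exec_t;
init_daemon_domain(bmc_watchdog_t, bmc_watchdog_exec_t)

# Private type for /var/lib/freeipmi so the daemon needs no access to generic var_lib_t.
type freeipmi_var_lib_t;
files_type(freeipmi_var_lib_t)

########################################
# Policy: one rule per denial seen in Comment 2
#
# AVC 76987: { read write } on /dev/ipmi0 (ipmi_device_t, chr_file)
dev_rw_ipmi_dev(bmc_watchdog_t)

# AVC 76988: { read } on /dev/mem (memory_device_t). This is the one grant
# worth questioning in review: keep it read-only. The kernel's /dev/mem open
# also requires CAP_SYS_RAWIO, so expect a capability denial next once the
# chr_file read is allowed; it is granted here for that reason.
dev_read_raw_memory(bmc_watchdog_t)
allow bmc_watchdog_t self:capability sys_rawio;

# AVC 77037: { getattr } on /var/lib/freeipmi/ipckey (was var_lib_t).
# The .fc entry below relabels that tree; grant management of the private
# type only, with a type transition for files the daemon creates under /var/lib.
manage_dirs_pattern(bmc_watchdog_t, freeipmi_var_lib_t, freeipmi_var_lib_t)
manage_files_pattern(bmc_watchdog_t, freeipmi_var_lib_t, freeipmi_var_lib_t)
files_var_lib_filetrans(bmc_watchdog_t, freeipmi_var_lib_t, { dir file })

# Baseline for a systemd daemon: /etc/sysconfig/bmc-watchdog, syslog, locale.
files_read_etc_files(bmc_watchdog_t)
logging_send_syslog_msg(bmc_watchdog_t)
miscfiles_read_localization(bmc_watchdog_t)

# --- freeipmi.fc ---
/usr/sbin/bmc-watchdog    --  gen_context(system_u:object_r:bmc_watchdog_exec_t,s0)
/var/lib/freeipmi(/.*)?       gen_context(system_u:object_r:freeipmi_var_lib_t,s0)
```

With selinux-policy-devel installed, build with `make -f /usr/share/selinux/devel/Makefile freeipmi.pp`, load with `semodule -i freeipmi.pp`, run `restorecon -Rv /usr/sbin/bmc-watchdog /var/lib/freeipmi`, restart the service and repeat the `ps -efZ | grep bmc-watchdog` check from the description: the process should now show bmc_watchdog_t rather than init_t.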

Comment 7 Miroslav Grepl 2013-12-10 13:29:26 UTC
commit dee0ab128c1730828e041645811da995a2929f0b
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 5 17:11:53 2013 +0100

    Add policy for freeipmi services

Comment 10 Miroslav Grepl 2013-12-12 14:02:21 UTC
commit 635d073c3124218716c94266a511366d3cb69de6
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 12 15:00:06 2013 +0100

    Update freeipmi policy

Comment 13 Ludek Smid 2014-06-13 12:49:30 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

