1069842 – selinux preventing targetd plugin from opening a tcp socket

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1069842 - selinux preventing targetd plugin from opening a tcp socket

Summary: selinux preventing targetd plugin from opening a tcp socket

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	1069355
Blocks:
TreeView+	depends on / blocked

Reported:	2014-02-25 18:32 UTC by Andy Grover
Modified:	2014-07-09 15:11 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.12.1-127.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1069355
Environment:
Last Closed:	2014-06-13 12:21:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Andy Grover 2014-02-25 18:32:58 UTC

+++ This bug was initially created as a clone of Bug #1069355 +++

This prevents targetd plugin from working.

[root@localhost log]# sealert -l 4c68fbd5-ab47-476c-a175-cd6fde302166
SELinux is preventing /usr/bin/python2.7 from create access on the tcp_socket .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed create access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:lsmd_plugin_t:s0
Target Context                system_u:system_r:lsmd_plugin_t:s0
Target Objects                 [ tcp_socket ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7.5-11.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.13.3-201.fc20.x86_64
                              #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64
Alert Count                   4
First Seen                    2014-02-24 11:41:56 PST
Last Seen                     2014-02-24 11:52:33 PST
Local ID                      4c68fbd5-ab47-476c-a175-cd6fde302166

Raw Audit Messages
type=AVC msg=audit(1393271553.830:425): avc:  denied  { create } for  pid=1645 comm="python" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:system_r:lsmd_plugin_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1393271553.830:425): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=1 a2=6 a3=1 items=0 ppid=1643 pid=1645 auid=4294967295 uid=994 gid=990 euid=994 suid=994 fsuid=994 egid=990 sgid=990 fsgid=990 ses=4294967295 tty=(none) comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)

Hash: python,lsmd_plugin_t,lsmd_plugin_t,tcp_socket,create

--- Additional comment from Daniel Walsh on 2014-02-24 13:34:30 PST ---

Could you run this in permissive mode to catch more avcs

semanage permissive -a lsmd_plugin_t

--- Additional comment from Tony Asleson on 2014-02-24 13:48:57 PST ---



--- Additional comment from Daniel Walsh on 2014-02-24 13:51:19 PST ---

Do you know what is listening at tcp port 18700?

--- Additional comment from Tony Asleson on 2014-02-24 13:59:20 PST ---

(In reply to Daniel Walsh from comment #3)
> Do you know what is listening at tcp port 18700?

In this specific case the libStorageMgmt targetd plug-in (/usr/bin/targetd_lsmplugin) is connecting to a remote system which is running the targetd storage daemon.

The port number can be configured by end users, so that may change.

Some background which may help with creating policy.

The daemon lsmd execs the plug-in.  The plug-in needs network access and all that entails to connect to the external storage arrays over the network.  

The current targeted selinux policy allows the plug-in to create a socket if it is executed via the command line, but rejects it when executed via lsmd.

Please note that plug-ins can be written in C or python at this time and will connect to a number of different listening ports, each of which is modifiable by the end user.

--- Additional comment from Daniel Walsh on 2014-02-24 14:06:43 PST ---

Is that the default port

--- Additional comment from Tony Asleson on 2014-02-24 14:10:26 PST ---

(In reply to Daniel Walsh from comment #5)
> Is that the default port

For targetd plug-in yes.  

For other plugins, default ports:
libstoragemgmt-ontap-plugin  (80/443)
libstoragemgmt-smis-plugin   (5988/5989)
libstoragemgmt-nstor-plugin  (80/443)
libstoragemgmt-ibm-v7k-plugin (22)

But like I stated, the user can change.

--- Additional comment from Miroslav Grepl on 2014-02-25 05:59:28 PST ---

I believe we want to add a boolean for lsmd plugins.

--- Additional comment from Miroslav Grepl on 2014-02-25 06:17:39 PST ---

commit 4c57934448663d99368d0e1616c6f0c4849ed550
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 25 15:16:49 2014 +0100

    Add lsmd_plugin_connect_any boolean

--- Additional comment from Miroslav Grepl on 2014-02-25 06:19:22 PST ---

Also added

commit 7ac723de65080bbbc0f2b125844fc2f46b50e764
Author: Miroslav Grepl <mgrepl>
Date:   Tue Feb 25 15:19:00 2014 +0100

    Allow lsmd plugins to connect to http/ssh/http_caccommit

Comment 5 Miroslav Grepl 2014-02-26 11:54:11 UTC

Milos,
how does it work with the latest build. There should be a new boolean to cover it.

Comment 7 Ludek Smid 2014-06-13 12:21:27 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.