Bug 1093733 - SELinux is stopping libstoragemgmt smis and targetd plugin to use TCP connection.
Summary: SELinux is stopping libstoragemgmt smis and targetd plugin to use TCP connect...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1162133
Depends On:
Blocks:
Reported: 2014-05-02 13:41 UTC by Gris Ge
Modified: 2015-03-05 10:38 UTC (History)

Fixed In Version: selinux-policy-3.13.1-21.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:38:59 UTC
Target Upstream Version:
Embargoed:


Links:
Red Hat Product Errata RHBA-2015:0458 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2015-03-05 15:17:00 UTC

Description Gris Ge 2014-05-02 13:41:51 UTC
Description of problem:
When executing these commands:
====
export LSMCLI_URI='smispy+ssl://admin@host:5989?namespace=root/emc&no_ssl_verify=yes'
export LSMCLI_PASSWORD='some_password'
lsmcli list --type systems
====

SELinux will stop the TCP connection:
====
SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

*****  Plugin connect_ports (92.2 confidence) suggests   *********************

If you want to allow /usr/bin/python2.7 to connect to network port 18700
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 18700
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, ssh_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow lsmd to plugin connect any
Then you must tell SELinux about this by enabling the 'lsmd_plugin_connect_any' boolean.
You can read 'None' man page for more details.
Do
setsebool -P lsmd_plugin_connect_any 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that python2.7 should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:lsmd_plugin_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        python
Source Path                   /usr/bin/python2.7
Port                          18700
Host                          fge-rhel7-mock.novalocal
Source RPM Packages           python-2.7.5-16.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fge-rhel7-mock.novalocal
Platform                      Linux fge-rhel7-mock.novalocal
                              3.10.0-121.el7.x86_64 #1 SMP Tue Apr 8 10:48:19
                              EDT 2014 x86_64 x86_64
Alert Count                   4
First Seen                    2014-05-02 08:53:57 EDT
Last Seen                     2014-05-02 09:30:54 EDT
Local ID                      d7b8c419-5c0f-4c02-9ea5-47c960433d13

Raw Audit Messages
type=AVC msg=audit(1399037454.437:270): avc:  denied  { name_connect } for  pid=3261 comm="python2.7" dest=18700 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1399037454.437:270): arch=x86_64 syscall=connect success=no exit=EACCES a0=5 a1=7ffff8a83380 a2=10 a3=68 items=0 ppid=3033 pid=3261 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)

Hash: python,lsmd_plugin_t,unreserved_port_t,tcp_socket,name_connect
=====

Version-Release number of selected component (if applicable):
libstoragemgmt-targetd-plugin-0.0.24-4.el7.noarch
libstoragemgmt-python-0.0.24-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.24-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.24-4.el7.noarch
libstoragemgmt-0.0.24-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install libstoragemgmt-smis-plugin
2. Start the libstoragemgmt daemon:

   sudo systemctl start libstoragemgmt.service

3. Use lsmcli to list the systems of an SMI-S provider:

export LSMCLI_URI='smispy+ssl://admin@host:5989?namespace=root/emc&no_ssl_verify=yes'
export LSMCLI_PASSWORD='some_password'
lsmcli list --type systems


Actual results:
SELinux stopped the TCP connection of SMI-S plugin.

Expected results:
No error.

Additional info:
The ONTAP plugin of libstoragemgmt (libstoragemgmt-netapp-plugin) is not impacted.
And these plugins are impacted:

libstoragemgmt-targetd-plugin-0.0.24-4.el7.noarch
libstoragemgmt-smis-plugin-0.0.24-4.el7.noarch
libstoragemgmt-nstor-plugin-0.0.24-4.el7.noarch

Comment 1 Miroslav Grepl 2014-05-05 08:46:26 UTC
You will need to use

setsebool -P lsmd_plugin_connect_any 1

boolean. Or is tcp/18700 used by default?

Comment 2 Bruno Goncalves 2014-05-05 12:35:21 UTC
It does work using "setsebool -P lsmd_plugin_connect_any 1".

Should this setting be done when libstoragemgmt-smis-plugin is installed, or will it be documented on the lsmcli man page?

Comment 3 Milos Malik 2014-05-05 12:37:49 UTC
man lsmd_plugin_selinux

Comment 4 Milos Malik 2014-05-05 12:39:31 UTC
Are there additional AVCs?

# ausearch -m avc -i -ts recent

Comment 5 Bruno Goncalves 2014-05-05 13:05:31 UTC
It looks like that was all.

# ausearch -m avc -i -ts recent
<no matches>

Comment 6 Gris Ge 2014-05-07 02:17:39 UTC
(In reply to Miroslav Grepl from comment #1)
> You will need to use
> 
> setsebool -P lsmd_plugin_connect_any 1
> 
> boolean. Or is tcp/18700 used by default?
Milos Malik,

tcp/18700 is not the default port. The libstoragemgmt SMI-S plugin uses pywbem,
which acts like a TCP client application. The OS chooses random ports
above 1024.

Are you suggesting that we create a man page 'lsmd_plugin_selinux' documenting
the SELinux commands to enable SMI-S plugins?

I noticed firefox does not need to set a SELinux boolean before making a TCP connection.
Is there any application whitelist for making TCP connection?

Meanwhile, a similar bug #1069842 was fixed in selinux-policy-3.12.1-127.el7.
Sounds like a regression to me.

Thanks.

Comment 7 Milos Malik 2014-05-07 08:38:38 UTC
The lsmd_plugin_selinux man page already exists and it's part of selinux-policy-devel package.

Because tcp/18700 is not the default port, you need to enable the lsmd_plugin_connect_any boolean to make it work.

The lsmd plugins I know of are confined and run under the lsmd_plugin_t context. On the other hand, the firefox process gets its context from the user who runs it, usually unconfined_t, which means it is much less limited.

Comment 8 Milos Malik 2014-05-07 08:44:32 UTC
About the regression point:
First enable the lsmd_plugin_connect_any boolean (as described in the man page) and then let me know if new AVCs still appear.

Comment 9 Gris Ge 2014-05-07 09:24:22 UTC
Hi Milos,

Thanks for the explanation.

Just realized we are talking about the TCP destination port.
Yes. 18700 is the default port for targetd plugin.

Please allow the lsm plugins to access these default destination ports:

===
SMI-S plugin: TCP 5888
SMI-S plugin: TCP 5889
Targetd plugin: TCP 18700
nstor plugin: TCP 2000
===

Re-opening this bug.

Comment 10 Gris Ge 2014-05-07 09:26:46 UTC
Sorry.

The TCP ports in the previous comment are incorrect.
Please use this list:

====
SMI-S plugin: TCP 5988
#                 ^^^^
SMI-S plugin: TCP 5989
#                 ^^^^
Targetd plugin: TCP 18700
nstor plugin: TCP 2000
====

Comment 11 Milos Malik 2014-05-07 11:03:15 UTC
Thanks for the list of destination ports. I'm going to modify our automated TC to reflect that.

Comment 12 Ludek Smid 2014-06-26 10:55:21 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Comment 13 Ludek Smid 2014-06-26 11:15:23 UTC
The comment above is incorrect. The correct version is below.
I'm sorry for any inconvenience.
---------------------------------------------------------------

This request was NOT resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you need
to escalate this bug.

Comment 14 Milos Malik 2014-10-09 20:37:27 UTC
The automated TC triggers several AVCs of this kind in enforcing mode:
----
time->Thu Oct  9 22:29:21 2014
type=PATH msg=audit(1412886561.487:651): item=0 name="/etc/passwd" inode=18299892 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1412886561.487:651):  cwd="/"
type=SYSCALL msg=audit(1412886561.487:651): arch=c000003e syscall=2 success=no exit=-13 a0=7f257ec09d8a a1=80000 a2=1b6 a3=0 items=1 ppid=7699 pid=9130 auid=4294967295 uid=987 gid=983 euid=987 suid=987 fsuid=987 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886561.487:651): avc:  denied  { read } for  pid=9130 comm="python2" name="passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----

The automated TC triggers the following AVCs in permissive mode:
----
time->Thu Oct  9 22:33:43 2014
type=PATH msg=audit(1412886823.501:684): item=0 name="/etc/passwd" inode=18299892 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1412886823.501:684):  cwd="/"
type=SYSCALL msg=audit(1412886823.501:684): arch=c000003e syscall=2 success=yes exit=6 a0=7fc67b29bd8a a1=80000 a2=1b6 a3=0 items=1 ppid=23197 pid=23318 auid=4294967295 uid=987 gid=983 euid=987 suid=987 fsuid=987 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886823.501:684): avc:  denied  { open } for  pid=23318 comm="python2" path="/etc/passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1412886823.501:684): avc:  denied  { read } for  pid=23318 comm="python2" name="passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Thu Oct  9 22:33:43 2014
type=SYSCALL msg=audit(1412886823.501:685): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff7c5a3c60 a2=7fff7c5a3c60 a3=0 items=0 ppid=23197 pid=23318 auid=4294967295 uid=987 gid=983 euid=987 suid=987 fsuid=987 egid=983 sgid=983 fsgid=983 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886823.501:685): avc:  denied  { getattr } for  pid=23318 comm="python2" path="/etc/passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----

Comment 15 Lukas Vrabec 2014-10-13 09:08:40 UTC
commit b3abda8bb879d820b23ac2a52e2c9ce28bc033d6
Author: Lukas Vrabec <lvrabec>
Date:   Mon Oct 13 11:05:33 2014 +0200

    Allow lmsd_plugin to read passwd file. BZ(1093733)

https://github.com/selinux-policy/selinux-policy/commit/b3abda8bb879d820b23ac2a52e2c9ce28bc033d6

Comment 16 Tony Asleson 2014-10-13 18:30:45 UTC
(In reply to Lukas Vrabec from comment #15)
> commit b3abda8bb879d820b23ac2a52e2c9ce28bc033d6
> Author: Lukas Vrabec <lvrabec>
> Date:   Mon Oct 13 11:05:33 2014 +0200
> 
>     Allow lmsd_plugin to read passwd file. BZ(1093733)
> 
> https://github.com/selinux-policy/selinux-policy/commit/
> b3abda8bb879d820b23ac2a52e2c9ce28bc033d6

Just to clarify, the lsmd daemon when starting is doing the following:

Calling getpwnam to see if the user libstoragemgmt is available. If it is, it then makes calls to setgid, setgroups, setuid to drop privileges to that user.

If there is a more appropriate way to do this please let me know.

Comment 18 Miroslav Grepl 2014-12-02 12:17:21 UTC
*** Bug 1162133 has been marked as a duplicate of this bug. ***

Comment 21 Miroslav Grepl 2015-01-09 13:52:44 UTC
commit 928ad6ecbd1963e3466f8f6c68644c6b5d983576
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jan 9 14:50:37 2015 +0100

    Allow lsm plugins to connect to tcp/18700 by default.

Comment 24 Bruno Goncalves 2015-01-23 13:24:52 UTC
It looks like the problem still persists on selinux-policy-3.13.1-19.el7.noarch

###########################################################################

Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 01/23/2015 12:44:45 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.5mQSBu 2>&1'
----
time->Fri Jan 23 12:57:48 2015
type=USER_AVC msg=audit(1422014268.104:97): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Jan 23 12:58:08 2015
type=SYSCALL msg=audit(1422014288.545:100): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffff3f20b10 a2=10 a3=36 items=0 ppid=25316 pid=25479 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1422014288.545:100): avc:  denied  { name_connect } for  pid=25479 comm="python2" dest=5988 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_http_port_t:s0 tclass=tcp_socket
----
time->Fri Jan 23 12:58:32 2015
type=SYSCALL msg=audit(1422014312.204:103): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fff26060050 a2=10 a3=36 items=0 ppid=25504 pid=25743 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1422014312.204:103): avc:  denied  { name_connect } for  pid=25743 comm="python2" dest=5988 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_http_port_t:s0 tclass=tcp_socket
----
time->Fri Jan 23 12:59:28 2015
type=SYSCALL msg=audit(1422014368.542:108): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7fffd19f43d0 a2=10 a3=36 items=0 ppid=26158 pid=26313 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="python2" exe="/usr/bin/python2.7" subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1422014368.542:108): avc:  denied  { name_connect } for  pid=26313 comm="python2" dest=5989 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_https_port_t:s0 tclass=tcp_socket
Fail: AVC messages found.

###########################################################################

Jan 23 12:58:10 karkulka setroubleshoot: Plugin Exception restorecon_source
Jan 23 12:58:10 karkulka setroubleshoot: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 5988. For complete SELinux messages. run sealert -l 31ac1246-f696-4c49-9402-bcb3c2060fdf
Jan 23 12:58:10 karkulka python: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 5988.

###########################################################################

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-19.el7.noarch
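The AVC records quoted in the description, in comment 14 and in comment 24 all share the raw "type=AVC" audit format, and triaging this bug amounts to grouping them by source domain, object class, permission and target, which is exactly how the policy commits above are phrased (lsmd_plugin_t to tcp/18700, tcp/5988, tcp/5989 and to passwd_file_t). The following Python script is an added example and is not part of the bug report or of selinux-policy: it parses such records and produces that grouping. The audit lines embedded in it are constructed samples modelled on the records in this bug (pids, inodes and timestamps are illustrative), and the function names parse_avc, target_label, summarize and format_summary are my own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample records (hypothetical pids/timestamps) modelled on the AVC
# lines in this bug: name_connect denials against tcp/18700, tcp/5988 and
# tcp/5989, one file read denial on /etc/passwd, plus a SYSCALL record that the
# parser must skip. Not copied from a live host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399037454.437:270): avc:  denied  { name_connect } for  pid=3261 comm="python2.7" dest=18700 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1399037454.437:270): arch=x86_64 syscall=connect success=no exit=EACCES pid=3261 comm=python2.7 exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(1412886561.487:651): avc:  denied  { read } for  pid=9130 comm="python2" name="passwd" dev="vda2" ino=18299892 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1422014288.545:100): avc:  denied  { name_connect } for  pid=25479 comm="python2" dest=5988 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1422014368.542:108): avc:  denied  { name_connect } for  pid=26313 comm="python2" dest=5989 scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:object_r:pegasus_https_port_t:s0 tclass=tcp_socket
"""

# Header of a raw audit AVC record:
# "type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one raw type=AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    rec["timestamp"] = float(m.group("ts"))
    # A context is user:role:type[:range]; policy rules are keyed on the type field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def target_label(rec):
    """Describe the denied target: port and port type for sockets, object name/path and type for files."""
    if rec["tclass"] == "tcp_socket" and "dest" in rec:
        return "tcp/%s (%s)" % (rec["dest"], rec["ttype"])
    obj = rec.get("path") or rec.get("name") or "?"
    return "%s (%s)" % (obj, rec["ttype"])


def summarize(lines):
    """Group denied records by (source type, object class, permission) -> sorted list of targets.

    One entry corresponds to one allow rule a policy maintainer would have to
    write (or one boolean that would have to be enabled) to silence the group.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            groups[(rec["stype"], rec["tclass"], perm)].add(target_label(rec))
    return {key: sorted(targets) for key, targets in groups.items()}


def format_summary(groups):
    """Render the grouping as one line per (source, class, permission)."""
    out = []
    for (stype, tclass, perm), targets in sorted(groups.items()):
        out.append("%s -> %s:%s : %s" % (stype, tclass, perm, ", ".join(targets)))
    return "\n".join(out)


if __name__ == "__main__":
    # Read raw audit records from stdin, or fall back to the constructed sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AUDIT.splitlines()
    print(format_summary(summarize(source)))
```

Pipe the raw output of the ausearch command from comment 4 into it, but without the -i flag: -i rewrites the records into interpreted form (names instead of numbers, no quoted values), and the parser above expects the raw type=AVC lines as they appear in this bug. With the embedded sample it prints one line for the passwd_file_t read denial and one line listing the three denied destination ports with their port types.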

Comment 25 Miroslav Grepl 2015-01-26 11:45:06 UTC
commit 0d97f0148cebf425381d43813c58ad9f9ce5051b
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 26 12:44:33 2015 +0100

    Allow lsmd plugin to connect to tcp/5988 by default.

commit 06a7a977f429373e2b8d0fbee6112c05e13c0976
Author: Miroslav Grepl <mgrepl>
Date:   Mon Jan 26 12:42:03 2015 +0100

    Allow lsmd plugin to connect to tcp/5989 by default.

Comment 29 errata-xmlrpc 2015-03-05 10:38:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

