Description of problem:
Command `hammer ping` generates a lot of SELinux AVCs

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140529.0

How reproducible:
sometimes

Steps to Reproduce:
1. # tail -f /var/log/audit/audit.log | grep -e AVC -e SYSCALL --color &
2. # hammer ping

type=AVC msg=audit(1401810620.485:4502): avc: denied { getattr } for pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 a0=c84290 a1=7fffbcdf5f20 a2=7fffbcdf5f20 a3=8 items=0 ppid=14901 pid=19983 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc: denied { execute } for pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc: denied { read open } for pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc: denied { execute_no_trans } for pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 a0=7fff90befd53 a1=7fff90beef38 a2=11ad060 a3=ffffff00 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4504): avc: denied { ioctl } for pid=19987 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffd16d8df0 a3=4 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc: denied { execute } for pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc: denied { read open } for pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc: denied { execute_no_trans } for pid=19989 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 a0=d26990 a1=d269f0 a2=d26a20 a3=10 items=0 ppid=19988 pid=19989 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)

candlepin:
    Status:          ok
    Server Response: Duration: 22ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 36ms
pulp:
    Status:          ok
    Server Response: Duration: 11ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 28ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 25ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 25ms

Actual results:
See above

Expected results:
No AVCs should be generated
Output in comment #0 was from a system with SELinux in Enforcing. Adding output from a system with SELinux in Permissive as well:

# hammer ping; hammer ping

type=AVC msg=audit(1401811222.957:4874): avc: denied { getattr } for pid=27187 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4874): arch=c000003e syscall=4 success=yes exit=0 a0=22e3290 a1=7fffe9996170 a2=7fffe9996170 a3=8 items=0 ppid=14901 pid=27187 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.957:4875): avc: denied { execute } for pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc: denied { read open } for pid=27191 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.957:4875): avc: denied { execute_no_trans } for pid=27191 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.957:4875): arch=c000003e syscall=59 success=yes exit=0 a0=7fff01f07d53 a1=7fff01f06218 a2=887060 a3=ffffff00 items=0 ppid=27187 pid=27191 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.959:4876): avc: denied { ioctl } for pid=27191 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.959:4876): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff7b037f80 a3=4 items=0 ppid=27187 pid=27191 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811222.963:4877): avc: denied { execute } for pid=27193 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc: denied { read open } for pid=27193 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401811222.963:4877): avc: denied { execute_no_trans } for pid=27193 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401811222.963:4877): arch=c000003e syscall=59 success=yes exit=0 a0=f85990 a1=f859f0 a2=f85a20 a3=10 items=0 ppid=27192 pid=27193 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)

candlepin:
    Status:          ok
    Server Response: Duration: 32ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 34ms
pulp:
    Status:          ok
    Server Response: Duration: 19ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 23ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 43ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 67ms

type=AVC msg=audit(1401811229.804:4883): avc: denied { name_connect } for pid=14925 comm="ruby" dest=9200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401811229.804:4883): arch=c000003e syscall=42 success=no exit=-111 a0=11 a1=7fc6b857e690 a2=1c a3=ff00 items=0 ppid=1 pid=14925 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

candlepin:
    Status:          ok
    Server Response: Duration: 54ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 69ms
pulp:
    Status:          ok
    Server Response: Duration: 31ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 42ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 21ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 134ms
# rpm -qa | grep selinux | sort
candlepin-selinux-0.9.7-1.el6_5.noarch
foreman-selinux-1.6.0-3.el6sat.noarch
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
pulp-selinux-2.4.0-0.18.beta.el6sat.noarch
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch
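The AVC and SYSCALL records in comments #0 and #1 can be triaged mechanically instead of by eye. The Python script below is an added example, not part of this bug report and not Satellite or Foreman code. It embeds the records copied from the two comments (AVC records verbatim, SYSCALL records trimmed to the fields it reads), groups the denials by source type, target type and object class, and joins each AVC to its SYSCALL record through the shared audit serial. That join answers the question that matters when reading such output: an enforced SELinux denial fails the syscall with EACCES (exit=-13); success=yes means the denial was logged but not applied (permissive mode, or a permissive domain); any other failure code (here ENOTTY on the ioctl and ECONNREFUSED on the connect to port 9200) means the syscall failed for a reason unrelated to SELinux.

```python
import re
from collections import Counter, defaultdict

# Audit records copied from comments #0 and #1 of the bug report above. AVC
# records are verbatim; SYSCALL records are trimmed to the fields used here.
SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1401810620.485:4502): avc: denied { getattr } for pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 ppid=14901 pid=19983 uid=497 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc: denied { execute } for pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc: denied { read open } for pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc: denied { execute_no_trans } for pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 ppid=19983 pid=19987 uid=497 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4504): avc: denied { ioctl } for pid=19987 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4504): arch=c000003e syscall=16 success=no exit=-25 ppid=19983 pid=19987 uid=497 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc: denied { execute } for pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc: denied { read open } for pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc: denied { execute_no_trans } for pid=19989 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 ppid=19988 pid=19989 uid=497 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401811229.804:4883): avc: denied { name_connect } for pid=14925 comm="ruby" dest=9200 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401811229.804:4883): arch=c000003e syscall=42 success=no exit=-111 ppid=1 pid=14925 uid=497 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EACCES = -13  # errno the kernel returns to the caller for an enforced SELinux denial


def parse_fields(text):
    """'k=v k2="v 2"' -> {'k': 'v', 'k2': 'v 2'}"""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def context_type(ctx):
    """'system_u:system_r:passenger_t:s0' -> 'passenger_t'"""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def classify(syscall):
    """Did the denial take effect? Decided from the SYSCALL record with the same serial."""
    if syscall is None:
        return 'no_syscall'
    if syscall.get('success') == 'yes':
        return 'logged_only'        # permissive mode or a permissive domain
    if syscall.get('exit') == str(EACCES):
        return 'enforced'
    return 'failed_otherwise'       # e.g. ENOTTY, ECONNREFUSED: not caused by SELinux


def parse_audit(text):
    """One dict per AVC denial, joined to its SYSCALL record by audit serial."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if m:
            f = parse_fields(m.group('fields'))
            denials.append({
                'serial': int(m.group('serial')),
                'perms': set(m.group('perms').split()),
                'stype': context_type(f['scontext']),
                'ttype': context_type(f['tcontext']),
                'tclass': f['tclass'],
                'comm': f.get('comm', ''),
                'target': f.get('path') or f.get('name') or f.get('dest', ''),
            })
            continue
        m = SYSCALL_RE.match(line.strip())
        if m:
            syscalls[int(m.group('serial'))] = parse_fields(m.group('fields'))
    for d in denials:
        d['verdict'] = classify(syscalls.get(d['serial']))
    return denials


def summarize(denials):
    """(source type, target type, object class) -> union of denied permissions."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(summary)


def verdict_counts(denials):
    """How many denials were enforced, merely logged, or failed for other reasons."""
    return Counter(d['verdict'] for d in denials)


if __name__ == '__main__':
    found = parse_audit(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), perms in sorted(summarize(found).items()):
        print(f'{stype} -> {ttype} ({tclass}): {" ".join(sorted(perms))}')
    print(dict(verdict_counts(found)))
```

Run over the embedded records it reduces the nine AVC lines to three (source, target, class) tuples: passenger_t on initrc_exec_t files, passenger_t on the consoletype_exec_t binary, and passenger_t name_connect to port_t (the 9200 destination). None of the joined syscalls failed with EACCES; seven carry success=yes and two failed with unrelated errnos, which is the kind of fact worth checking before deciding whether a reported AVC actually broke anything. To use it on a live system, feed the output of `ausearch -m AVC,SYSCALL --raw` (or the raw audit.log) to `parse_audit` instead of the sample string.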
Moving to POST since upstream bug http://projects.theforeman.org/issues/5930 has been closed
From a system in permissive mode, with sat6-GA-snap4 we get no AVC or SYSCALL denial messages.

[root@xxx ~]# hammer -u admin -p changeme -v organization add-subnet --id=1 --subnet-id=1
[root@xxx ~]# tail -f /var/log/audit/audit.log | grep -e AVC -e SYSCALL --color &
[1] 21922
[root@xxxx ~]# hammer ping
[Foreman] password for admin:
candlepin:
    Status:          ok
    Server Response: Duration: 35ms
candlepin_auth:
    Status:          ok
    Server Response: Duration: 42ms
pulp:
    Status:          ok
    Server Response: Duration: 192ms
pulp_auth:
    Status:          ok
    Server Response: Duration: 21ms
elasticsearch:
    Status:          ok
    Server Response: Duration: 101ms
katello_jobs:
    Status:          ok
    Server Response: Duration: 38ms
As per Kedar's idea, tested in Enforcing as well (Satellite-6.0.4-RHEL-6-20140806.0 + selinux-policy-targeted-3.7.19-231.el6.noarch) and no AVCs observed.
This was delivered with Satellite 6.0 which was released on 10 September 2014.