Bug 1130086 - Daemon qpidd denial to read /etc/passwd
Summary: Daemon qpidd denial to read /etc/passwd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1131424
Reported: 2014-08-14 10:03 UTC by Lukas Zapletal
Modified: 2015-03-05 10:42 UTC (History)

Fixed In Version: selinux-policy-3.13.1-2.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:42:37 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0458 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Description Lukas Zapletal 2014-08-14 10:03:35 UTC
Hey,

RHEL 7.0 gold, started qpidd:

[root@seven ~]# audit2allow -R
type=SYSCALL msg=audit(1407962038.636:342): arch=c000003e syscall=4 success=no exit=-13 a0=7f61ea0809b6 a1=7fff1e15d7c0 a2=7fff1e15d7c0 a3=7fff1e15f660 items=0 ppid=1 pid=30846 auid=4294967295 uid=996 gid=996 euid=996 suid=996 fsuid=996 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1407962038.636:342): avc:  denied  { getattr } for  pid=30846 comm="qpidd" path="/etc/passwd" dev="dm-0" ino=136247370 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


require {
        type qpidd_t;
}

#============= qpidd_t ==============
auth_read_passwd(qpidd_t)

We configure it with x509 certificates, maybe this is the difference from the default setup:

cat /etc/qpidd.conf 
#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0 
#
# Unless required by applicable law or agreed to in writing, 
# software distributed under the License is distributed on an 
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 
# KIND, either express or implied. See the License for the 
# specific language governing permissions and limitations 
# under the License. 
#
# Configuration file for qpidd. Entries are of the form: 
# name=value 
#
# (Note: no spaces on either side of '='). Using default settings: 
# "qpidd --help" or "man qpidd" for more details. 
#cluster-mechanism=ANONYMOUS 
log-enable=error+
log-to-syslog=yes
auth=no
require-encryption=yes
ssl-require-client-authentication=yes
ssl-port=5671
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-password-file=/etc/pki/katello/nssdb/nss_db_password-file
ssl-cert-name=broker

Comment 2 Milos Malik 2014-08-14 14:43:00 UTC
Actual results in permissive mode:
----
time->Thu Aug 14 16:39:10 2014
type=PATH msg=audit(1408027150.351:628): item=0 name="/etc/passwd" inode=9773183 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1408027150.351:628):  cwd="/"
type=SYSCALL msg=audit(1408027150.351:628): arch=c000003e syscall=4 success=yes exit=0 a0=7f41096189b6 a1=7fffc54f3c70 a2=7fffc54f3c70 a3=7fffc54f5b10 items=1 ppid=1 pid=15694 auid=4294967295 uid=972 gid=968 euid=972 suid=972 fsuid=972 egid=968 sgid=968 fsgid=968 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1408027150.351:628): avc:  denied  { getattr } for  pid=15694 comm="qpidd" path="/etc/passwd" dev="vda3" ino=9773183 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
time->Thu Aug 14 16:39:10 2014
type=PATH msg=audit(1408027150.351:629): item=0 name="/etc/passwd" inode=9773183 dev=fd:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 objtype=NORMAL
type=CWD msg=audit(1408027150.351:629):  cwd="/"
type=SYSCALL msg=audit(1408027150.351:629): arch=c000003e syscall=2 success=yes exit=10 a0=7f41096189b6 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=15694 auid=4294967295 uid=972 gid=968 euid=972 suid=972 fsuid=972 egid=968 sgid=968 fsgid=968 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1408027150.351:629): avc:  denied  { open } for  pid=15694 comm="qpidd" path="/etc/passwd" dev="vda3" ino=9773183 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1408027150.351:629): avc:  denied  { read } for  pid=15694 comm="qpidd" name="passwd" dev="vda3" ino=9773183 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
----
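
Added example (my own code, not from this report or the selinux-policy project): a small Python parser for AVC records like the ones above. It extracts source type, target type, class and the denied permissions, then aggregates them per (source, target, class) so the two captures can be compared: the enforcing-mode run in the description stops at the first denial (getattr), while the permissive-mode run here records all three permissions (getattr, open, read) that a policy fix has to grant. The sample lines are copied from this report; function names are mine.

```python
import re
from collections import defaultdict

# Matches the AVC record format seen in the audit output above:
# "avc:  denied  { perm ... } for  pid=N comm="x" ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # A context is user:role:type:level; policy rules key on the type component.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def aggregate_denials(lines):
    """Collect every denied permission per (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

def allow_rules(needed):
    """Render the aggregated denials as raw TE allow rules (what audit2allow emits without -R)."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in needed.items()
    )

# Sample input: AVC lines copied from this bug report (enforcing run from the description,
# permissive run from this comment); non-AVC records are included to show they are skipped.
ENFORCING_LOG = [
    'type=AVC msg=audit(1407962038.636:342): avc:  denied  { getattr } for  pid=30846 comm="qpidd" path="/etc/passwd" dev="dm-0" ino=136247370 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
]
PERMISSIVE_LOG = [
    'type=CWD msg=audit(1408027150.351:629):  cwd="/"',
    'type=AVC msg=audit(1408027150.351:628): avc:  denied  { getattr } for  pid=15694 comm="qpidd" path="/etc/passwd" dev="vda3" ino=9773183 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1408027150.351:629): avc:  denied  { open } for  pid=15694 comm="qpidd" path="/etc/passwd" dev="vda3" ino=9773183 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
    'type=AVC msg=audit(1408027150.351:629): avc:  denied  { read } for  pid=15694 comm="qpidd" name="passwd" dev="vda3" ino=9773183 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file',
]
```

Running `allow_rules(aggregate_denials(PERMISSIVE_LOG))` yields the single rule `allow qpidd_t passwd_file_t:file { getattr open read };`, which is the raw form of the `auth_read_passwd(qpidd_t)` interface call that `audit2allow -R` suggested in the description.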

Comment 3 Lukas Vrabec 2014-08-15 11:21:34 UTC
commit 606f6e07b0cdf6765626f99019fe634da7171299
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Fri Aug 15 13:19:12 2014 +0200

    Allow qpid to read passwd files BZ (#1130086)


This will be backported to RHEL7.

Comment 8 errata-xmlrpc 2015-03-05 10:42:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

