1154742 – xinetd cannot start /usr/sbin/sserver

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1154742 - xinetd cannot start /usr/sbin/sserver

Summary: xinetd cannot start /usr/sbin/sserver

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.1
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-10-20 16:27 UTC by Patrik Kis
Modified:	2015-03-05 10:46 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.13.1-8.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-03-05 10:46:17 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2015:0458	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2015-03-05 15:17:00 UTC

Description Patrik Kis 2014-10-20 16:27:11 UTC

Description of problem:
Selinux-policy prevents xinetd to start sserver (from krb5 package). This used to work on RHEL-6 and RHEL-7.0 too.

type=SYSCALL msg=audit(1413821422.744:21218): arch=80000016 syscall=11 success=no exit=-13 a0=2aad8e02040 a1=2aad8e025e0 a2=2aad8df6890 a3=0 items=0 ppid=9732 pid=9860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="xinetd" exe="/usr/sbin/xinetd" subj=system_u:system_r:inetd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1413821422.744:21218): avc:  denied  { entrypoint } for  pid=9860 comm="xinetd" path="/usr/sbin/sserver" dev="dm-1" ino=71377489 scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-4.el7.noarch

How reproducible:
always

Comment 3 Milos Malik 2014-10-20 17:15:31 UTC

Here is the only AVC that appeared in permissive mode:
----
type=PATH msg=audit(10/20/2014 19:13:33.150:833) : item=1 name=(null) inode=33658149 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL 
type=PATH msg=audit(10/20/2014 19:13:33.150:833) : item=0 name=/usr/sbin/sserver inode=35800899 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 objtype=NORMAL 
type=CWD msg=audit(10/20/2014 19:13:33.150:833) :  cwd=/ 
type=EXECVE msg=audit(10/20/2014 19:13:33.150:833) : argc=1 a0=sserver 
type=SYSCALL msg=audit(10/20/2014 19:13:33.150:833) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f459ade8890 a1=0x7f459addd8d0 a2=0x7f459ade3230 a3=0x353a383965663a66 items=2 ppid=9066 pid=9214 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sserver exe=/usr/sbin/sserver subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(10/20/2014 19:13:33.150:833) : avc:  denied  { entrypoint } for  pid=9214 comm=xinetd path=/usr/sbin/sserver dev="vda2" ino=35800899 scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file 
----

# rpm -qf /usr/sbin/sserver 
krb5-server-1.12.2-8.el7.x86_64
# matchpathcon /usr/sbin/sserver 
/usr/sbin/sserver	system_u:object_r:bin_t:s0
#

Comment 4 Miroslav Grepl 2014-11-03 10:24:10 UTC

Yes, this is caused by changes related to unconfined_services_t.

And now we have

corecmd_bin_domtrans(inetd_t, inetd_child_t)

optional_policy(`
    unconfined_domain(inetd_child_t)
').

Comment 5 Miroslav Grepl 2014-11-03 10:26:07 UTC

Either we confine sserver 

or we add general rule

corecmd_bin_entry_type(inetd_child_t)

for these cases.

QA guys,
could you try to test it with this rule to see how it works.

Comment 6 Patrik Kis 2014-11-04 11:08:37 UTC

Relabelling the sserver to inetd_child_exec_t helped; i.e. after 

# chcon -v --type inetd_child_exec_t /usr/sbin/sserver 

sserver was successfully started by xinetd and no AVC denials appeared.

Should I do a different test, please let me know.

Comment 7 Miroslav Grepl 2014-11-04 12:55:49 UTC

I meant a local policy with


corecmd_bin_entry_type(inetd_child_t)


# chcon -v --type inetd_child_exec_t /usr/sbin/sserver 

is not a good label for sserver. It should be more something related to kerberos.

Comment 8 Patrik Kis 2014-11-04 14:48:47 UTC

(In reply to Miroslav Grepl from comment #7)
> I meant a local policy with
> 
> 
> corecmd_bin_entry_type(inetd_child_t)
> 
Could you please specify exactly what policy should tested? Building a custom policy module just with the line above is failing. So it probably need something else, but I do not know what exactly.

Comment 9 Miroslav Grepl 2014-11-05 09:12:50 UTC

$ cat mypol.te
policy_module(mypol, 1.0)

require{
 type inetd_child_t;
}

corecmd_bin_entry_type(inetd_child_t)



and 

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp

Comment 10 Patrik Kis 2014-11-05 09:27:13 UTC

This policy module helped. The daemon sserver started and no AVC denials appeared.

Comment 11 Miroslav Grepl 2014-11-05 09:55:45 UTC

commit 0ae616507aa951f641b1362a91aee7df2e1f0cb9
Author: Miroslav Grepl <mgrepl>
Date:   Wed Nov 5 10:55:01 2014 +0100

    Allow inetd service without own policy to run in inetd_child_t which is unconfined domain.

Comment 15 errata-xmlrpc 2015-03-05 10:46:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

Note You need to log in before you can comment on or make changes to this bug.