Bug 1170775 - starting qpidd causes 5 different SELinux AVCs
Summary: starting qpidd causes 5 different SELinux AVCs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: 3.2
Assignee: Irina Boverman
QA Contact: Zdenek Kraus
URL:
Whiteboard:
Depends On: 1171275 1218323
Blocks:
Reported: 2014-12-04 20:19 UTC by Frantisek Reznicek
Modified: 2015-11-16 01:17 UTC (History)
CC: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-08 13:10:02 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1148984 1 None None None 2025-02-10 03:43:10 UTC
Red Hat Product Errata RHEA-2015:1879 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.2 Release 2015-10-08 17:07:53 UTC

Internal Links: 1148984

Description Frantisek Reznicek 2014-12-04 20:19:40 UTC
Description of problem:

Starting qpidd on RHEL 6.6 causes 5 different SELinux AVCs:

service qpidd stop
  -> no AVC

service qpidd start
  -> 5 new AVCs

Qpidd functionality doesn't seem to be affected.

type=AVC msg=audit(1417723790.708:134): avc:  denied  { read } for  pid=1407 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723790.752:135): avc:  denied  { read } for  pid=1407 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1417723790.918:138): avc:  denied  { read } for  pid=1415 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.116:141): avc:  denied  { read } for  pid=1428 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.169:142): avc:  denied  { read } for  pid=1428 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Version-Release number of selected component (if applicable):
perl-qpid-0.22-13.el6.x86_64
perl-qpid-debuginfo-0.22-13.el6.x86_64
python-qpid-0.22-18.el6.noarch
python-qpid-proton-doc-0.6-2.el6.noarch
python-qpid-qmf-0.22-39.el6.x86_64
qpid-cpp-client-0.22-49.el6.x86_64
qpid-cpp-client-devel-0.22-49.el6.x86_64
qpid-cpp-client-devel-docs-0.22-49.el6.noarch
qpid-cpp-client-rdma-0.22-49.el6.x86_64
qpid-cpp-debuginfo-0.22-49.el6.x86_64
qpid-cpp-server-0.22-49.el6.x86_64
qpid-cpp-server-devel-0.22-49.el6.x86_64
qpid-cpp-server-ha-0.22-49.el6.x86_64
qpid-cpp-server-linearstore-0.22-49.el6.x86_64
qpid-cpp-server-rdma-0.22-49.el6.x86_64
qpid-cpp-server-xml-0.22-49.el6.x86_64
qpid-java-client-0.22-6.el6.noarch
qpid-java-common-0.22-6.el6.noarch
qpid-java-example-0.22-6.el6.noarch
qpid-jca-0.22-2.el6.noarch
qpid-jca-xarecovery-0.22-2.el6.noarch
qpid-jca-zip-0.22-2.el6.noarch
qpid-proton-c-0.7-4.el6.x86_64
qpid-proton-c-devel-0.7-4.el6.x86_64
qpid-proton-c-devel-doc-0.6-2.el6.noarch
qpid-proton-debuginfo-0.7-4.el6.x86_64
qpid-qmf-0.22-39.el6.x86_64
qpid-qmf-debuginfo-0.22-39.el6.x86_64
qpid-qmf-devel-0.22-39.el6.x86_64
qpid-snmpd-1.0.0-16.el6.x86_64
qpid-snmpd-debuginfo-1.0.0-16.el6.x86_64
qpid-tests-0.22-16.el6.noarch
qpid-tools-0.22-16.el6.noarch
ruby-qpid-0.7.946106-2.el6.x86_64
ruby-qpid-qmf-0.22-39.el6.x86_64

selinux-policy-3.7.19-260.el6.noarch
selinux-policy-targeted-3.7.19-260.el6.noarch
libselinux-2.0.94-5.8.el6.x86_64
libselinux-utils-2.0.94-5.8.el6.x86_64

# rpm -V qpid-cpp-server
# 

How reproducible:
100%

Steps to Reproduce:
1. tailf /var/log/audit/audit.log | grep AVC (terminal A)
2. service qpidd restart (terminal B)
3. terminal A shows the AVCs listed above

Actual results:
  Qpidd triggers AVCs when starting.

Expected results:
  Qpidd should not trigger any AVCs when starting or stopping.

Additional info:

Comment 1 Frantisek Reznicek 2014-12-04 20:21:53 UTC
It's been detected that at least the following two releases are affected:
  qpid-cpp-client-0.22-49.el6.*
  qpid-cpp-client-0.22-50.el6.*

Comment 2 Justin Ross 2014-12-04 20:27:57 UTC
Darryl, please assess.

Comment 4 Darryl L. Pierce 2014-12-05 14:38:17 UTC
(In reply to Justin Ross from comment #2)
> Darryl, please assess.

I installed and ran the r49 qpid-cpp-server and verified that the AVC errors are happening. I discussed this with some people in the #selinux channel on Freenode, who said it's possibly due to a leaked file descriptor and pointed me to an article [1] by Dan Walsh as a possible cause.

[1] https://danwalsh.livejournal.com/53603.html

Comment 6 Zdenek Kraus 2015-03-26 09:50:24 UTC
These AVC errors are also present on RHEL 7, and with qpid-cpp-0.30.
The AVC errors also occur when upgrading/downgrading qpid.

Comment 9 Irina Boverman 2015-05-04 15:35:11 UTC
RHEL 7 bz: 1218323

Comment 10 Otavio Piske 2015-07-17 07:18:57 UTC
These AVC errors are also present on RHEL 6 and 7 with qpid-cpp-0.32.

Comment 14 Zdenek Kraus 2015-08-04 14:38:37 UTC
on RHEL 6
qpid-cpp-server-0.34-1.el6.x86_64
(also with qpid-cpp-server-0.30-8.el6.x86_64)
selinux-policy-3.7.19-279.el6.noarch (this should be currently available via regular channels)

on RHEL 7
qpid-cpp-server-0.34-1.el6.x86_64
selinux-policy-3.13.1-30.el7.noarch
selinux-policy-3.13.1-37.el7.noarch

Restarting the broker does not cause the above-mentioned and/or new AVC errors.

Comment 16 Zdenek Kraus 2015-09-14 08:47:51 UTC
MRG 3.1 and MRG 3.2:
qpid-cpp-server-0.30-8
qpid-cpp-server-0.34-3

current:
selinux-policy-3.7.19-279.el6_7.5.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.17.noarch
.. FAIL
type=AVC msg=audit(1441900864.281:388): avc:  denied  { read } for  pid=2775 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1441900865.374:391): avc:  denied  { read } for  pid=2798 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file


new packages:
selinux-policy-3.7.19-279.el6_7.6.noarch
.. PASS

selinux-policy-3.13.1-23.el7_1.18.noarch
.. PASS

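The five denials in the description and the two RHEL 7 denials in comment 16 are a handful of (source type, target type, class, permission) tuples repeated across restarts. The following Python triage helper is an added example, not code from this bug report, Red Hat or the qpid project: it parses audit.log AVC lines into those tuples, counts them, renders the audit2allow-style rule a reviewer would be looking at, and annotates each tuple with the reading this thread gives it. The heuristic that a daemon reading a `*_initrc_exec_t` file fits the leaked-descriptor explanation from comment 4, and the note that the `proc_net_t` read was closed by a policy update (comment 16), are assumptions drawn from the comments, not a general rule.

```python
import re
from collections import Counter

# Audit lines copied from this bug report: the five RHEL 6 denials from the
# description (dev= unquoted) and the two RHEL 7 denials from comment 16
# (dev= quoted). Any other audit.log content can be fed in the same way.
SAMPLE_AVCS = """\
type=AVC msg=audit(1417723790.708:134): avc:  denied  { read } for  pid=1407 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723790.752:135): avc:  denied  { read } for  pid=1407 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1417723790.918:138): avc:  denied  { read } for  pid=1415 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.116:141): avc:  denied  { read } for  pid=1428 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=vda1 ino=392580 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1417723791.169:142): avc:  denied  { read } for  pid=1428 comm="qpidd" name="psched" dev=proc ino=4026531986 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1441900864.281:388): avc:  denied  { read } for  pid=2775 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1441900865.374:391): avc:  denied  { read } for  pid=2798 comm="qpidd" name="psched" dev="proc" ino=4026531980 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# "{ read }" may list several permissions, e.g. "{ read write }".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
# key=value pairs after "for": values are either "quoted" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return (perms, fields) for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group('perms').split()))
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group('fields')):
        fields[key] = bare if bare else quoted
    return perms, fields


def se_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(':')[2]


def summarize(lines):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        counts[(se_type(f['scontext']), se_type(f['tcontext']), f['tclass'], perms)] += 1
    return counts


def te_rule(key):
    """Render the tuple as an audit2allow-style allow rule, for review only."""
    stype, ttype, tclass, perms = key
    return f'allow {stype} {ttype}:{tclass} {{ {" ".join(perms)} }};'


def classify(key):
    """Annotate a tuple with the explanation this bug thread attaches to it (assumption)."""
    stype, ttype, tclass, perms = key
    if ttype.endswith('_initrc_exec_t') and tclass == 'file':
        # The daemon (or restorecon launched by it) holds the init script open:
        # this matches the leaked-descriptor cause suggested in comment 4, so the
        # fix belongs in the init script/daemon (close-on-exec), not in policy.
        return 'fits leaked descriptor from init script (comment 4); do not allow'
    if ttype == 'proc_net_t':
        # Read of a /proc/net entry; in this report it went away with the
        # selinux-policy update listed in comment 16.
        return 'resolved by selinux-policy update (comment 16)'
    return 'unclassified; review before changing policy'


def triage(text):
    """Return one (key, count, rule, note) row per distinct denial tuple."""
    counts = summarize(text.splitlines())
    return [(key, n, te_rule(key), classify(key)) for key, n in sorted(counts.items())]


if __name__ == '__main__':
    for key, n, rule, note in triage(SAMPLE_AVCS):
        print(f'{n:2d}x  {rule:55s}  # {note}')
```

Run against the sample, the seven lines collapse to three tuples: qpidd_t reading its own init script (2), setfiles_t reading the same script (1), and qpidd_t reading the psched entry under proc_net_t (4). That grouping is what makes the comment 4 explanation visible: two different domains are denied the same inode, which is what an inherited descriptor looks like from the policy's side.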
Comment 18 Zdenek Kraus 2015-09-30 12:53:38 UTC
Since all blocking bugs are resolved, marking as VERIFIED

Comment 20 errata-xmlrpc 2015-10-08 13:10:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-1879.html
