Bug 1196555 - avc in mod_passenger "rm /" { getattr }
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1208765 1217188
Reported: 2015-02-26 09:39 UTC by Ondřej Pták
Modified: 2015-11-19 10:28 UTC (History)

Fixed In Version: selinux-policy-3.13.1-47.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1217188
Environment:
Last Closed: 2015-11-19 10:28:07 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Ondřej Pták 2015-02-26 09:39:53 UTC
Description of problem:
I have one strange AVC generated by the test for rh-passenger40 && httpd24 (RHSCL).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-14.el7.noarch
rh-passenger40-passenger-doc-4.0.50-8.el7.noarch
rh-passenger40-mod_passenger-4.0.50-8.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. run test: http://pkgs.devel.redhat.com/cgit/tests/passenger/tree/Sanity/basic
   scl enable rh-passenger40 rh-ruby22 ruby193 ruby200 httpd24 'COLLECTIONS="rh-passenger40 rh-ruby22 ruby193 ruby200 httpd24" PACKAGES=rh-passenger40 make'


Actual results:
type=SYSCALL msg=audit(02/26/2015 09:35:56.520:1862) : arch=x86_64 syscall=fstatfs success=no exit=-13(Permission denied) a0=0x4 a1=0x7ffff1211cd0 a2=0x1b07730 a3=0x7ffff1211a80 items=0 ppid=16475 pid=16576 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rm exe=/usr/bin/rm subj=system_u:system_r:passenger_t:s0 key=(null) 
type=AVC msg=audit(02/26/2015 09:35:56.520:1862) : avc:  denied  { getattr } for  pid=16576 comm=rm name=/ dev="dm-0" ino=128 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Expected results:


Additional info:
"rm /" issue is discussed in foreman bug, they allow this access:
http://projects.theforeman.org/issues/6013

Comment 1 Ondřej Pták 2015-02-26 14:18:38 UTC
This is what passenger tries to do:

rm -rf /var/run/rh-passenger40/passenger.1.0.16997/generation-0
rm -rf /var/run/rh-passenger40/passenger.1.0.16997

Comment 2 Jan Kaluža 2015-02-27 07:20:50 UTC
According to my tests, this is the minimal SELinux policy module needed by passenger to work in RHEL7 without AVCs:

module test 1.0;

require {
        type fs_t;
        type passenger_t;
        type httpd_t;
        class unix_stream_socket { read write getattr };
        class process getsession;
        class capability2 block_suspend;
        class tcp_socket accept;
        class filesystem getattr;
}

allow passenger_t self:capability2 block_suspend;
allow passenger_t self:process getsession;
allow passenger_t fs_t:filesystem getattr;
allow passenger_t self:tcp_socket accept;
allow passenger_t httpd_t:unix_stream_socket { getattr read write };

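The denial in the description and the `allow passenger_t fs_t:filesystem getattr;` line in the module above are linked by the translation step audit2allow performs. As an added example (not code from this bug, Passenger or the selinux-policy package), the following Python reimplements that step in miniature: it parses `ausearch -i`-style AVC records, merges denied permissions per (source type, target type, class) triple, and renders a `.te` module with the require block checkmodule needs. The first log line is the record quoted in this bug; the two unix_stream_socket records and the module name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in this bug plus two made-up
# unix_stream_socket denials, to show merging of permissions per triple.
AVC_LOG = """\
type=AVC msg=audit(02/26/2015 09:35:56.520:1862) : avc:  denied  { getattr } for  pid=16576 comm=rm name=/ dev="dm-0" ino=128 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
type=AVC msg=audit(02/26/2015 09:35:57.100:1863) : avc:  denied  { read write } for  pid=16580 comm=PassengerHelper scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(02/26/2015 09:35:57.101:1864) : avc:  denied  { getattr } for  pid=16580 comm=PassengerHelper scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def merge_denials(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    merged = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no denial of their own
        stype = m.group("sctx").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tctx").split(":")[2]
        merged[(stype, ttype, m.group("tclass"))] |= set(m.group("perms").split())
    return merged

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def allow_rules(merged):
    # One rule per triple; a target equal to the source is written as 'self'.
    return [f"allow {s} {'self' if s == t else t}:{c} {fmt_perms(p)};"
            for (s, t, c), p in sorted(merged.items())]

def te_module(name, merged):
    """Render a .te module with the require block checkmodule needs."""
    types = sorted({x for (s, t, _) in merged for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, c), p in merged.items():
        classes[c] |= p
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {x};" for x in types]
    body += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    body += ["}", ""] + allow_rules(merged)
    return "\n".join(body) + "\n"
```

`te_module("passenger_local", merge_denials(AVC_LOG))` yields the filesystem getattr rule from comment 2 plus one merged unix_stream_socket rule. Rules produced this way describe what was denied, not what is safe to grant, which is why this bug was resolved by a change to the distribution policy rather than by loading such a module on every host.
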
Comment 3 Ondřej Pták 2015-02-27 11:13:35 UTC
(In reply to Jan Kaluža from comment #2)
> According to my tests, this is the minimal SELinux policy module needed by
> passenger to work in RHEL7 without AVCs:
> 
> module test 1.0;
> 
> require {
>         type fs_t;
>         type passenger_t;
>         type httpd_t;
>         class unix_stream_socket { read write getattr };
>         class process getsession;
>         class capability2 block_suspend;
>         class tcp_socket accept;
>         class filesystem getattr;
> }
> 
> allow passenger_t self:capability2 block_suspend;
> allow passenger_t self:process getsession;
> allow passenger_t fs_t:filesystem getattr;
> allow passenger_t self:tcp_socket accept;
> allow passenger_t httpd_t:unix_stream_socket { getattr read write };

My test passes with this module in Enforcing mode. The test is about running passenger with mod_passenger and 3 ruby collections (ruby193, ruby200, rh-ruby22) as interpreters.

Comment 7 Lukas Vrabec 2015-09-01 16:11:49 UTC
commit 972c57ac37720defc8b6bd7e100ce9dcb4bb9309
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Tue Sep 1 18:01:36 2015 +0200

    Allow passenger to getattr filesystem xattr
    Resolves: #1196555

Comment 11 errata-xmlrpc 2015-11-19 10:28:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

