Bug 1209518 - redis-server runs as unconfined_service_t because file context pattern is incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-04-07 14:35 UTC by Milos Malik
Modified: 2017-07-24 17:03 UTC (History)

Fixed In Version: selinux-policy-3.13.1-32.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1531032
Environment:
Last Closed: 2015-11-19 10:31:12 UTC
Target Upstream Version:
Embargoed:
lvrabec: needinfo-
Links:
Red Hat Product Errata RHBA-2015:2300 (normal, SHIPPED_LIVE): selinux-policy bug fix update, last updated 2015-11-19 09:55:26 UTC

Description Milos Malik 2015-04-07 14:35:07 UTC
Description of problem:

Version-Release number of selected component (if applicable):
redis-2.8.19-1.el7.x86_64
selinux-policy-3.13.1-24.el7.noarch
selinux-policy-devel-3.13.1-24.el7.noarch
selinux-policy-doc-3.13.1-24.el7.noarch
selinux-policy-minimum-3.13.1-24.el7.noarch
selinux-policy-mls-3.13.1-24.el7.noarch
selinux-policy-sandbox-3.13.1-24.el7.noarch
selinux-policy-targeted-3.13.1-24.el7.noarch

How reproducible:
always

Steps to Reproduce:
# rpm -ql redis | grep redis-server
/usr/bin/redis-server
# matchpathcon /usr/bin/redis-server
/usr/bin/redis-server	system_u:object_r:bin_t:s0
# matchpathcon /usr/sbin/redis-server
/usr/sbin/redis-server	system_u:object_r:redis_exec_t:s0
# ls -l /usr/sbin/redis-server
ls: cannot access /usr/sbin/redis-server: No such file or directory
# service redis start
Redirecting to /bin/systemctl start  redis.service
# service redis status
Redirecting to /bin/systemctl status  redis.service
redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Tue 2015-04-07 16:33:53 CEST; 2s ago
 Main PID: 23298 (redis-server)
   CGroup: /system.slice/redis.service
           └─23298 /usr/bin/redis-server 127.0.0.1:6379

Apr 07 16:33:53 rhel71.localdomain systemd[1]: Starting Redis persistent key-value database...
Apr 07 16:33:53 rhel71.localdomain systemd[1]: Started Redis persistent key-value database.
# ps -efZ | grep redis
system_u:system_r:unconfined_service_t:s0 redis 23298 1  0 16:33 ?     00:00:00 /usr/bin/redis-server 127.0.0.1:6379
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23313 21580  0 16:34 pts/0 00:00:00 grep --color=auto redis
# 

Actual results:
 * /usr/bin/redis-server is labeled bin_t

Expected results:
 * /usr/bin/redis-server is labeled redis_exec_t

Comment 1 Milos Malik 2015-04-07 14:41:06 UTC
When the correct label is set on the /usr/bin/redis-server file, the redis process triggers an AVC in enforcing mode:

# ls -Z /usr/bin/redis-server
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/redis-server
# chcon -t redis_exec_t /usr/bin/redis-server
# service redis start
Redirecting to /bin/systemctl start  redis.service
# service redis status
Redirecting to /bin/systemctl status  redis.service
redis.service - Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since Tue 2015-04-07 16:36:17 CEST; 1s ago
 Main PID: 23403 (redis-server)
   CGroup: /system.slice/redis.service
           └─23403 /usr/bin/redis-server 127.0.0.1:6379

Apr 07 16:36:17 rhel71.localdomain systemd[1]: Started Redis persistent key-value database.
# ps -efZ | grep redis
system_u:system_r:redis_t:s0    redis    23403     1  0 16:36 ?        00:00:00 /usr/bin/redis-server 127.0.0.1:6379
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23470 21580  0 16:38 pts/0 00:00:00 grep --color=auto redis
#

----
type=PATH msg=audit(04/07/2015 16:19:46.167:2355) : item=0 name=/proc/sys/net/core/somaxconn objtype=UNKNOWN 
type=CWD msg=audit(04/07/2015 16:19:46.167:2355) :  cwd=/var/lib/redis 
type=SYSCALL msg=audit(04/07/2015 16:19:46.167:2355) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fda9c92957b a1=O_RDONLY a2=0x1b6 a3=0x16f items=1 ppid=1 pid=22044 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/07/2015 16:19:46.167:2355) : avc:  denied  { search } for  pid=22044 comm=redis-server name=net dev="proc" ino=6869 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir 
----

Comment 2 Milos Malik 2015-04-07 14:44:26 UTC
The following AVCs appear in permissive mode:
----
type=PATH msg=audit(04/07/2015 16:43:24.339:2493) : item=0 name=/proc/sys/net/core/somaxconn inode=123603 dev=00:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 objtype=NORMAL 
type=CWD msg=audit(04/07/2015 16:43:24.339:2493) :  cwd=/var/lib/redis 
type=SYSCALL msg=audit(04/07/2015 16:43:24.339:2493) : arch=x86_64 syscall=open success=yes exit=5 a0=0x7fd892c4e57b a1=O_RDONLY a2=0x1b6 a3=0x16f items=1 ppid=1 pid=23589 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc:  denied  { open } for  pid=23589 comm=redis-server path=/proc/sys/net/core/somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc:  denied  { read } for  pid=23589 comm=redis-server name=somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc:  denied  { search } for  pid=23589 comm=redis-server name=net dev="proc" ino=6869 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir 
----
type=SYSCALL msg=audit(04/07/2015 16:43:24.339:2494) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x5 a1=0x7fff4017df10 a2=0x7fff4017df10 a3=0x0 items=0 ppid=1 pid=23589 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/07/2015 16:43:24.339:2494) : avc:  denied  { getattr } for  pid=23589 comm=redis-server path=/proc/sys/net/core/somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file 
----

Comment 3 Milos Malik 2015-04-14 07:45:27 UTC
unixsocket /var/run/redis/redis.sock
unixsocketperm 700

If /etc/redis.conf contains the above-mentioned options, then the following AVC appears in enforcing mode:

----
type=PATH msg=audit(04/14/2015 09:36:38.695:193) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(04/14/2015 09:36:38.695:193) : item=1 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(04/14/2015 09:36:38.695:193) : item=0 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(04/14/2015 09:36:38.695:193) : saddr=local /var/run/redis/redis.sock 
type=SYSCALL msg=audit(04/14/2015 09:36:38.695:193) : arch=x86_64 syscall=bind success=no exit=-13(Permission denied) a0=0x6 a1=0x7fffc0687b20 a2=0x6e a3=0x4 items=3 ppid=1 pid=24236 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/14/2015 09:36:38.695:193) : avc:  denied  { create } for  pid=24236 comm=redis-server name=redis.sock scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file 
----

Comment 4 Milos Malik 2015-04-14 07:48:52 UTC
The following AVCs appear in permissive mode:
----
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=4 name=(null) inode=97450 dev=00:12 mode=socket,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=CREATE 
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=3 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=2 name=(null) objtype=CREATE 
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=1 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT 
type=PATH msg=audit(04/14/2015 09:46:10.268:234) : item=0 name=(null) inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT 
type=SOCKADDR msg=audit(04/14/2015 09:46:10.268:234) : saddr=local /var/run/redis/redis.sock 
type=SYSCALL msg=audit(04/14/2015 09:46:10.268:234) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x7fff812c2900 a2=0x6e a3=0x4 items=5 ppid=1 pid=2337 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/14/2015 09:46:10.268:234) : avc:  denied  { create } for  pid=2337 comm=redis-server name=redis.sock scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(04/14/2015 09:46:10.269:235) : item=0 name=/var/run/redis/redis.sock inode=97450 dev=00:12 mode=socket,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=NORMAL 
type=CWD msg=audit(04/14/2015 09:46:10.269:235) :  cwd=/var/lib/redis 
type=SYSCALL msg=audit(04/14/2015 09:46:10.269:235) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x7fff812c2902 a1=0700 a2=0x6e a3=0x4 items=1 ppid=1 pid=2337 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/14/2015 09:46:10.269:235) : avc:  denied  { setattr } for  pid=2337 comm=redis-server name=redis.sock dev="tmpfs" ino=97450 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file 
----
type=PATH msg=audit(04/14/2015 09:46:16.279:238) : item=1 name=/var/run/redis/redis.sock inode=97450 dev=00:12 mode=socket,700 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=DELETE 
type=PATH msg=audit(04/14/2015 09:46:16.279:238) : item=0 name=/var/run/redis/ inode=19611 dev=00:12 mode=dir,755 ouid=redis ogid=redis rdev=00:00 obj=system_u:object_r:redis_var_run_t:s0 objtype=PARENT 
type=CWD msg=audit(04/14/2015 09:46:16.279:238) :  cwd=/var/lib/redis 
type=SYSCALL msg=audit(04/14/2015 09:46:16.279:238) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x7f3f90858ce0 a1=0x7f3f920fd090 a2=0x51 a3=0x4000 items=2 ppid=1 pid=2337 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-server exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null) 
type=AVC msg=audit(04/14/2015 09:46:16.279:238) : avc:  denied  { unlink } for  pid=2337 comm=redis-server name=redis.sock dev="tmpfs" ino=97450 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file 
----
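A defender-side check for the two things this report shows (a daemon left in unconfined_service_t because its executable was labeled bin_t, and the AVC denials that follow once it does run as redis_t), as an added Python example that is not part of this bug or of selinux-policy. The sample lines are copied from the description and comments above; the rule output mirrors the summary audit2allow would give for the same denials.

```python
import re
from collections import defaultdict

# Constructed samples, copied from this bug's comments: a `ps -efZ` line showing the
# symptom (redis running unconfined), and AVC denials recorded once the label was fixed.
SAMPLE_PS = """\
system_u:system_r:unconfined_service_t:s0 redis 23298 1  0 16:33 ?     00:00:00 /usr/bin/redis-server 127.0.0.1:6379
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 23313 21580  0 16:34 pts/0 00:00:00 grep --color=auto redis
"""
SAMPLE_AVCS = """\
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc:  denied  { open } for  pid=23589 comm=redis-server path=/proc/sys/net/core/somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc:  denied  { read } for  pid=23589 comm=redis-server name=somaxconn dev="proc" ino=123603 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(04/07/2015 16:43:24.339:2493) : avc:  denied  { search } for  pid=23589 comm=redis-server name=net dev="proc" ino=6869 scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(04/14/2015 09:46:10.268:234) : avc:  denied  { create } for  pid=2337 comm=redis-server name=redis.sock scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")

def context_type(ctx):
    """Type component of a user:role:type[:level] SELinux context string."""
    return ctx.split(":")[2]

def unconfined_services(ps_output):
    """(pid, command) of every process in `ps -efZ` output running as unconfined_service_t,
    i.e. a daemon whose executable label gave init no domain transition (this bug's symptom)."""
    hits = []
    for line in ps_output.splitlines():
        f = line.split()
        if len(f) >= 9 and context_type(f[0]) == "unconfined_service_t":
            hits.append((int(f[2]), f[8]))
    return hits

def allow_rules(audit_text):
    """Merge AVC denials into the minimal TE allow rules they imply, one per
    (source type, target type, object class), the way audit2allow summarises them."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["s"]), context_type(m["t"]), m["c"])
            merged[key] |= set(m["perms"].split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print(unconfined_services(SAMPLE_PS))
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

Rules produced this way describe what the denied process actually attempted; whether each should be granted is a policy decision, which is exactly the question raised later in this bug about the /proc/sys/net/core/ search.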

Comment 5 Miroslav Grepl 2015-06-09 15:49:27 UTC
commit 72793c18baf117b6c5d9fd717d0f4c42e1342423
Author: Miroslav Grepl <mgrepl>
Date:   Tue Apr 14 11:05:56 2015 +0200

    Allow redis to create /var/run/redis/redis.sock.

Comment 8 Lukas Vrabec 2015-07-09 12:40:53 UTC
commit eb6f33583015868a0f0b3baf53e04b26d709c421
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 9 14:34:18 2015 +0200

    Fix path from /usr/sbin/redis-server to /usr/bin/redis-server.

Comment 11 Lukas Vrabec 2015-07-18 21:08:25 UTC
What about permissive mode?

Comment 12 Lukas Vrabec 2015-07-23 14:20:01 UTC
Hi,
Could you check whether the rule that redis-server searches in "/proc/sys/net/core/" is really needed?

Thank you

Comment 14 Lukas Vrabec 2015-07-28 14:03:15 UTC
commit 568513ffa2dbeeb031979f1883f780d7e53b2454
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 28 16:00:25 2015 +0200

    Allow redis to read kernel parameters.
    Resolves: #1209518

Comment 18 errata-xmlrpc 2015-11-19 10:31:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

