Bug 1220763 - please add default labels for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
Summary: please add default labels for /var/tmp/kadmin_0 and /var/tmp/kiprop_0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-05-12 11:25 UTC by Milos Malik
Modified: 2015-11-19 10:33 UTC (History)
CC: 7 users

Fixed In Version: selinux-policy-3.13.1-34.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1210421
Environment:
Last Closed: 2015-11-19 10:33:43 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Bugzilla 1220691 (priority medium, status CLOSED): /usr/sbin/kpropd is labeled bin_t instead of kpropd_exec_t (last updated 2021-02-22 00:41:40 UTC)
Red Hat Product Errata RHBA-2015:2300 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update (last updated 2015-11-19 09:55:26 UTC)

Internal Links: 1220691

Description Milos Malik 2015-05-12 11:25:54 UTC
Description:
 * it seems like a bug that the following files can be left around and not relabeled by an autolabel

NVRs:
selinux-policy-mls-3.13.1-24.el7.noarch
selinux-policy-sandbox-3.13.1-24.el7.noarch
selinux-policy-minimum-3.13.1-24.el7.noarch
selinux-policy-devel-3.13.1-24.el7.noarch
selinux-policy-doc-3.13.1-24.el7.noarch
selinux-policy-targeted-3.13.1-24.el7.noarch
selinux-policy-3.13.1-24.el7.noarch

Actual results:
# matchpathcon /var/tmp/kadmin_0
/var/tmp/kadmin_0	<<none>>
# matchpathcon /var/tmp/kiprop_0
/var/tmp/kiprop_0	<<none>>
# 

Expected results:
# matchpathcon /var/tmp/kadmin_0
/var/tmp/kadmin_0	system_u:object_r:kadmind_tmp_t:s0
# matchpathcon /var/tmp/kiprop_0
/var/tmp/kiprop_0	system_u:object_r:krb5kdc_tmp_t:s0
#

This bug is a clone of BZ#1210421. It was created because kadmind and kpropd use them in the same way as on RHEL-6.

Comment 2 Patrik Kis 2015-05-22 11:29:57 UTC
Note:
/var/tmp/kiprop_0	system_u:object_r:krb5kdc_tmp_t:s0
is not a good label for kiprop_0; it should be kadmind_tmp_t

See the details in:
https://bugzilla.redhat.com/show_bug.cgi?id=1220691#c4

Comment 3 Patrik Kis 2015-05-22 13:20:45 UTC
There are missing policies related to this bug report. My incremental propagation test case was executed in permissive mode and the following AVC denials were logged:

MASTER:
----
type=SYSCALL msg=audit(05/22/2015 15:16:47.279:3214) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLKW a2=0x7fffd6c05640 a3=0x7fffd6c05420 items=0 ppid=16885 pid=16923 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=(null) 
type=AVC msg=audit(05/22/2015 15:16:47.279:3214) : avc:  denied  { lock } for  pid=16923 comm=kprop path=/etc/krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file 
----
type=PATH msg=audit(05/22/2015 15:16:47.279:3213) : item=0 name=/etc/krb5.keytab inode=35329465 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:krb5_keytab_t:s0 objtype=NORMAL 
type=CWD msg=audit(05/22/2015 15:16:47.279:3213) :  cwd=/ 
type=SYSCALL msg=audit(05/22/2015 15:16:47.279:3213) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7f32869fde40 a1=O_RDONLY a2=0x1b6 a3=0x0 items=1 ppid=16885 pid=16923 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=KEYTAB 
type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc:  denied  { open } for  pid=16923 comm=kprop path=/etc/krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file 
type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc:  denied  { read } for  pid=16923 comm=kprop name=krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file 


SLAVE:
----
type=SYSCALL msg=audit(05/22/2015 15:16:47.189:1103) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f4bf90e9070 a2=0x10 a3=0x7fff5292d320 items=0 ppid=1 pid=10252 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null) 
type=AVC msg=audit(05/22/2015 15:16:47.189:1103) : avc:  denied  { name_connect } for  pid=10252 comm=kpropd dest=272 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket 


The following module makes the test pass in enforcing mode too:

# cat kpropd.te 
policy_module(kpropd, 1.0)

require {
        type kpropd_t;
        type reserved_port_t;
        type kadmind_t;
        type krb5_keytab_t;
        class tcp_socket name_connect;
        class file { ioctl read getattr lock open };
}

# SLAVE denial above: kpropd connects to a TCP port labeled reserved_port_t
allow kpropd_t reserved_port_t:tcp_socket name_connect;

# MASTER denials above: kprop, running in the kadmind_t domain, opens, reads and locks /etc/krb5.keytab
allow kadmind_t krb5_keytab_t:file { ioctl read getattr lock open };


The above policies exist on RHEL-6 too, so please create them here as well.

Comment 5 Patrik Kis 2015-06-16 10:02:58 UTC
My test is still failing with
selinux-policy-3.13.1-28.el7.noarch

It passes only in permissive mode. The following AVC denials are still logged:

----
type=SYSCALL msg=audit(06/16/2015 06:00:03.243:538) : arch=ppc64 syscall=open success=yes exit=3 a0=0x1001b3e3750 a1=O_RDONLY a2=0x1b6 a3=0x0 items=0 ppid=18365 pid=18403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=(null) 
type=AVC msg=audit(06/16/2015 06:00:03.243:538) : avc:  denied  { open } for  pid=18403 comm=kprop path=/etc/krb5.keytab dev="dm-1" ino=136156885 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file 
type=AVC msg=audit(06/16/2015 06:00:03.243:538) : avc:  denied  { read } for  pid=18403 comm=kprop name=krb5.keytab dev="dm-1" ino=136156885 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file 
----
type=SYSCALL msg=audit(06/16/2015 06:00:03.243:539) : arch=ppc64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLKW a2=0x3fffc0f6d788 a3=0x0 items=0 ppid=18365 pid=18403 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kprop exe=/usr/sbin/kprop subj=system_u:system_r:kadmind_t:s0 key=(null) 
type=AVC msg=audit(06/16/2015 06:00:03.243:539) : avc:  denied  { lock } for  pid=18403 comm=kprop path=/etc/krb5.keytab dev="dm-1" ino=136156885 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file 


----
type=SYSCALL msg=audit(06/16/2015 06:01:03.242:324) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffe0cf429b0 a2=0x1c a3=0x7ffe0cf5c290 items=0 ppid=1 pid=61091 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null) 
type=AVC msg=audit(06/16/2015 06:01:03.242:324) : avc:  denied  { name_connect } for  pid=61091 comm=kpropd dest=754 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:kprop_port_t:s0 tclass=tcp_socket

Comment 13 Patrik Kis 2015-08-05 12:19:13 UTC
There are still AVC denials there:

MASTER:

type=SYSCALL msg=audit(08/05/2015 08:14:15.350:1267) : arch=ppc64 syscall=open success=yes exit=35 a0=0x100014784c0 a1=O_WRONLY|O_CREAT|O_EXCL|O_TRUNC a2=0600 a3=0x0 items=0 ppid=1 pid=22060 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kadmind exe=/usr/sbin/kadmind subj=system_u:system_r:kadmind_t:s0 key=(null) 
type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc:  denied  { write open } for  pid=22060 comm=kadmind path=/var/tmp/kiprop_0 dev="dm-0" ino=205144507 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file 
type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc:  denied  { create } for  pid=22060 comm=kadmind name=kiprop_0 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file 


SLAVE:

type=SYSCALL msg=audit(08/05/2015 08:14:15.351:814) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7f341490ae20 a2=0x10 a3=0x7fff55893230 items=0 ppid=1 pid=23605 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null) 
type=AVC msg=audit(08/05/2015 08:14:15.351:814) : avc:  denied  { name_connect } for  pid=23605 comm=kpropd dest=754 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:kprop_port_t:s0 tclass=tcp_socket

Comment 15 Lukas Vrabec 2015-08-10 11:53:28 UTC
commit 54424ce034d8b8fa57a63663a8193e0b90148511
Author: Lukas Vrabec <lvrabec>
Date:   Mon Aug 10 13:51:12 2015 +0200

    Allow kpropd to connect to kprop tcp port.
    Resolves: #1220763

Comment 16 Lukas Vrabec 2015-08-10 15:03:58 UTC
I think labels are OK (check https://bugzilla.redhat.com/show_bug.cgi?id=1210421)
We should add allow rules so kadmind_t can manage krb5kdc_tmp_t. 
Patrick do you agree?

Comment 17 Patrik Kis 2015-08-11 07:41:37 UTC
(In reply to Lukas Vrabec from comment #16)
> I think labels are OK (check
> https://bugzilla.redhat.com/show_bug.cgi?id=1210421)
> We should add allow rules so kadmind_t can manage krb5kdc_tmp_t. 
> Patrick do you agree?

I believe the label of /var/tmp/kiprop_0 should be changed to kadmind_tmp_t, as it is on RHEL-6. The file is used by the kadmin and kiprop processes, so this label is more suitable than krb5kdc_t, which is for the krb5kdc process.

Comment 18 Patrik Kis 2015-08-11 16:07:02 UTC
To let the test pass I had to add two things:

# semanage fcontext -a -t kadmind_tmp_t /var/tmp/kiprop_0

and add policy:

allow kpropd_t kprop_port_t:tcp_socket name_connect;

These also correspond to what is in bug 1210421 for RHEL-6. Please add them to the selinux-policy for RHEL-7 too.
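
Added example, not code from this bug or from the selinux-policy package: a small audit2allow-style script that turns the AVC records quoted in comments 3, 5 and 13 into a draft .te module, and flags rules whose target type is too generic to be a sensible allow target. The audit lines below are constructed from those comments (SYSCALL/PATH/CWD records dropped, trailing spaces removed); the module name kpropd_local and the GENERIC_TARGETS list are assumptions of this example.

```python
"""Draft SELinux allow rules from raw AVC denial records (audit2allow-style).

Added example for this bug thread; not code from selinux-policy or from the
bug's authors.  Input lines are constructed from the denials quoted in
comments 3, 5 and 13; nothing is read from a live audit log.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(05/22/2015 15:16:47.279:3214) : avc:  denied  { lock } for  pid=16923 comm=kprop path=/etc/krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc:  denied  { open } for  pid=16923 comm=kprop path=/etc/krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(05/22/2015 15:16:47.279:3213) : avc:  denied  { read } for  pid=16923 comm=kprop name=krb5.keytab dev="dm-0" ino=35329465 scontext=system_u:system_r:kadmind_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file
type=AVC msg=audit(05/22/2015 15:16:47.189:1103) : avc:  denied  { name_connect } for  pid=10252 comm=kpropd dest=272 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(06/16/2015 06:01:03.242:324) : avc:  denied  { name_connect } for  pid=61091 comm=kpropd dest=754 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:kprop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc:  denied  { write open } for  pid=22060 comm=kadmind path=/var/tmp/kiprop_0 dev="dm-0" ino=205144507 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file
type=AVC msg=audit(08/05/2015 08:14:15.350:1267) : avc:  denied  { create } for  pid=22060 comm=kadmind name=kiprop_0 scontext=system_u:system_r:kadmind_t:s0 tcontext=system_u:object_r:krb5kdc_tmp_t:s0 tclass=file
"""

# 'denied { perm perm ... } for key=value ...' as printed by ausearch -i.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types too generic to be a good allow target (assumption of this
# example).  A denial against one of these usually wants a relabel or a more
# specific type, not an allow rule.
GENERIC_TARGETS = frozenset(
    {"reserved_port_t", "unreserved_port_t", "port_t", "tmp_t", "var_t", "bin_t"}
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each denied AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        # A context is user:role:type[:range]; allow rules name the type only.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        yield src, tgt, fields["tclass"], frozenset(m.group("perms").split())


def collect_rules(text):
    """Merge denials sharing (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def broad_targets(rules):
    """Return the (source, target, class) triples whose target type is generic."""
    return sorted(k for k in rules if k[1] in GENERIC_TARGETS)


def render_module(rules, name="kpropd_local", version="1.0"):
    """Emit a .te module: a require block plus one allow rule per triple."""
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT)
    print(render_module(rules))
    for src, tgt, cls in broad_targets(rules):
        print(f"# review: {src} -> {tgt}:{cls} targets a generic type; relabel instead?")
```

Run as-is it prints a module with four allow rules, and two of them are exactly the ones this thread shows should not be taken at face value: the name_connect rule against reserved_port_t (comment 3) would let kpropd connect to every reserved port, where the rule against kprop_port_t (comments 5 and 13) covers only the kprop port; and the create/write rule against krb5kdc_tmp_t is the wrong fix altogether, since comments 17 and 18 resolve that denial by relabeling /var/tmp/kiprop_0 as kadmind_tmp_t with semanage fcontext. Generated rules are a reading aid for deciding between "allow" and "relabel", not a module to load unreviewed.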

Comment 23 errata-xmlrpc 2015-11-19 10:33:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

