Bug 1238061 - libStorageMgmt: SELinux is preventing /usr/bin/lsmd check user `libstoragemgmt`
Summary: libStorageMgmt: SELinux is preventing /usr/bin/lsmd check user `libstoragemgmt`
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-01 06:25 UTC by Gris Ge
Modified: 2015-11-19 10:38 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.13.1-39.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:38:29 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 0 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Gris Ge 2015-07-01 06:25:00 UTC
Description of problem:
The daemon (lsmd) of libstoragemgmt requires checking the existence of the
'libstoragemgmt' user and group before dropping privileges to it.

SELinux is preventing this action:
===============
SELinux is preventing /usr/bin/lsmd from read access on the file passwd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lsmd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:lsmd_t:s0
Target Context                system_u:object_r:passwd_file_t:s0
Target Objects                passwd [ file ]
Source                        lsmd
Source Path                   /usr/bin/lsmd
Port                          <Unknown>
Host                          ibm-ls22-01.rhts.eng.nay.redhat.com
Source RPM Packages           libstoragemgmt-1.2.3-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-ls22-01.rhts.eng.nay.redhat.com
Platform                      Linux ibm-ls22-01.rhts.eng.nay.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   6
First Seen                    2015-07-01 13:58:54 CST
Last Seen                     2015-07-01 14:15:21 CST
Local ID                      e54cea0c-64d9-487e-bed5-ad86c960abb0

Raw Audit Messages
type=AVC msg=audit(1435731321.1:108): avc:  denied  { read } for  pid=1846 comm="lsmd" name="passwd" dev="dm-0" ino=135853418 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file


type=SYSCALL msg=audit(1435731321.1:108): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff431caad8a a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=1846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)

Hash: lsmd,lsmd_t,passwd_file_t,file,read
===============

If sssd is installed, an extra error will be found:
===============
SELinux is preventing /usr/bin/lsmd from search access on the directory sss.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that lsmd should be allowed search access on the sss directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lsmd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:lsmd_t:s0
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                sss [ dir ]
Source                        lsmd
Source Path                   /usr/bin/lsmd
Port                          <Unknown>
Host                          ibm-ls22-01.rhts.eng.nay.redhat.com
Source RPM Packages           libstoragemgmt-1.2.3-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-ls22-01.rhts.eng.nay.redhat.com
Platform                      Linux ibm-ls22-01.rhts.eng.nay.redhat.com
                              3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38
                              EST 2015 x86_64 x86_64
Alert Count                   2
First Seen                    2015-07-01 14:15:21 CST
Last Seen                     2015-07-01 14:15:21 CST
Local ID                      7407bf13-c481-459f-8576-56155ceafe8e

Raw Audit Messages
type=AVC msg=audit(1435731321.2:110): avc:  denied  { search } for  pid=1846 comm="lsmd" name="sss" dev="dm-0" ino=1486846 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1435731321.2:110): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fff43088cf0 a2=6e a3=7fff43088a10 items=0 ppid=1 pid=1846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)

Hash: lsmd,lsmd_t,sssd_var_lib_t,dir,search
===============


Version-Release number of selected component (if applicable):
libstoragemgmt-1.2.3-2.el7.x86_64
selinux-policy-targeted-3.13.1-23.el7.noarch
selinux-policy-3.13.1-23.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install libstoragemgmt-1.2.3-2.el7
2. Start libstoragemgmt daemon via `systemctl start libstoragemgmt.service`
3. Execute this command `lsmcli ls -u sim://`

Actual results:
Got an SELinux error and the daemon failed to drop privileges to the normal user.

Expected results:
No SELinux error.

Additional info:
This also causes the TPS of libstoragemgmt to fail:
https://errata.devel.redhat.com/tps/errata_results/23300
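The privilege-drop sequence the report describes, as an added illustration that is not lsmd's own code. The account name `libstoragemgmt` comes from the report; the function names `resolve_service_account` and `drop_privileges` are my own. The point it shows is why the policy change is needed: the daemon must first resolve the account through NSS (glibc `getpwnam`, which is the `/etc/passwd` read and the sssd socket access in the AVCs above), and only then change ids, which needs CAP_SETGID and CAP_SETUID (capability 7 is CAP_SETUID).

```python
import os
import pwd
import grp

# Service account lsmd drops to (name taken from the bug report).
SERVICE_ACCOUNT = "libstoragemgmt"


def resolve_service_account(user, group=None):
    """Look up uid/gid through NSS (glibc getpwnam/getgrnam).

    On an SELinux host this lookup is what touches passwd_file_t and, with
    sssd configured, sssd_var_lib_t: the daemon's domain needs nsswitch
    access before it can even learn which uid to drop to.
    Returns (uid, gid), or None if the account does not exist.
    """
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return None
    gid = pw.pw_gid
    if group is not None:
        try:
            gid = grp.getgrnam(group).gr_gid
        except KeyError:
            return None
    return pw.pw_uid, gid


def drop_privileges(user, group=None):
    """Drop from root to the service account and verify the drop is irreversible."""
    ids = resolve_service_account(user, group)
    if ids is None:
        # Refuse to keep running as root just because the account is missing.
        raise RuntimeError(f"service account {user!r} not found; refusing to stay root")
    uid, gid = ids
    if uid == 0:
        raise ValueError("target account is root; nothing to drop")
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    # Order matters: supplementary groups and gid first (CAP_SETGID), uid last
    # (CAP_SETUID). Once setuid() succeeds the capabilities are gone, so
    # setgroups()/setgid() after it would fail.
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    # Real, effective and saved ids must all have changed; a leftover saved
    # uid 0 would let the process setuid(0) its way back to root later.
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        raise RuntimeError("privilege drop incomplete")
    try:
        os.setuid(0)
    except PermissionError:
        return uid, gid
    raise RuntimeError("regained root after dropping privileges")


if __name__ == "__main__":
    print("running as uid/gid", drop_privileges(SERVICE_ACCOUNT))
```

Run as root on a host where the account exists; when started as a normal user it stops at the `PermissionError` rather than silently continuing. The `setuid(0)` probe at the end is the check that distinguishes a real drop from `seteuid()`-style temporary drops.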

Comment 1 Lukas Vrabec 2015-07-16 13:09:27 UTC
commit 7fb226b0124bcc8a241a4d3f17c0cd0630734d5f
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 16 15:05:51 2015 +0200

    Add lsmd_t to nsswitch_domain. Resolves: #1238061

Comment 3 Bruno Goncalves 2015-08-06 11:42:35 UTC
It seems this problem is still present on 7.2 alpha (selinux-policy-3.13.1-37.el7).

time->Thu Aug  6 04:18:28 2015
type=SYSCALL msg=audit(1438849108.898:62): arch=c000003e syscall=105 success=no exit=-1 a0=3e2 a1=7f6a06478274 a2=0 a3=7ffc6c277d60 items=0 ppid=1 pid=1937 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1438849108.898:62): avc:  denied  { setuid } for  pid=1937 comm="lsmd" capability=7  scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=capability
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.FfRgI4 | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.QXAsM9 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-37.el7.noarch
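As an added triage example (not part of the report and not a Red Hat tool), the following parses the raw audit records quoted in this bug: the two sealert "Raw Audit Messages" blocks from the description and the SYSCALL/AVC pair from comment 3. It joins each AVC to its SYSCALL record by the `audit(timestamp:serial)` key, as ausearch does, and derives the `allow` rules audit2allow would emit. The audit lines are copied from this page; the helper names and the small syscall/capability tables are my own (x86_64 syscall 105 is `setuid`, capability 7 is `CAP_SETUID`).

```python
import re
from collections import OrderedDict

# Audit records copied from this bug report. AVC and SYSCALL records that
# belong to the same event share the audit(ts:serial) key; note the comment 3
# pair has SYSCALL first and uses the raw arch/syscall numbers.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1435731321.1:108): avc:  denied  { read } for  pid=1846 comm="lsmd" name="passwd" dev="dm-0" ino=135853418 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=SYSCALL msg=audit(1435731321.1:108): arch=x86_64 syscall=open success=no exit=EACCES a0=7ff431caad8a a1=80000 a2=1b6 a3=0 items=0 ppid=1 pid=1846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1435731321.2:110): avc:  denied  { search } for  pid=1846 comm="lsmd" name="sss" dev="dm-0" ino=1486846 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1435731321.2:110): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fff43088cf0 a2=6e a3=7fff43088a10 items=0 ppid=1 pid=1846 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=lsmd exe=/usr/bin/lsmd subj=system_u:system_r:lsmd_t:s0 key=(null)
type=SYSCALL msg=audit(1438849108.898:62): arch=c000003e syscall=105 success=no exit=-1 a0=3e2 a1=7f6a06478274 a2=0 a3=7ffc6c277d60 items=0 ppid=1 pid=1937 auid=4294967295 uid=0 gid=991 euid=0 suid=0 fsuid=0 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="lsmd" exe="/usr/bin/lsmd" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1438849108.898:62): avc:  denied  { setuid } for  pid=1937 comm="lsmd" capability=7  scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:system_r:lsmd_t:s0 tclass=capability
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Uninterpreted records carry AUDIT_ARCH as hex and the syscall as a number;
# sealert / ausearch -i translate them. Only the values in this report are
# mapped here (my own minimal tables, not a full syscall list).
AUDIT_ARCH_X86_64 = "c000003e"
X86_64_SYSCALLS = {105: "setuid"}
CAPABILITIES = {7: "CAP_SETUID"}


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial, preserving first-seen order."""
    events = OrderedDict()
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault((ts, serial), {"avc": [], "syscall": None})
        if rtype == "AVC":
            am = AVC_RE.search(body)
            if am:
                fields = _kv(am.group(2))
                fields["perms"] = am.group(1).split()
                ev["avc"].append(fields)
        elif rtype == "SYSCALL":
            ev["syscall"] = _kv(body)
    return list(events.values())


def _type_of(context):
    # user:role:type:range -> type
    return context.split(":")[2]


def allow_rules(events):
    """The allow rules audit2allow would derive ('self' when source == target type)."""
    rules = []
    for ev in events:
        for avc in ev["avc"]:
            src = _type_of(avc["scontext"])
            tgt = _type_of(avc["tcontext"])
            if tgt == src:
                tgt = "self"
            rules.append(f"allow {src} {tgt}:{avc['tclass']} {' '.join(avc['perms'])};")
    return rules


def syscall_name(rec):
    nr = rec.get("syscall")
    if nr is None:
        return None
    if nr.isdigit() and rec.get("arch") == AUDIT_ARCH_X86_64:
        return X86_64_SYSCALLS.get(int(nr), f"syscall#{nr}")
    return nr  # already interpreted (e.g. "open", "connect")


def describe_denials(events):
    """One triage line per AVC: subject, permission, object, and the syscall behind it."""
    out = []
    for ev in events:
        sc = ev["syscall"] or {}
        for avc in ev["avc"]:
            obj = avc.get("name")
            if "capability" in avc:
                obj = CAPABILITIES.get(int(avc["capability"]), f"capability#{avc['capability']}")
            out.append(
                f"{avc['comm']} ({_type_of(avc['scontext'])}) denied "
                f"{{ {' '.join(avc['perms'])} }} on {_type_of(avc['tcontext'])}:{avc['tclass']} "
                f"[{obj}] via {syscall_name(sc)}() exit={sc.get('exit')}"
            )
    return out


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT_LOG)
    print("\n".join(describe_denials(evs)))
    print("\n".join(allow_rules(evs)))
```

Two caveats for anyone applying this to a live host. First, the three `allow` lines are the literal audit2allow output; the maintainer's fix in comment 1 instead added `lsmd_t` to the `nsswitch_domain` attribute, which covers the passwd file, the sssd socket and the other NSS back ends at once and is the better shape for a policy change. Second, `allow lsmd_t self:capability setuid;` is expected for a daemon that starts as root and drops to a service account, but the `grep lsmd | audit2allow` one-liner sealert suggests will also sweep up any unrelated denial whose line happens to contain "lsmd"; keying on the audit serial, as above, keeps each rule tied to the syscall that provoked it.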

Comment 4 Milos Malik 2015-08-06 12:03:17 UTC
The AVC is mentioned in BZ#1247114. But I have to agree with you, the automated TC still triggers the AVC on my VMs.

Comment 5 Lukas Vrabec 2015-08-10 12:17:10 UTC
This AVC is fixed in -39.el7.noarch version.

Comment 8 errata-xmlrpc 2015-11-19 10:38:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

