Bug 1255047 - xinetd cannot execute commands in MLS policy
xinetd cannot execute commands in MLS policy
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.1
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Jiri Jaburek
:
Depends On:
Blocks: 1218420
  Show dependency treegraph
 
Reported: 2015-08-19 09:36 EDT by Jiri Jaburek
Modified: 2015-08-19 10:58 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-19 10:58:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
avc log, in enforcing (connection reset) (1.28 KB, text/plain)
2015-08-19 09:36 EDT, Jiri Jaburek
no flags Details
avc log, in permissive (server binary executed) (1.15 KB, text/plain)
2015-08-19 09:38 EDT, Jiri Jaburek
no flags Details

  None (edit)
Description Jiri Jaburek 2015-08-19 09:36:13 EDT
Description of problem:

Like bug 1255030 and bug 1254698, xinetd cannot read /etc it seems:

type=SYSCALL msg=audit(08/19/2015 15:30:11.596:924) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f57c3e5dab2 a1=O_RDONLY|O_CLOEXEC a2=0x1 a3=0x7f57c40543a8 items=0 ppid=1055 pid=3147 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=xinetd exe=/usr/sbin/xinetd subj=system_u:system_r:inetd_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(08/19/2015 15:30:11.596:924) : avc:  denied  { search } for  pid=3147 comm=xinetd name=etc dev="dm-0" ino=133 scontext=system_u:system_r:inetd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s15:c0.c1023 tclass=dir 


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-42.el7

How reproducible:
always

Steps to Reproduce:
1. set up a simple service in /etc/xinetd.d (see examples there)
2. try to invoke it using ie. netcat
3. get connection reset, observe AVCs
Comment 1 Jiri Jaburek 2015-08-19 09:36:54 EDT
Created attachment 1064868 [details]
avc log, in enforcing (connection reset)
Comment 2 Jiri Jaburek 2015-08-19 09:38:04 EDT
Created attachment 1064869 [details]
avc log, in permissive (server binary executed)

Note that there are no AVCs related to xinetd, the only visible one is from the actual command executed by xinetd.
Comment 3 Jiri Jaburek 2015-08-19 10:58:15 EDT
The issue was incorrect /etc context,

restorecon reset /etc context system_u:object_r:etc_t:s15:c0.c1023->system_u:object_r:etc_t:s0

and while it's still unclear what gave it c0.c1023 (SystemHigh) instead of s0 (SystemLow), the issues reported in comment #0 are a result/symptom of this change, not its cause.

Note You need to log in before you can comment on or make changes to this bug.