1282860 – oddjobd stopped by SELinux policy with interaction with syslog

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1282860 - oddjobd stopped by SELinux policy with interaction with syslog

Summary: oddjobd stopped by SELinux policy with interaction with syslog

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.7
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-11-17 16:22 UTC by Robert Patt-Corner
Modified:	2020-10-13 12:55 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-02 17:27:13 UTC
Target Upstream Version:
Embargoed:
Flags:	robert.patt-corner: needinfo-

Attachments	(Terms of Use)

Description Robert Patt-Corner 2015-11-17 16:22:52 UTC

Description of problem:


SELinux prevents start of oddjobd


How reproducible:

100%


Steps to Reproduce:
1. setenforce 1
2. service oddjobd start [failure]
3. setenforce 0
4. service oddjobd start [success]


Additional info:

type=AVC msg=audit(1447777247.585:2122): avc:  denied  { dac_override } for  pid=15783 comm="oddjobd" capability=1  scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=capability
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.



and

#============= oddjob_t ==============
allow oddjob_t initrc_t:dbus send_msg;
allow oddjob_t self:capability dac_override;

#============= setfiles_t ==============
allow setfiles_t admin_home_t:file write;

#============= sshd_t ==============
allow sshd_t admin_home_t:file write;

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow syslogd_t default_t:dir { write add_name };
allow syslogd_t default_t:file { create open ioctl append getattr };

Comment 2 Milos Malik 2015-11-18 07:58:04 UTC

Based on the rules recommended by audit2why / audit2allow, it seems that some files / directories on your machine are mislabeled. There shouldn't be any default_t labels.

Could you find out, which processes are running as initrc_t? Apparently, oddjobd wants to communicate via D-bus with one of those processes.

Could you collect AVCs and attach them here? It will help us to resolve the problems you see.

Comment 3 Robert Patt-Corner 2015-12-21 12:41:51 UTC

Here you go (see below).  On collecting AVCs, I'm not too familiar with SELinux, and a concrete suggestion or example might help me send what is needed.

The processes below containing 'opscode' are various Chef processes...

[root@egt-labs-prod-mu-master ~]# ps axZ | grep initrc_t
system_u:system_r:initrc_t:s0     847 ?        S      0:13 /opt/opscode/embedded/service/opscode-chef-mover/erts-5.10.4/bin/epmd -daemon
system_u:system_r:initrc_t:s0    2223 ?        Ss     5:01 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
system_u:system_r:initrc_t:s0    2232 ?        S      2:12 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3444 pts/0 S+   0:00 grep initrc_t
system_u:system_r:initrc_t:s0   15160 ?        Ss     0:11 /opt/opscode/embedded/service/bookshelf/lib/exec-1.0+build.149.refb3548d6/priv/x86_64-unknown-linux-gnu/exec-port -n
system_u:system_r:initrc_t:s0   15277 ?        Ss     0:05 inet_gethost 4
system_u:system_r:initrc_t:s0   15305 ?        S      0:02 inet_gethost 4
system_u:system_r:initrc_t:s0   15478 ?        Ss     0:07 inet_gethost 4
system_u:system_r:initrc_t:s0   15479 ?        S      0:02 inet_gethost 4
system_u:system_r:initrc_t:s0   15501 ?        Ss     0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15504 ?        S      0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15557 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15569 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15583 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15623 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15651 ?        Ssl    0:05 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15699 ?        Ss     0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15700 ?        S      0:00 inet_gethost 4
unconfined_u:system_r:initrc_t:s0 20267 ?      Ssl   26:41 /usr/lib/jvm/java/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/home/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=8080 --httpListenAddress=0.0.0.0 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 --prefix=/jenkins

Comment 4 Milos Malik 2016-02-26 12:53:00 UTC

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 5 Lukas Vrabec 2016-10-31 12:37:59 UTC

Hi, 

What is state of this issue? Could you reproduce it and attach output from comment#4 ? 

Thank you.

Comment 6 Lukas Vrabec 2016-11-02 17:27:13 UTC

Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its
lifetime and this bug doesn't meet the criteria for it, i.e. only high severity
issues will be fixed. Please see
https://access.redhat.com/support/policy/updates/errata/ for further
information.

Feel free to clone this bug to RHEL-7 if it is still a problem for you.

Note You need to log in before you can comment on or make changes to this bug.