Bug 1282860 - oddjobd stopped by SELinux policy with interaction with syslog [NEEDINFO]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.7
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Assigned To: Lukas Vrabec
BaseOS QE Security Team
Reported: 2015-11-17 11:22 EST by Robert Patt-Corner
Modified: 2016-11-02 13:27 EDT
CC: 8 users

Doc Type: Bug Fix
Last Closed: 2016-11-02 13:27:13 EDT
Type: Bug
lvrabec: needinfo? (robert.patt-corner)

Attachments: None
Description Robert Patt-Corner 2015-11-17 11:22:52 EST
Description of problem:

SELinux prevents start of oddjobd

How reproducible:

100%


Steps to Reproduce:
1. setenforce 1
2. service oddjobd start [failure]
3. setenforce 0
4. service oddjobd start [success]


Additional info:

type=AVC msg=audit(1447777247.585:2122): avc:  denied  { dac_override } for  pid=15783 comm="oddjobd" capability=1  scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=capability
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.



and

#============= oddjob_t ==============
allow oddjob_t initrc_t:dbus send_msg;
allow oddjob_t self:capability dac_override;

#============= setfiles_t ==============
allow setfiles_t admin_home_t:file write;

#============= sshd_t ==============
allow sshd_t admin_home_t:file write;

#============= syslogd_t ==============
#!!!! The source type 'syslogd_t' can write to a 'dir' of the following types:
# var_log_t, var_run_t, syslogd_tmp_t, syslogd_var_lib_t, syslogd_var_run_t, innd_log_t, device_t, tmp_t, logfile, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t

allow syslogd_t default_t:dir { write add_name };
allow syslogd_t default_t:file { create open ioctl append getattr };
Comment 2 Milos Malik 2015-11-18 02:58:04 EST
Based on the rules recommended by audit2why / audit2allow, it seems that some files / directories on your machine are mislabeled. There shouldn't be any default_t labels.

Could you find out which processes are running as initrc_t? Apparently, oddjobd wants to communicate via D-Bus with one of those processes.

Could you collect AVCs and attach them here? It will help us to resolve the problems you see.
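The triage in this comment (denials whose target is default_t point to mislabeling, the rest to a missing allow rule) can be applied mechanically to collected AVC lines. The parser below is an added example, not code from the reporter or from Red Hat: it reads raw `type=AVC` records in the format shown in the description, groups them by source type, target type and object class, merges the requested permissions, and marks each group as "mislabeled" (target type default_t, unlabeled_t or file_t, which a relabel fixes) or "policy" (a genuine gap to report with the AVCs). The sample input is constructed: the first line is the oddjobd denial from the description, the second is a made-up syslogd_t denial against a default_t directory matching the audit2allow output above.

```python
import re
from dataclasses import dataclass, field

# Target types that normally mean the file or directory is mislabeled rather
# than that the policy lacks a rule (Comment 2: there shouldn't be default_t).
MISLABEL_TYPES = {"default_t", "unlabeled_t", "file_t"}

# Raw (uninterpreted) AVC record, e.g. from /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="oddjobd") or bare (pid=15783).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    verdict: str
    perms: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self):
        # scontext = user:role:type:range -> third field is the type
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    @property
    def tclass(self):
        return self.fields["tclass"]


def parse_avc(line):
    """Parse one raw AVC line; return None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return Avc(float(m.group("ts")), int(m.group("serial")),
               m.group("verdict"), m.group("perms").split(), fields)


def classify(avc):
    """Triage hint: relabel the object, or report a policy gap."""
    return "mislabeled" if avc.target_type in MISLABEL_TYPES else "policy"


def summarize(lines):
    """Group denials by (source, target, class); union their permissions."""
    out = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc.verdict != "denied":
            continue
        key = (avc.source_type, avc.target_type, avc.tclass)
        entry = out.setdefault(key, {"perms": set(), "count": 0, "hint": classify(avc)})
        entry["perms"].update(avc.perms)
        entry["count"] += 1
    return out


# Constructed sample: line 1 is the denial from the bug description,
# line 2 is a made-up syslogd_t denial matching the audit2allow output.
SAMPLE_LINES = [
    'type=AVC msg=audit(1447777247.585:2122): avc:  denied  { dac_override } for  '
    'pid=15783 comm="oddjobd" capability=1  '
    'scontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:system_r:oddjob_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1447777300.000:2130): avc:  denied  { write add_name } for  '
    'pid=1234 comm="rsyslogd" name="app" dev=dm-0 ino=4711 '
    'scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 '
    'tclass=dir',
    'not an audit record at all',
]

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize(SAMPLE_LINES).items():
        print(f"{src} -> {tgt}:{cls} {sorted(info['perms'])} x{info['count']} [{info['hint']}]")
```

The regex expects raw records as they appear in audit.log and in the description above; the `ausearch -i` command given later in this bug prints interpreted records (human-readable timestamp, resolved names), so feed the parser `ausearch -m avc` output without `-i`, or read audit.log directly. A "mislabeled" group is the cue to run restorecon on the reported path rather than to generate a module with audit2allow.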
Comment 3 Robert Patt-Corner 2015-12-21 07:41:51 EST
Here you go (see below). On collecting AVCs, I'm not too familiar with SELinux, and a concrete suggestion or example might help me send what is needed.

The processes below containing 'opscode' are various Chef processes...

[root@egt-labs-prod-mu-master ~]# ps axZ | grep initrc_t
system_u:system_r:initrc_t:s0     847 ?        S      0:13 /opt/opscode/embedded/service/opscode-chef-mover/erts-5.10.4/bin/epmd -daemon
system_u:system_r:initrc_t:s0    2223 ?        Ss     5:01 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
system_u:system_r:initrc_t:s0    2232 ?        S      2:12 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3444 pts/0 S+   0:00 grep initrc_t
system_u:system_r:initrc_t:s0   15160 ?        Ss     0:11 /opt/opscode/embedded/service/bookshelf/lib/exec-1.0+build.149.refb3548d6/priv/x86_64-unknown-linux-gnu/exec-port -n
system_u:system_r:initrc_t:s0   15277 ?        Ss     0:05 inet_gethost 4
system_u:system_r:initrc_t:s0   15305 ?        S      0:02 inet_gethost 4
system_u:system_r:initrc_t:s0   15478 ?        Ss     0:07 inet_gethost 4
system_u:system_r:initrc_t:s0   15479 ?        S      0:02 inet_gethost 4
system_u:system_r:initrc_t:s0   15501 ?        Ss     0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15504 ?        S      0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15557 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15569 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15583 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15623 ?        Ssl    0:00 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15651 ?        Ssl    0:05 ruby /opt/opscode/embedded/service/opscode-erchef/lib/chef_objects-12.2.0/priv/depselector_rb/depselector.rb
system_u:system_r:initrc_t:s0   15699 ?        Ss     0:00 inet_gethost 4
system_u:system_r:initrc_t:s0   15700 ?        S      0:00 inet_gethost 4
unconfined_u:system_r:initrc_t:s0 20267 ?      Ssl   26:41 /usr/lib/jvm/java/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -DJENKINS_HOME=/home/jenkins -jar /usr/lib/jenkins/jenkins.war --logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war --daemon --httpPort=8080 --httpListenAddress=0.0.0.0 --ajp13Port=8009 --debug=5 --handlerCountMax=100 --handlerCountMaxIdle=20 --prefix=/jenkins
Comment 4 Milos Malik 2016-02-26 07:53:00 EST
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Comment 5 Lukas Vrabec 2016-10-31 08:37:59 EDT
Hi,

What is the state of this issue? Could you reproduce it and attach the output from comment #4?

Thank you.
Comment 6 Lukas Vrabec 2016-11-02 13:27:13 EDT
Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its
lifetime and this bug doesn't meet the criteria for it, i.e. only high severity
issues will be fixed. Please see
https://access.redhat.com/support/policy/updates/errata/ for further
information.

Feel free to clone this bug to RHEL-7 if it is still a problem for you.
