Bug 1283134 - SELinux interferes with a logrotate job which uses su
SELinux interferes with a logrotate job which uses su
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
x86_64 Linux
medium Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
: 1298523 (view as bug list)
Depends On:
Blocks: 1295396
  Show dependency treegraph
Reported: 2015-11-18 06:06 EST by Milos Malik
Modified: 2016-11-03 22:24 EDT (History)
14 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-93.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-03 22:24:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2015-11-18 06:06:02 EST
Following line appears in the journal:
Nov 18 10:48:03 rhel72.localdomain runuser[6492]: pam_systemd(runuser-l:session): Failed to create session: Access denied

Version-Release number of selected component (if applicable):

How reproducible:
 * when crond executes the logrotate job located in /etc/cron.daily directory

Actual results (enforcing mode):
type=USER_AVC msg=audit(11/18/2015 10:48:03.618:278) : pid=535 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6492 tpid=606 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
type=USER_AVC msg=audit(11/18/2015 10:48:04.034:283) : pid=6562 uid=root auid=root ses=5 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  can't open netlink socket: 13 (Permission denied)  exe=/usr/bin/su sauid=root hostname=? addr=? terminal=?' 
type=SYSCALL msg=audit(11/18/2015 10:48:04.034:282) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=netlink a1=SOCK_RAW a2=cbt a3=0x1 items=0 ppid=6551 pid=6562 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=5 comm=su exe=/usr/bin/su subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/18/2015 10:48:04.034:282) : avc:  denied  { create } for  pid=6562 comm=su scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket 

Expected results:
 * no SELinux denials
Comment 1 Miroslav Grepl 2015-12-18 10:01:56 EST
We need to back port also crond changes form the latest upstream cron fixes.
Comment 2 Miroslav Grepl 2016-01-18 04:53:41 EST
*** Bug 1298523 has been marked as a duplicate of this bug. ***
Comment 3 Thom Carlin 2016-02-14 07:38:47 EST
Also seen in RHCI 6.0 TP2 RC9

su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
/usr/sbin/rabbitmqctl: line 44: 17441 Aborted                 su rabbitmq -s /bin/sh -c "/usr/lib/rabbitmq/bin/${SCRIPT} ${CMDLINE}"
error: error running shared postrotate script for '/var/log/rabbitmq/*.log '

type=SYSCALL msg=audit(1455438965.205:86034): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=17430 pid=17441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=48 comm="su" exe="/usr/bin/su" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
Comment 4 Robert Scheck 2016-03-17 08:49:02 EDT
Can we get this somehow forward, given there is a ticket on the Red Hat
customer portal?
Comment 5 Miroslav Grepl 2016-03-17 09:01:17 EDT
It is going to be addressed in rhel-7.3.0.
Comment 6 Lukas Vrabec 2016-06-14 09:32:07 EDT
Do you know why is logrotate trying to communicate with systemd-logind service via dbus? 

Thank you.
Comment 7 Joe Orton 2016-06-14 09:49:21 EDT
Isn't it the postrotate scriptlet for rabbitmq which is trying to talk to logind?

/usr/sbin/rabbitmqctl: line 44: 17441 Aborted                 su rabbitmq -s /bin/sh -c "/usr/lib/rabbitmq/bin/${SCRIPT} ${CMDLINE}"

... this comes from rabbitmq not logrotate.
Comment 14 Milos Malik 2016-08-04 07:38:30 EDT
I'm afraid this bug is not completely fixed. Some logrotate scripts run su and then su runs unix_chkpwd. Therefore you can see SELinux denials like:

type=USER_AVC msg=audit(08/04/2016 11:45:06.141:735) : pid=31279 uid=root auid=root ses=23 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd  exe=/usr/bin/su sauid=root hostname=? addr=? terminal=?' 
type=PATH msg=audit(08/04/2016 11:45:06.143:736) : item=0 name=/etc/shadow inode=17847672 dev=fd:03 mode=file,000 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shadow_t:s0 objtype=NORMAL 
type=CWD msg=audit(08/04/2016 11:45:06.143:736) :  cwd=/var/lib/rabbitmq 
type=SYSCALL msg=audit(08/04/2016 11:45:06.143:736) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f7d31b32453 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=31279 pid=31280 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=23 comm=unix_chkpwd exe=/usr/sbin/unix_chkpwd subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/04/2016 11:45:06.143:736) : avc:  denied  { read } for  pid=31280 comm=unix_chkpwd name=shadow dev="vda3" ino=17847672 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file 
Comment 19 errata-xmlrpc 2016-11-03 22:24:40 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.