Bug 1349356 - [Hyper-v][RHEL7.3] Selinux AVC: avc: denied { getattr } for pid=2627 comm="restorecon" name="/" in audit log.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1362179
Reported: 2016-06-23 10:07 UTC by xuli
Modified: 2016-11-04 02:32 UTC (History)
CC List: 16 users

Doc Text:
_selinux-policy_ now allows _hypervkvpd_ to "getattr" on all filesystem types

Previously, an SELinux denial occurred during the execution of the "restorecon" command after an IP injection on the virtual machine with the `Data Exchange` option enabled. The _selinux-policy_ packages have been updated, and an IP injection now finishes correctly both in SELinux permissive and enforcing mode.
Clone Of:
Last Closed: 2016-11-04 02:32:28 UTC


External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2016:2283
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2016-11-03 13:36:25 UTC

Description xuli 2016-06-23 10:07:42 UTC
Description of problem:

Power off the VM and disable "Data Exchange", then power on the VM and enable "Data Exchange", then do kvp-ip-injection; there is avc: denied { getattr } for pid=2627 comm="restorecon" name="/" in the audit log.

Per Vitaly's comment on bug https://bugzilla.redhat.com/show_bug.cgi?id=1347659#c6, filing a new bug.


Version-Release number of selected component (if applicable):
Kernel: 3.10.0-438.el7.x86_64
Host: Windows 2012R2

How reproducible: 30%

Steps to Reproduce:
1. Update selinux-policy, hyperv-daemons and the kernel to the versions below.

a. selinux-policy-3.13.1-80.el7
b. hyperv-daemons-0-0.28.20160216git.el7.x86_64
c. kernel version 3.10.0-438.el7.x86_64

2. Power off VM, go to Hyper-V manager -> Integration Services -> Disable "Data Exchange".
3. Start VM, and check selinux mode is Enforcing.
4. Check the log with # ausearch -m avc
<no matches>: no avc: denied entries, which is the expected result.
5. Go to Hyper-V manager -> Integration Services -> Enable "Data Exchange", and make sure hypervkvpd is running.
6. Check the log: # ausearch -m avc
7. Run kvp-ip-injection.
8. Check the log: # ausearch -m avc

Actual results:
Observe that SELinux denied { getattr } for pid=2627 comm="restorecon" name="/".
Expected results:
No avc: denied log for "restorecon".

Log information:
Detailed Log:

time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.813:356): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=75736f6e2c6c6562 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:356): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.813:357): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03299 a1=7ffd08f031a0 a2=7fc1dcc03299 a3=3035353531313d73 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:357): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.813:358): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=6f6e2c6c6562616c items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:358): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="tmpfs" ino=9220 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:359): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03297 a1=7ffd08f031a0 a2=7fc1dcc03297 a3=6d2c353d6469672c items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:359): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="devpts" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:360): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=646f6e2c64697573 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:360): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="tmpfs" ino=9222 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:361): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=3d65646f6d2c6365 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:361): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="tmpfs" ino=9223 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:362): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc0337a a1=7ffd08f031a0 a2=7fc1dcc0337a a3=7fc1dba3a4e0 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:362): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="sda1" ino=192 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:363): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc0337a a1=7ffd08f031a0 a2=7fc1dcc0337a a3=7fc1dba3a4e0 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:363): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="hugetlbfs" ino=1765 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:364): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03377 a1=7ffd08f031a0 a2=7fc1dcc03377 a3=7fc1dba3a750 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:364): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="mqueue" ino=1140 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

Comment 4 xuli 2016-07-12 09:03:44 UTC
Verification failed on selinux-policy-3.13.1-85.el7 and selinux-policy-3.13.1-87.el7 with kernel version 3.10.0-461.el7.x86_64.
Reproduce steps:
Following the case steps exactly, after doing ip-injection there is still an SELinux deny log (comm="restorecon", name="/dev/hugepages") in the audit log, so reopening this bug.


time->Tue Jul 12 16:46:46 2016
type=SYSCALL msg=audit(1468313206.741:94): arch=c000003e syscall=4 success=no exit=-13 a0=7f157df8137a a1=7ffc344d4ec0 a2=7ffc344d4ec0 a3=7f157b4f0a50 items=0 ppid=2952 pid=3083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468313206.741:94): avc:  denied  { getattr } for  pid=3083 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=12468 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir

Comment 5 xuli 2016-07-14 09:32:59 UTC
Adding more comments here:

If doing IP injection with replication, the following logs appear.

Build info: selinux-policy-3.13.1-85.el7 with kernel version 3.10.0-461.el7.x86_64.

time->Thu Jul 14 17:18:47 2016
type=SYSCALL msg=audit(1468487927.025:25): arch=c000003e syscall=4 success=no exit=-13 a0=7ffd16f931a0 a1=7ffd16f93110 a2=7ffd16f93110 a3=3 items=0 ppid=853 pid=970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/usr/sbin/killall5" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468487927.025:25): avc:  denied  { getattr } for  pid=970 comm="pidof" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=6559 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
----
time->Thu Jul 14 17:18:55 2016
type=SYSCALL msg=audit(1468487935.669:34): arch=c000003e syscall=4 success=no exit=-13 a0=7f389018037a a1=7ffc48a70110 a2=7ffc48a70110 a3=7f388db17a50 items=0 ppid=1175 pid=1436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468487935.669:34): avc:  denied  { getattr } for  pid=1436 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=14621 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir

Comment 6 HuijingHei 2016-07-28 06:15:22 UTC
Test result: failed on selinux-policy-3.13.1-89.el7 and selinux-policy-3.13.1-91.el7 with kernel version 3.10.0-470.el7.x86_64

Reproduce steps:
Following the case steps exactly, after doing ip-injection there is still an SELinux deny log (comm="restorecon", name="/dev/hugepages") in the audit log, so reopening this bug.


type=AVC msg=audit(1469686121.462:194): avc:  denied  { getattr } for  pid=4738 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=13465 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1469686121.462:194): arch=c000003e syscall=4 success=no exit=-13 a0=7ff54d35237a a1=7ffdb21b6a70 a2=7ffdb21b6a70 a3=7ff54c160a50 items=0 ppid=4609 pid=4738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=USER_AVC msg=audit(1469686121.836:195): pid=682 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.3 spid=4741 tpid=721 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=(null)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 7 HuijingHei 2016-07-28 06:19:05 UTC
Sorry for changing to the wrong status; updating status to "assigned".

Comment 8 Lukas Vrabec 2016-08-05 11:49:37 UTC
OK, policy is updated; moving to POST.

Comment 11 xuli 2016-08-11 05:40:02 UTC
Test result: failed on selinux-policy-3.13.1-93.el7 with kernel version 3.10.0-489.el7.x86_64


After doing ip-injection there is no audit log, so this issue has been fixed, but there is still an audit log after doing IP injection with Hyper-V Replication, even though the audit log is different; reopening this bug to keep tracking this issue.


Reproduce steps:

1. HostA is a Hyper-V Replication Server and will receive replicated VMs from another host. Configure hostA via 'Hyper-V Settings' - 'Replication Configuration' -> Enable this computer as a Replica Server. Same config for Host B.

2. HostB has a VM.
1) Configure hostB via 'Hyper-V Settings' - 'Replication Configuration' -> Enable this computer as a Replica Server.

2) Check that the hypervkvpd service is started on the VM:
# service hypervkvpd status

3) Configure the VM: right click, select "Enable Replication" - Before you Begin -> Next -> Replica Server as Host A -> Next, and observe the "sending Initial Replica" progress.

4) HostA now shows a replicated VM identical to the one on HostB.

Note: if replication cannot be done, disable the firewall on the host: netsh firewall set opmode disable

3. On HostA, choose the replicated VM and set up IP injection by editing 'Settings' - 'Network Adapter' - 'Failover TCP/IP', setting the IPv4/IPv6 address, subnet, gateway and DNS

e.g. IPV4: 192.168.1.15
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.1
DNS: 192.168.1.2

IPv6: 2001::de45:1234:de00:9876
Prefix length: 64
4. On hostB, turn off the VM, then right click the VM - 'Replication' - 'Planned Failover'
5. Check the VM IP status on hostA after boot up with ifconfig.

6. Run ausearch -m avc on the VM on host A and observe that avc: denied entries appear, as in the following logs.

type=SYSCALL msg=audit(1470892273.995:29): arch=c000003e syscall=4 success=no exit=-13 a0=7ffcc129e270 a1=7ffcc129e1e0 a2=7ffcc129e1e0 a3=3 items=0 ppid=955 pid=1072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/usr/sbin/killall5" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1470892273.995:29): avc:  denied  { getattr } for  pid=1072 comm="pidof" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=5641 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
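
The denials quoted in this report (the filesystem-class getattr entries in the Description, the dir denial on /dev/hugepages in comments 4 to 6, and the unquoted hex-encoded path= in comments 5 and 11) can be triaged with a small parser. This is an added example, not code from the bug or from selinux-policy: it decodes the audit fields that auditd hex-encodes and collapses the denials into the `allow source target:class perm;` form that audit2allow prints, over sample records constructed in the shape of the ones above.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of this bug's AVC lines: a
# filesystem-class denial, a dir denial, and an unquoted hex-encoded path=.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1466653614.813:356): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=AVC msg=audit(1468313206.741:94): avc:  denied  { getattr } for  pid=3083 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=12468 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=AVC msg=audit(1470892273.995:29): avc:  denied  { getattr } for  pid=1072 comm="pidof" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=5641 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+'
                    r'\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd hex-encodes these fields (unquoted) when the value contains a space
# or other unprintable byte; other fields are left alone, since e.g. ino=12468
# is also a valid hex string.
HEX_FIELDS = {"name", "path", "comm", "exe", "cwd", "proctitle"}

def _decode(key, raw):
    if raw.startswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: _decode(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["decision"] = m.group("decision")
    rec["perms"] = set(m.group("perms").split())
    return rec

def allow_rules(audit_text):
    """Collapse denials into the sorted allow-rule form that audit2allow prints."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            # a context is user:role:type:level; the policy rule needs the type
            src, tgt = rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2]
            needed[(src, tgt, rec["tclass"])] |= rec["perms"]
    return ["allow %s %s:%s %s;" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(needed.items())]
```

The rules it prints are what the denial asks for, not necessarily what the fixed policy should contain; here the shipped fix grants hypervkvpd getattr on all filesystem types rather than one rule per type.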

Comment 18 xuli 2016-08-18 05:46:39 UTC
Verification passes on selinux-policy-3.13.1-94.el7 and kernel 3.10.0-493.el7.x86_64, after doing ip-injection to the VM directly by script, and ip-injection with replication.

1) no AVC audit log after ip-injection in enforcing and permissive mode.
2) "systemctl status hypervkvpd" running without error.
3) ifconfig can show injected ip correctly.

Comment 20 errata-xmlrpc 2016-11-04 02:32:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
