Bug 1349356 - [Hyper-v][RHEL7.3] Selinux AVC: avc: denied { getattr } for pid=2627 comm="restorecon" name="/" in audit log.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1362179
Reported: 2016-06-23 10:07 UTC by xuli
Modified: 2016-11-04 02:32 UTC
CC List: 16 users

Fixed In Version: selinux-policy-3.13.1-94.el7
Doc Type: Bug Fix
Doc Text:
_selinux-policy_ now allows _hypervkvpd_ to "getattr" on all filesystem types

Previously, an SELinux denial occurred during the execution of the "restorecon" command after an IP injection on the virtual machine with the `Data Exchange` option enabled. The _selinux-policy_ packages have been updated, and an IP injection now finishes correctly both in SELinux permissive and enforcing mode.
Clone Of:
Environment:
Last Closed: 2016-11-04 02:32:28 UTC
Target Upstream Version:
Embargoed:




Links:
System ID: Red Hat Product Errata RHBA-2016:2283
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2016-11-03 13:36:25 UTC

Description xuli 2016-06-23 10:07:42 UTC
Description of problem:

Power off the VM and disable "Data Exchange", then power on the VM and enable "Data Exchange", then do kvp-ip-injection: there is avc: denied { getattr } for pid=2627 comm="restorecon" name="/" in the audit log.

Per Vitaly's comment on bug https://bugzilla.redhat.com/show_bug.cgi?id=1347659#c6, filing a new bug.


Version-Release number of selected component (if applicable):
Kernel: 3.10.0-438.el7.x86_64
Host: Windows 2012R2

How reproducible: 30%

Steps to Reproduce:

1. Update selinux-policy, hyperv-daemons and the kernel to the versions below.

a. selinux-policy-3.13.1-80.el7
b. hyperv-daemons-0-0.28.20160216git.el7.x86_64
c. kernel 3.10.0-438.el7.x86_64

2. Power off the VM, go to Hyper-V Manager -> Integration Services -> disable "Data Exchange".
3. Start the VM and check that the SELinux mode is Enforcing.
4. Check the log with # ausearch -m avc
<no matches>: no avc: denied entries, which is the expected result.
5. Go to Hyper-V Manager -> Integration Services -> enable "Data Exchange", and make sure hypervkvpd is running.
6. Check the log with # ausearch -m avc
7. Run kvp-ip-injection.
8. Check the log with # ausearch -m avc

Actual results:
Observe that SELinux denied { getattr } for pid=2627 comm="restorecon" name="/".
Expected results:
No avc: denied log for "restorecon".

Log information:
Detailed Log:

time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.813:356): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=75736f6e2c6c6562 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:356): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.813:357): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03299 a1=7ffd08f031a0 a2=7fc1dcc03299 a3=3035353531313d73 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:357): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="devtmpfs" ino=1025 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.813:358): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=6f6e2c6c6562616c items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:358): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="tmpfs" ino=9220 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:359): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03297 a1=7ffd08f031a0 a2=7fc1dcc03297 a3=6d2c353d6469672c items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:359): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="devpts" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:360): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=646f6e2c64697573 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:360): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="tmpfs" ino=9222 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:361): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=3d65646f6d2c6365 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:361): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="tmpfs" ino=9223 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:362): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc0337a a1=7ffd08f031a0 a2=7fc1dcc0337a a3=7fc1dba3a4e0 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:362): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="sda1" ino=192 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:363): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc0337a a1=7ffd08f031a0 a2=7fc1dcc0337a a3=7fc1dba3a4e0 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:363): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="hugetlbfs" ino=1765 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem
----
time->Thu Jun 23 11:46:54 2016
type=SYSCALL msg=audit(1466653614.814:364): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03377 a1=7ffd08f031a0 a2=7fc1dcc03377 a3=7fc1dba3a750 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:364): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="mqueue" ino=1140 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem

Comment 4 xuli 2016-07-12 09:03:44 UTC
Verify failed on selinux-policy-3.13.1-85.el7 and selinux-policy-3.13.1-87.el7 with kernel version 3.10.0-461.el7.x86_64.
Reproduce steps:
Follow the case steps exactly; after doing ip-injection there is still an SELinux deny log, comm="restorecon", name="/dev/hugepages", in the audit log, so reopening this bug.


time->Tue Jul 12 16:46:46 2016
type=SYSCALL msg=audit(1468313206.741:94): arch=c000003e syscall=4 success=no exit=-13 a0=7f157df8137a a1=7ffc344d4ec0 a2=7ffc344d4ec0 a3=7f157b4f0a50 items=0 ppid=2952 pid=3083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468313206.741:94): avc:  denied  { getattr } for  pid=3083 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=12468 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir

Comment 5 xuli 2016-07-14 09:32:59 UTC
Adding more comments here:

If you do ip injection with replication, you will get the following logs.

Build info: selinux-policy-3.13.1-85.el7 with kernel version 3.10.0-461.el7.x86_64.

time->Thu Jul 14 17:18:47 2016
type=SYSCALL msg=audit(1468487927.025:25): arch=c000003e syscall=4 success=no exit=-13 a0=7ffd16f931a0 a1=7ffd16f93110 a2=7ffd16f93110 a3=3 items=0 ppid=853 pid=970 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/usr/sbin/killall5" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468487927.025:25): avc:  denied  { getattr } for  pid=970 comm="pidof" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=6559 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
----
time->Thu Jul 14 17:18:55 2016
type=SYSCALL msg=audit(1468487935.669:34): arch=c000003e syscall=4 success=no exit=-13 a0=7f389018037a a1=7ffc48a70110 a2=7ffc48a70110 a3=7f388db17a50 items=0 ppid=1175 pid=1436 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468487935.669:34): avc:  denied  { getattr } for  pid=1436 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=14621 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
[root@rhel7 ~]#

Comment 6 HuijingHei 2016-07-28 06:15:22 UTC
Test result is failed on selinux-policy-3.13.1-89.el7 and selinux-policy-3.13.1-91.el7 with kernel version 3.10.0-470.el7.x86_64.

Reproduce steps:
Follow the case steps exactly; after doing ip-injection there is still an SELinux deny log, comm="restorecon", name="/dev/hugepages", in the audit log, so reopening this bug.


type=AVC msg=audit(1469686121.462:194): avc:  denied  { getattr } for  pid=4738 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=13465 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1469686121.462:194): arch=c000003e syscall=4 success=no exit=-13 a0=7ff54d35237a a1=7ffdb21b6a70 a2=7ffdb21b6a70 a3=7ff54c160a50 items=0 ppid=4609 pid=4738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=USER_AVC msg=audit(1469686121.836:195): pid=682 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.3 spid=4741 tpid=721 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=(null)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 7 HuijingHei 2016-07-28 06:19:05 UTC
Sorry for changing to the wrong status; updating the status to "assigned".

Comment 8 Lukas Vrabec 2016-08-05 11:49:37 UTC
OK, the policy is updated, moving to POST.

Comment 11 xuli 2016-08-11 05:40:02 UTC
Test result is failed on selinux-policy-3.13.1-93.el7 with kernel version 3.10.0-489.el7.x86_64.


After doing ip-injection there is no audit log, so this issue has been fixed, but there is still an audit log after doing IP injection with Hyper-V Replication, even though the audit log is different; reopening this bug to keep tracking this issue.


Reproduce steps:

1. HostA is a Hyper-V Replication server and will receive replicated VMs from another host; configure HostA via 'Hyper-V Settings' -> 'Replication Configuration' -> Enable this computer as a Replica Server. Same config for HostB.

2. HostB has a VM.
1) Configure HostB via 'Hyper-V Settings' -> 'Replication Configuration' -> Enable this computer as a Replica Server.

2) Check that the hypervkvpd service is started on the VM:
# service hypervkvpd status

3) Configure the VM: right click, select "Enable Replication" -> Before You Begin -> Next -> Replica Server as HostA -> Next, and watch the "sending Initial Replica" progress.

4) You can see a replicated VM on HostA that is the same as the one on HostB.

Note: if replication cannot be done, disable the firewall on the host: netsh firewall set opmode disable

3. On HostA, choose the replicated VM and set ip injection by editing 'Settings' -> 'Network Adapter' -> 'Failover TCP/IP', setting the IPv4/IPv6 address, subnet, gateway and DNS.

e.g. IPV4: 192.168.1.15
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.1
DNS: 192.168.1.2

IPV6: 2001::de45:1234:de00:9876
prefix len: 64
4. On HostB, turn off the VM, then right click the VM -> 'Replication' -> 'Planned Failover'.
5. Check the VM IP status on HostA after boot-up with ifconfig.

6. Run ausearch -m avc on the VM on HostA and observe that avc: denied pops up as in the following logs.

type=SYSCALL msg=audit(1470892273.995:29): arch=c000003e syscall=4 success=no exit=-13 a0=7ffcc129e270 a1=7ffcc129e1e0 a2=7ffcc129e1e0 a3=3 items=0 ppid=955 pid=1072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/usr/sbin/killall5" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1470892273.995:29): avc:  denied  { getattr } for  pid=1072 comm="pidof" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=5641 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
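The records in this bug show three things a policy maintainer has to read out of raw ausearch output before deciding on a fix: which filesystem types hypervkvp_t was denied getattr on (the description), that the later denials are on a directory rather than a filesystem object (comments 4 and 6), and that the pidof denial in this comment has its path hex-encoded because it contains a space. The following Python is an added example written for this page, not Red Hat's tooling and not audit2allow itself; it parses the records quoted above (copied verbatim into SAMPLE_RECORDS), decodes the hex path, pairs each AVC with its SYSCALL record by serial number, and collapses the denials into audit2allow-style allow rules. The syscall-number table is an assumption limited to the two x86_64 numbers that appear on this bug (4 = stat, 137 = statfs).

```python
"""Triage SELinux AVC records: decode fields, pair AVC with SYSCALL by
serial, and collapse denials into the allow rules they would require.
Added example for this bug report (not Red Hat's or audit2allow's code)."""
import re
from collections import defaultdict

# Copied verbatim from the comments on this bug (ausearch -m avc output).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1466653614.813:356): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc03296 a1=7ffd08f031a0 a2=7fc1dcc03296 a3=75736f6e2c6c6562 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.813:356): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="sysfs" ino=1 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1466653614.814:363): arch=c000003e syscall=137 success=no exit=-13 a0=7fc1dcc0337a a1=7ffd08f031a0 a2=7fc1dcc0337a a3=7fc1dba3a4e0 items=0 ppid=2522 pid=2627 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1466653614.814:363): avc:  denied  { getattr } for  pid=2627 comm="restorecon" name="/" dev="hugetlbfs" ino=1765 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem
type=SYSCALL msg=audit(1468313206.741:94): arch=c000003e syscall=4 success=no exit=-13 a0=7f157df8137a a1=7ffc344d4ec0 a2=7ffc344d4ec0 a3=7f157b4f0a50 items=0 ppid=2952 pid=3083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/usr/sbin/setfiles" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1468313206.741:94): avc:  denied  { getattr } for  pid=3083 comm="restorecon" path="/dev/hugepages" dev="hugetlbfs" ino=12468 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1470892273.995:29): arch=c000003e syscall=4 success=no exit=-13 a0=7ffcc129e270 a1=7ffcc129e1e0 a2=7ffcc129e1e0 a3=3 items=0 ppid=955 pid=1072 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pidof" exe="/usr/sbin/killall5" subj=system_u:system_r:hypervkvp_t:s0 key=(null)
type=AVC msg=audit(1470892273.995:29): avc:  denied  { getattr } for  pid=1072 comm="pidof" path=2F7573722F7362696E2F706C796D6F75746864202864656C6574656429 dev="rootfs" ino=5641 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file
type=USER_AVC msg=audit(1469686121.836:195): pid=682 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.3 spid=4741 tpid=721 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=(null)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
# Fields the audit subsystem emits as uppercase hex (no quotes) when the
# value contains a space, a quote or a control byte; pidof's path above is one.
STRING_FIELDS = {"path", "name", "comm", "exe", "proctitle", "cwd"}
# Assumption: only the two x86_64 (arch=c000003e) numbers seen on this bug.
SYSCALL_NAMES_X86_64 = {4: "stat", 137: "statfs"}


def decode_audit_string(value):
    """Strip audit's quoting, or decode the hex form back to text."""
    if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """One audit record -> dict of its fields; None for non-record lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for key, raw in FIELD_RE.findall(line):
        rec[key] = decode_audit_string(raw) if key in STRING_FIELDS else raw.strip("'\"")
    # USER_AVC (dbus) nests the real denial inside msg='avc: ...'; parse that too.
    inner = rec.get("msg", "")
    if inner.startswith("avc:"):
        for key, raw in FIELD_RE.findall(inner):
            rec.setdefault(key, raw.strip("'\""))
    perms = PERMS_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def type_of(context):
    """system_u:system_r:hypervkvp_t:s0 -> hypervkvp_t"""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(text):
    """Return (denials, rules): one dict per AVC/USER_AVC record, plus
    audit2allow-style allow rules for each denied (source, target, class)."""
    records = [r for r in map(parse_record, text.splitlines()) if r]
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    needed = defaultdict(set)
    denials = []
    for r in records:
        if r["type"] not in ("AVC", "USER_AVC") or "perms" not in r:
            continue
        sc = syscalls.get(r["serial"])          # same serial = same event
        name = None
        if sc and sc.get("arch") == "c000003e":
            name = SYSCALL_NAMES_X86_64.get(int(sc["syscall"]))
        denial = {
            "serial": r["serial"],
            "comm": r.get("comm"),
            "source": type_of(r["scontext"]),
            "target": r.get("path") or r.get("name") or r.get("member"),
            "tclass": r.get("tclass"),
            "perms": r["perms"],
            "syscall": name,
        }
        denials.append(denial)
        # A dbus USER_AVC carries tclass=(null): no file rule can be derived from it.
        if r.get("tclass") not in (None, "(null)"):
            needed[(denial["source"], type_of(r["tcontext"]), r["tclass"])].update(r["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        joined = " ".join(sorted(perms))
        perm_text = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return denials, rules


if __name__ == "__main__":
    denials, rules = summarize(SAMPLE_RECORDS)
    for d in denials:
        print(f"{d['serial']:>4} {d['comm'] or '-':<11} {d['syscall'] or '-':<7} "
              f"{d['tclass'] or '-':<11} {d['target']}")
    print("\n".join(rules))
```

Reading the output against the bug's history explains why the fix was iterated: the filesystem-class denials come from statfs (syscall 137) against one filesystem type after another, which is why the Doc Text describes the final policy as allowing getattr on all filesystem types rather than listing sysfs, tmpfs, devpts and hugetlbfs one by one; the dir-class denial on /dev/hugepages comes from stat (syscall 4) and is a separate rule, which is what comments 4 and 6 reopened the bug over. The decoded pidof path, "/usr/sbin/plymouthd (deleted)", shows why a grep for a quoted path would miss that record entirely.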

Comment 18 xuli 2016-08-18 05:46:39 UTC
Verify passed on selinux-policy-3.13.1-94.el7 and kernel 3.10.0-493.el7.x86_64, after doing ip-injection to the VM by script directly, and ip-injection with replication.

1) No AVC audit log after ip-injection in enforcing and permissive mode.
2) "systemctl status hypervkvpd" is running without error.
3) ifconfig shows the injected IP correctly.

Comment 20 errata-xmlrpc 2016-11-04 02:32:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

