Bug 1349798 - Denial AVC's related to dbus daemon is seen in audit.logs
Summary: Denial AVC's related to dbus daemon is seen in audit.logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1393494
Reported: 2016-06-24 09:42 UTC by Shashank Raj
Modified: 2017-08-01 15:12 UTC
CC List: 18 users

Fixed In Version: selinux-policy-3.13.1-107.el7
Doc Type: Bug Fix
Doc Text:
Cause: Configuring ganesha (2.3.1-8). Consequence: SELinux denials appeared in audit.log. These AVCs blocked communication between the cluster_t domain and the fprintd_t domain via D-Bus. Fix: Allow communication between cluster_t and fprintd_t via D-Bus in the SELinux policy. Result: The cluster_t and fprintd_t domains can communicate via D-Bus and there are no denials in audit.log.
Clone Of: 1349796
Clones: 1393494
Environment:
Last Closed: 2017-08-01 15:12:40 UTC
Target Upstream Version:
Embargoed:
Links
System: Red Hat Product Errata
ID: RHBA-2017:1861
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2017-08-01 17:50:24 UTC

Comment 4 Shashank Raj 2016-09-30 11:22:39 UTC
This issue is seen with RHEL 7 in recent testing, because of which pcs cluster authentication sometimes fails and results in failure to set up the nfs-ganesha cluster.

Mostly seen while we install RHGS using the ISO.

We will need a fix for this in the next RHEL 7 update.

Comment 6 surabhi 2016-11-08 18:42:40 UTC
I tried setting up ganesha on the RHGS ISO based on RHEL 7.3 and encountered the following AVCs:

type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.955 spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


and the pcs cluster auth fails with the following error:

:failed: [10.70.47.161] (item=10.70.46.128) => {"changed": true, "cmd": "pcs cluster auth -u hacluster -p hacluster 10.70.46.128", "delta": "0:00:55.672225", "end": "2016-11-08 08:44:01.921278", "failed": true, "item": "10.70.46.128", "rc": 1, "start": "2016-11-08 08:43:06.249053", "stderr": "Error: Unable to communicate with 10.70.46.128", "stdout": "", "stdout_lines": [], "warnings": []}

This needs to be fixed sooner, as nfs-ganesha setup will fail on the 7.3-based RHGS ISO.

Comment 7 surabhi 2016-11-09 08:15:41 UTC
Please suggest the workaround or local policy for this issue.

Comment 8 Milos Malik 2016-11-09 09:20:01 UTC
# cat bz1349798.te 
policy_module(bz1349798,1.0)

require {
  type fprintd_t;
  type cluster_t;
  class dbus { send_msg };
}

allow fprintd_t cluster_t : dbus { send_msg };
allow cluster_t fprintd_t : dbus { send_msg };

# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted bz1349798 module
/usr/bin/checkmodule:  loading policy configuration from tmp/bz1349798.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bz1349798.mod
Creating targeted bz1349798.pp policy package
rm tmp/bz1349798.mod tmp/bz1349798.mod.fc
# semodule -i bz1349798.pp
#
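The USER_AVC record in comment 6 and the allow rules in comment 8 are the two ends of one workflow: read the denial, pull out the source type, target type, object class and permission, and turn them into a rule. The script below is an added example, not code from this bug, from Red Hat or from the selinux-policy project. It parses both dbus-daemon USER_AVC records (where the avc text is nested inside msg='...') and plain kernel AVC records, aggregates them the way audit2allow -M does, renders a .te file in the layout of bz1349798.te, and flags D-Bus pairs where send_msg was denied in only one direction. The first sample line is the record from comment 6; the second sample line, the nfsd_t/etc_t denial and the module name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input. The first record is the USER_AVC line quoted in
# comment 6 of this bug; the second is a made-up kernel AVC (file access, not
# D-Bus) to show that both record shapes are handled by the same parser.
SAMPLE_AUDIT_LINES = [
    "type=USER_AVC msg=audit(1478610842.335:9956): pid=700 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.955 "
    "spid=27072 tpid=26238 scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:system_r:cluster_t:s0 tclass=dbus  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    # constructed, not taken from the bug
    "type=AVC msg=audit(1478610900.000:9960): avc:  denied  { read open } for  "
    "pid=1234 comm=\"ganesha.nfsd\" name=\"ganesha.conf\" dev=\"dm-0\" ino=42 "
    "scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:etc_t:s0 "
    "tclass=file permissive=0",
]

TYPE_RE = re.compile(r"^type=(\w+)")
# "avc:  denied  { perm perm } for key=value ..." (kernel and USER_AVC alike)
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be double- or single-quoted or bare tokens
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def context_type(ctx):
    """Return the type component of an SELinux context user:role:type[:range]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one kernel AVC or dbus-daemon USER_AVC audit record.

    Returns None when the line is not a denial; otherwise a dict with the
    record type, the denied permissions, source and target types, the object
    class, and the remaining key=value fields (pids, exe, msgtype, ...).
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    rec_type = TYPE_RE.match(line)
    return {
        "type": rec_type.group(1) if rec_type else "UNKNOWN",
        "perms": m.group("perms").split(),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def collect_rules(lines):
    """Aggregate denials into {(stype, ttype, tclass): set(perms)}, the shape an
    allow rule needs. Non-denial or unparseable lines are skipped."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def one_way_dbus_pairs(rules):
    """Return (a, b) pairs where dbus send_msg was denied only from a to b.

    A D-Bus method_call is answered by a method_return travelling the other
    way, so a one-way denial often means the reverse direction is already
    allowed or simply has not been exercised yet; the module in comment 8
    allows both directions.
    """
    pairs = []
    for (s, t, cls), perms in sorted(rules.items()):
        if cls == "dbus" and "send_msg" in perms and (t, s, "dbus") not in rules:
            pairs.append((s, t))
    return pairs


def render_te_module(name, rules):
    """Render policy_module() source in the layout of the bz1349798.te file in
    comment 8: a require block for types and classes, then one allow rule per
    (source, target, class) key."""
    types = sorted({typ for s, t, _ in rules for typ in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"policy_module({name},1.0)", "", "require {"]
    out += [f"  type {typ};" for typ in types]
    out += [f"  class {cls} {{ {' '.join(sorted(perms))} }};"
            for cls, perms in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t} : {cls} {{ {' '.join(sorted(perms))} }};"
            for (s, t, cls), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = collect_rules(SAMPLE_AUDIT_LINES)
    print(render_te_module("bz1349798_example", found))
    for a, b in one_way_dbus_pairs(found):
        print(f"# note: send_msg denied only {a} -> {b}; check the reverse direction too")
```

Feeding real audit.log lines in (for example via `ausearch -m AVC,USER_AVC` piped to this script) yields the same (stype, ttype, tclass) keys that audit2allow reports; the point of the one-way check is that, as in comment 6, the audit log may only show the method_return leg of a D-Bus exchange even though both legs have to be allowed for the call to succeed.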

Comment 9 surabhi 2016-11-09 09:49:55 UTC
Verified the above policy and it works fine. The hacluster error is not seen and there are no AVCs.

Comment 10 Soumya Koduri 2016-11-09 10:12:53 UTC
Milos,
Do you have any insights on why these AVCs are seen with only ISO but not with layered install of RHGS server on RHEL7?

Comment 11 Milos Malik 2016-11-09 10:59:54 UTC
The D-Bus communication, which was denied, involves two processes (not counting the system D-Bus server). One of them is running under cluster_t and the second as fprintd_t. The fact that we don't see the SELinux denials could be caused by:
* fprintd package was not installed or there was no process running under fprintd_t context
* there was no process running under cluster_t
* audit daemon (which collects SELinux denials) was not running

Comment 12 Bipin Kunal 2016-11-09 11:34:20 UTC
With the last comment (C#11), it seems that it is possible to see the issue even with a layered install if we meet the above criteria.

Maybe the QE team should test the layered install with the above scenario (C#11) as well.

This will help us in documenting the issue properly until the issue gets fixed in RHEL.

Comment 13 Bipin Kunal 2016-11-09 11:37:14 UTC
I obviously meant above comment for Gluster team.

Comment 19 surabhi 2016-11-18 09:21:11 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1349796 is verified on RHGS with the latest selinux build.

selinux-policy-3.13.1-102.el7_3.6

Comment 22 errata-xmlrpc 2017-08-01 15:12:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

