Bug 1389191 - psad fails to start due to SELinux denials
Summary: psad fails to start due to SELinux denials
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1281755
Reported: 2016-10-27 07:20 UTC by Dominik 'Rathann' Mierzejewski
Modified: 2017-10-12 12:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-12 12:19:32 UTC
Target Upstream Version:
Embargoed:


Attachments
SELinux denials caught in enforcing mode (169.39 KB, text/plain), 2016-10-27 08:40 UTC, Milos Malik
SELinux denials caught in permissive mode (148.88 KB, text/plain), 2016-10-27 08:41 UTC, Milos Malik

Description Dominik 'Rathann' Mierzejewski 2016-10-27 07:20:27 UTC
Description of problem:
psad fails to start due to SELinux denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7_2.9.noarch

How reproducible:
Always.

Steps to Reproduce:
1. wget -O /etc/yum.repos.d/rathann-psad-epel-7.repo https://copr.fedorainfracloud.org/coprs/rathann/psad/repo/epel-7/rathann-psad-epel-7.repo
2. yum install psad
3. semodule -r psad-rpm # remove policy bits installed by the above package
4. systemctl start psad.service

Actual results:
psad fails to start due to SELinux denials:
type=AVC msg=audit(1477510658.428:28855): avc:  denied  { write } for  pid=27489 comm="sh" path="/var/log/psad/psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.604:28857): avc:  denied  { read } for  pid=27486 comm="psad" name="psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.644:28858): avc:  denied  { unlink } for  pid=27486 comm="psad" name="psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { execute } for  pid=27522 comm="psad" name="journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { read open } for  pid=27522 comm="psad" path="/usr/bin/journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { execute_no_trans } for  pid=27522 comm="psad" path="/usr/bin/journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28862): avc:  denied  { getattr } for  pid=27522 comm="journalctl" path="/proc/1/environ" dev="proc" ino=281127 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28863): avc:  denied  { sys_resource } for  pid=27522 comm="journalctl" capability=24  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=capability
type=AVC msg=audit(1477510658.985:28864): avc:  denied  { read } for  pid=27522 comm="journalctl" name="journal" dev="tmpfs" ino=12340 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1477510658.986:28865): avc:  denied  { read } for  pid=27522 comm="journalctl" name="system.journal" dev="tmpfs" ino=12342 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1477510658.986:28865): avc:  denied  { open } for  pid=27522 comm="journalctl" path="/run/log/journal/c86086bcec664c19b7a5f75f9bdf9651/system.journal" dev="tmpfs" ino=12342 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1477510658.986:28866): avc:  denied  { getattr } for  pid=27522 comm="journalctl" path="/run/log/journal/c86086bcec664c19b7a5f75f9bdf9651/system.journal" dev="tmpfs" ino=12342 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1477510658.987:28867): avc:  denied  { rename } for  pid=27520 comm="psad" name="top_ports.tmp" dev="dm-0" ino=33621384 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510659.511:28898): avc:  denied  { write } for  pid=27520 comm="psad" path="/var/log/psad/top_ports.tmp" dev="dm-0" ino=33621381 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510659.511:28899): avc:  denied  { rename } for  pid=27520 comm="psad" name="top_ports.tmp" dev="dm-0" ino=33621381 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510659.511:28899): avc:  denied  { unlink } for  pid=27520 comm="psad" name="top_ports" dev="dm-0" ino=33621384 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file

Expected results:
psad starts and works.

Additional info:
Here are the missing policy bits (added by my copr package):

module psad-rpm 1.0;

require {
    type psad_t;
    type psad_var_log_t;
    type init_t;
    type journalctl_exec_t;
    type syslogd_var_run_t;
    class file { read execute open execute_no_trans getattr rename unlink write };
    class dir { read };
    class capability { sys_resource };
}
 
#============= psad_t ==============
allow psad_t init_t:file getattr;
allow psad_t journalctl_exec_t:file { read execute open execute_no_trans };
allow psad_t psad_var_log_t:file { write read rename unlink };
allow psad_t self:capability sys_resource;
allow psad_t syslogd_var_run_t:dir read;
allow psad_t syslogd_var_run_t:file { read getattr open };
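The allow rules in the module above are what audit2allow derives from the AVC records quoted earlier. As an added example (not part of this bug report, the psad package or the selinux-policy project), here is a small Python parser that performs the same grouping: it reads AVC lines, keys them by source type, target type and object class, collapses a target equal to the source into `self` (the capability denial above), and renders a type-enforcement module. The three sample records are copied from the denials quoted in this report; the module name `psad_local` is an assumption.

```python
import re
from collections import defaultdict

# Sample input: three of the AVC records quoted in this bug report (constructed copy for the demo).
SAMPLE_AVCS = """\
type=AVC msg=audit(1477510658.428:28855): avc:  denied  { write } for  pid=27489 comm="sh" path="/var/log/psad/psad_iptout.CVQLM3" dev="dm-0" ino=33621377 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:psad_var_log_t:s0 tclass=file
type=AVC msg=audit(1477510658.922:28860): avc:  denied  { read open } for  pid=27522 comm="psad" path="/usr/bin/journalctl" dev="dm-0" ino=33584123 scontext=system_u:system_r:psad_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file
type=AVC msg=audit(1477510658.985:28863): avc:  denied  { sys_resource } for  pid=27522 comm="journalctl" capability=24  scontext=system_u:system_r:psad_t:s0 tcontext=system_u:system_r:psad_t:s0 tclass=capability
"""

# One AVC record: the denied permission set, then the source/target contexts and object class.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(ctx):
    """Third field of user:role:type[:range] is the SELinux type."""
    return ctx.split(":")[2]

def collect_rules(lines):
    """Group denials by (source type, target type, class) and union the permissions.
    A target identical to the source becomes 'self', as audit2allow prints it."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:  # not an AVC record (or a truncated one): skip rather than guess
            continue
        src, tgt = context_type(m.group("sctx")), context_type(m.group("tctx"))
        if tgt == src:
            tgt = "self"
        rules[(src, tgt, m.group("tclass"))] |= set(m.group("perms").split())
    return dict(rules)

def render_te(rules, module="psad_local", version="1.0"):
    """Render a .te module: require block, then one allow rule per key."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AVCS.splitlines())), end="")
```

Review the rendered rules before loading them: every allow line you keep widens the psad_t domain, so drop any that grant more than the failing operation needs.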

Comment 2 Milos Malik 2016-10-27 08:34:04 UTC
Seen in permissive mode:

# ausearch -m avc -m user_avc -i -ts 04:29 | audit2allow
allow psad_t NetworkManager_t:dir { getattr search };
allow psad_t NetworkManager_t:file { open read };
allow psad_t auditd_t:dir { getattr search };
allow psad_t auditd_t:file { open read };
allow psad_t avahi_t:dir { getattr search };
allow psad_t avahi_t:file { open read };
allow psad_t crond_t:dir { getattr search };
allow psad_t crond_t:file { open read };
allow psad_t dhcpc_t:dir { getattr search };
allow psad_t dhcpc_t:file { open read };
allow psad_t getty_t:dir { getattr search };
allow psad_t getty_t:file { open read };
allow psad_t getty_t:lnk_file read;
allow psad_t gssproxy_t:dir { getattr search };
allow psad_t gssproxy_t:file { open read };
allow psad_t init_t:file { getattr open read };
allow psad_t journalctl_exec_t:file { execute execute_no_trans open read };
allow psad_t kernel_t:dir { getattr search };
allow psad_t kernel_t:file { open read };
allow psad_t lvm_t:dir { getattr search };
allow psad_t lvm_t:file { open read };
allow psad_t modemmanager_t:dir { getattr search };
allow psad_t modemmanager_t:file { open read };
allow psad_t nfsd_t:dir { getattr search };
allow psad_t nfsd_t:file { open read };
allow psad_t policykit_t:dir { getattr search };
allow psad_t policykit_t:file { open read };
allow psad_t psad_var_log_t:file { read rename unlink write };
allow psad_t rhnsd_t:dir { getattr search };
allow psad_t rhnsd_t:file { open read };
allow psad_t rhsmcertd_t:dir { getattr search };
allow psad_t rhsmcertd_t:file { open read };
allow psad_t rpcbind_t:dir { getattr search };
allow psad_t rpcbind_t:file { open read };
allow psad_t rpcd_t:dir { getattr search };
allow psad_t rpcd_t:file { open read };
allow psad_t self:capability sys_resource;
allow psad_t self:process setrlimit;
allow psad_t sendmail_t:dir { getattr search };
allow psad_t sendmail_t:file { open read };
allow psad_t sshd_t:dir { getattr search };
allow psad_t sshd_t:file { open read };
allow psad_t syslogd_t:dir { getattr search };
allow psad_t syslogd_t:file { open read };
allow psad_t syslogd_var_run_t:dir read;
allow psad_t syslogd_var_run_t:file { getattr open read };
allow psad_t system_cronjob_t:dir { getattr search };
allow psad_t system_cronjob_t:file { open read };
allow psad_t system_dbusd_t:dbus send_msg;
allow psad_t system_dbusd_t:dir { getattr search };
allow psad_t system_dbusd_t:file { open read };
allow psad_t system_dbusd_t:unix_stream_socket connectto;
allow psad_t system_mail_t:dir { getattr search };
allow psad_t system_mail_t:file { open read };
allow psad_t systemd_logind_t:dir { getattr search };
allow psad_t systemd_logind_t:file { open read };
allow psad_t tuned_t:dir { getattr search };
allow psad_t tuned_t:file { open read };
allow psad_t udev_t:dir { getattr search };
allow psad_t udev_t:file { open read };
allow psad_t unconfined_t:dir { getattr search };
allow psad_t unconfined_t:file { open read };
allow psad_t unconfined_t:lnk_file read;

Raw SELinux denials will be attached soon.

Comment 3 Milos Malik 2016-10-27 08:40:56 UTC
Created attachment 1214523 [details]
SELinux denials caught in enforcing mode

Comment 4 Milos Malik 2016-10-27 08:41:44 UTC
Created attachment 1214524 [details]
SELinux denials caught in permissive mode

Comment 5 Frank Crawford 2016-11-27 10:15:19 UTC
Note that while this has been reported against RHEL7.2, I've seen similar issues with Fedora 24.

Also, the actual SELinux denials seem to come from searches of /proc, and so will depend on what processes are actually running.

Comment 6 Dominik 'Rathann' Mierzejewski 2016-11-27 17:39:11 UTC
Fedora issue is fixed already.

I believe the /proc denials are the result of psad trying to find out which process is listening on which port and do not actually prevent it from running.

Comment 7 Frank Crawford 2016-11-28 10:18:26 UTC
I wasn't sure if the issue was fixed in Fedora yet, as I run in permissive mode, however the denials in /proc are a major issue, as they cause setroubleshoot to run almost continuously, pretty much using an entire CPU.

Comment 8 Dominik 'Rathann' Mierzejewski 2016-11-28 22:41:41 UTC
(In reply to Frank Crawford from comment #7)
> I wasn't sure if the issue was fixed in Fedora yet,

I meant that only the non-proc denials are fixed in Fedora. They're temporarily fixed in the psad package, selinux update is still pending.

> as I run in permissive
> mode, however the denials in /proc are a major issue, as they cause
> setroubleshoot to run almost continuously, pretty much using an entire CPU.

Ah. I don't run setroubleshoot, so I'm not seeing this. In your case it looks like a real issue, then.

Comment 10 Lukas Vrabec 2017-10-12 12:19:32 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration

We believe this bug can be fixed via a local policy module.
For more information please see:

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
