Bug 1415960 - cimserver is blocked by selinux with sblim-sfcb service
Summary: cimserver is blocked by selinux with sblim-sfcb service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1393066
Reported: 2017-01-24 09:04 UTC by Jingjing Shao
Modified: 2018-10-30 10:00 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:46 UTC
Target Upstream Version:
Embargoed:
Links:
Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:00:50 UTC)

Description Jingjing Shao 2017-01-24 09:04:34 UTC
Description of problem:
cimserver is blocked with sblim-sfcb service by selinux

Version-Release number of selected component (if applicable):
3.10.0-534.el7.x86_64
selinux-policy-3.13.1-114.el7.noarch
libvirt-cim-0.6.3-19.el7.x86_64
tog-pegasus-2.14.1-3.el7.x86_64
sblim-sfcb-1.3.16-12.el7_0.x86_64
libvirt-2.5.0-1.virtcov.el7.x86_64
qemu-kvm-rhev-2.8.0-2.el7.x86_64


How reproducible:
100%

Steps to Reproduce:
1. Test tog-pegasus with selinux disabled
[root@ucs2-b200-6 cimtest]# getenforce
Permissive

[root@ucs2-b200-6 cimtest]# CIM_NS=root/virt CIM_USER=root CIM_PASS=qum5net ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Enter passphrase: 
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: PASS
--------------------------------------------------------------------



2. Test tog-pegasus with selinux enabled
[root@ucs2-b200-6 cimtest]# getenforce
Enforcing

[root@ucs2-b200-6 cimtest]# CIM_NS=root/virt CIM_USER=root CIM_PASS=qum5net ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Enter passphrase: 
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: PASS
--------------------------------------------------------------------


3. Test sblim-sfcb with selinux disabled
[root@ucs2-b200-6 cimtest]# getenforce
Permissive

[root@ucs2-b200-6 cimtest]# service  sblim-sfcb start
Redirecting to /bin/systemctl start  sblim-sfcb.service

# CIM_NS=root/virt CIM_USER=root CIM_PASS=qum5net ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Enter passphrase: 
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: PASS
--------------------------------------------------------------------

4. Test sblim-sfcb with selinux enabled
[root@ucs2-b200-6 audit]# getenforce 
Enforcing

# CIM_NS=root/virt CIM_USER=root CIM_PASS=qum5net ./runtests libvirt-cim -v KVM localhost -g ComputerSystem -t 03_defineVS.py
Enter passphrase: 
Starting test suite: libvirt-cim

Testing KVM hypervisor
--------------------------------------------------------------------
ComputerSystem - 03_defineVS.py: FAIL
ERROR 	- Got CIM error SystemSettings Error with return code 1
ERROR 	- Failed to define a domain with the name domU1 from virsh
InvokeMethod(DefineSystem): SystemSettings Error
--------------------------------------------------------------------


Expected results:
Step 4 should pass

Actual results:
Step 4 fails


Additional info:
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=USER_AVC msg=audit(24/01/17 10:55:14.312:89) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(24/01/17 10:55:51.465:142) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7f254c0b45b0 a1=0x7f2559806220 a2=0x7f2559806220 a3=0x2 items=0 ppid=8008 pid=8290 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sfcbd exe=/usr/sbin/sfcbd subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null) 
type=AVC msg=audit(24/01/17 10:55:51.465:142) : avc:  denied  { getattr } for  pid=8290 comm=sfcbd path=/usr/libexec/qemu-kvm dev="dm-0" ino=279800 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file 
----
type=USER_AVC msg=audit(24/01/17 10:56:11.451:182) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(24/01/17 10:56:11.768:187) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7f254c089000 a1=0x7f2559806220 a2=0x7f2559806220 a3=0x7f255d89cc70 items=0 ppid=8008 pid=8629 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sfcbd exe=/usr/sbin/sfcbd subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null) 
type=AVC msg=audit(24/01/17 10:56:11.768:187) : avc:  denied  { getattr } for  pid=8629 comm=sfcbd path=/usr/libexec/qemu-kvm dev="dm-0" ino=279800 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file 
----
type=USER_AVC msg=audit(24/01/17 10:58:20.238:231) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=SYSCALL msg=audit(24/01/17 10:58:20.252:232) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7ffe75dd3060 a1=O_RDWR|O_CREAT a2=0666 a3=0x211d items=0 ppid=8915 pid=8921 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirt_leasesh exe=/usr/libexec/libvirt_leaseshelper subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(24/01/17 10:58:20.252:232) : avc:  denied  { open } for  pid=8921 comm=libvirt_leasesh path=/mnt/coverage/BUILD/libvirt-2.5.0/src/util/.libs/libvirt_util_la-viruuid.gcda dev="dm-0" ino=399131 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file 
type=AVC msg=audit(24/01/17 10:58:20.252:232) : avc:  denied  { write } for  pid=8921 comm=libvirt_leasesh name=libvirt_util_la-viruuid.gcda dev="dm-0" ino=399131 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file 
----
type=SYSCALL msg=audit(24/01/17 10:58:20.253:233) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7ffe75dd3060 a1=O_RDWR|O_CREAT a2=0666 a3=0x314 items=0 ppid=8915 pid=8921 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirt_leasesh exe=/usr/libexec/libvirt_leaseshelper subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(24/01/17 10:58:20.253:233) : avc:  denied  { open } for  pid=8921 comm=libvirt_leasesh path=/mnt/coverage/BUILD/libvirt-2.5.0/src/network/libvirt_leaseshelper-leaseshelper.gcda dev="dm-0" ino=401685 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=file 
type=AVC msg=audit(24/01/17 10:58:20.253:233) : avc:  denied  { read write } for  pid=8921 comm=libvirt_leasesh name=libvirt_leaseshelper-leaseshelper.gcda dev="dm-0" ino=401685 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=file 
----
type=SYSCALL msg=audit(24/01/17 10:58:20.253:234) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x3 a1=F_SETLKW a2=0x7ffe75dd2f90 a3=0x314 items=0 ppid=8915 pid=8921 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirt_leasesh exe=/usr/libexec/libvirt_leaseshelper subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(24/01/17 10:58:20.253:234) : avc:  denied  { lock } for  pid=8921 comm=libvirt_leasesh path=/mnt/coverage/BUILD/libvirt-2.5.0/src/network/libvirt_leaseshelper-leaseshelper.gcda dev="dm-0" ino=401685 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=file 
----
type=SYSCALL msg=audit(24/01/17 10:58:20.253:235) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffe75dd2fb0 a2=0x7ffe75dd2fb0 a3=0x24 items=0 ppid=8915 pid=8921 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=libvirt_leasesh exe=/usr/libexec/libvirt_leaseshelper subj=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(24/01/17 10:58:20.253:235) : avc:  denied  { getattr } for  pid=8921 comm=libvirt_leasesh path=/mnt/coverage/BUILD/libvirt-2.5.0/src/network/libvirt_leaseshelper-leaseshelper.gcda dev="dm-0" ino=401685 scontext=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=file 
----
type=SYSCALL msg=audit(24/01/17 10:58:20.552:240) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7f254c028410 a1=0x7f2552b28220 a2=0x7f2552b28220 a3=0xfffffffffffff5a5 items=0 ppid=8008 pid=9047 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sfcbd exe=/usr/sbin/sfcbd subj=system_u:system_r:sblim_sfcbd_t:s0 key=(null) 
type=AVC msg=audit(24/01/17 10:58:20.552:240) : avc:  denied  { getattr } for  pid=9047 comm=sfcbd path=/usr/libexec/qemu-kvm dev="dm-0" ino=279800 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file
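The ausearch output above pairs each AVC record with the SYSCALL record of the same event id, and the SYSCALL's success= field tells you whether the denial actually blocked the process (enforcing) or was only logged (permissive, which is why step 3 passed). The following is an added triage script, not code from the bug report or from selinux-policy; the sample records are constructed copies of two events from this report with unrelated fields trimmed, and the generated allow line is the shape audit2allow derives from such records, for review before any policy change.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the bug's "ausearch -i" output (fields trimmed):
# event 142 was raised while enforcing (stat failed with EACCES); event 187 is the
# same denial logged while permissive, where the stat succeeded anyway.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(24/01/17 10:55:51.465:142) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) comm=sfcbd exe=/usr/sbin/sfcbd subj=system_u:system_r:sblim_sfcbd_t:s0
type=AVC msg=audit(24/01/17 10:55:51.465:142) : avc:  denied  { getattr } for  pid=8290 comm=sfcbd path=/usr/libexec/qemu-kvm dev="dm-0" ino=279800 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(24/01/17 10:56:11.768:187) : arch=x86_64 syscall=stat success=yes exit=0 comm=sfcbd exe=/usr/sbin/sfcbd subj=system_u:system_r:sblim_sfcbd_t:s0
type=AVC msg=audit(24/01/17 10:56:11.768:187) : avc:  denied  { getattr } for  pid=8629 comm=sfcbd path=/usr/libexec/qemu-kvm dev="dm-0" ino=279800 scontext=system_u:system_r:sblim_sfcbd_t:s0 tcontext=system_u:object_r:qemu_exec_t:s0 tclass=file
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\([^)]*:(\d+)\) : (.*)$")
AVC_RE = re.compile(r"denied\s+\{ ([^}]+) \} for .*?(?:path|name)=(\S+).*"
                    r"scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

def parse_events(text):
    """Group SYSCALL and AVC records by audit event id (the number after the timestamp)."""
    events = defaultdict(lambda: {"success": None, "avcs": []})
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:                      # "----" separators and anything else
            continue
        rtype, eid, body = m.group(1), int(m.group(2)), m.group(3)
        if rtype == "SYSCALL":
            s = re.search(r"success=(yes|no)", body)
            events[eid]["success"] = s.group(1) if s else None
        elif rtype == "AVC":
            a = AVC_RE.search(body)
            if a:                      # context is user:role:type:level; policy rules name the type
                events[eid]["avcs"].append({
                    "perms": a.group(1).split(), "target": a.group(2),
                    "stype": a.group(3).split(":")[2], "ttype": a.group(4).split(":")[2],
                    "tclass": a.group(5)})
    return events

def denials(text):
    """One row per AVC; blocked is True only when the paired syscall really failed."""
    return [dict(avc, event=eid, blocked=(ev["success"] == "no"))
            for eid, ev in sorted(parse_events(text).items()) for avc in ev["avcs"]]

def allow_rules(rows):
    """Merge rows into the allow lines audit2allow would derive; review them, never apply blindly."""
    merged = defaultdict(set)
    for r in rows:
        merged[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items())
```

On a live system feed it the output of the ausearch command from the report; a denial whose syscall still shows success=yes is a permissive-mode log entry, not the cause of a failing test.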

Comment 6 errata-xmlrpc 2018-10-30 09:59:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

