Red Hat Bugzilla – Bug 1428568
AVC denials for ldap-agent from 389-ds-base-snmp
Last modified: 2018-04-10 08:29:13 EDT
Description of problem:
ldap-agent from 389-ds-base-snmp can't be executed because of denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-123.el7.noarch
389-ds-base-snmp-1.3.5.10-18.el7_3.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install 389-ds-base-snmp
2. semodule --disable_dontaudit --build
3. ldap-agent

Actual results:
# ldap-agent
(no output is produced)
# ausearch -m AVC
----
time->Thu Mar 2 15:38:40 2017
type=SYSCALL msg=audit(1488487120.219:295): arch=c000003e syscall=59 success=yes exit=0 a0=17c66d0 a1=17c62a0 a2=17c33c0 a3=7fff2e8b96f0 items=0 ppid=14385 pid=14386 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="ldap-agent-bin" exe="/usr/sbin/ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(1488487120.219:295): avc: denied { read append } for pid=14386 comm="ldap-agent-bin" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1488487120.219:295): avc: denied { read append } for pid=14386 comm="ldap-agent-bin" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1488487120.219:295): avc: denied { read append } for pid=14386 comm="ldap-agent-bin" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1488487120.219:295): avc: denied { read write } for pid=14386 comm="ldap-agent-bin" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file

Expected results:
# ldap-agent
Usage: ldap-agent [-D] configfile
       -D    Enable debug logging

Additional info:
The following SELinux denials appear in permissive mode after disabling dontaudit rules:

----
type=PATH msg=audit(03/03/2017 01:40:58.273:295) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=9646 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
type=PATH msg=audit(03/03/2017 01:40:58.273:295) : item=0 name=/usr/sbin/ldap-agent-bin inode=23130 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dirsrv_snmp_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(03/03/2017 01:40:58.273:295) : cwd=/root
type=EXECVE msg=audit(03/03/2017 01:40:58.273:295) : argc=1 a0=/usr/sbin/ldap-agent-bin
type=SYSCALL msg=audit(03/03/2017 01:40:58.273:295) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x226f3b0 a1=0x226efa0 a2=0x226c030 a3=0x7ffebb4b4af0 items=2 ppid=1484 pid=1485 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ldap-agent-bin exe=/usr/sbin/ldap-agent-bin subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(03/03/2017 01:40:58.273:295) : avc: denied { append } for pid=1485 comm=ldap-agent-bin path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(03/03/2017 01:40:58.273:295) : avc: denied { read write } for pid=1485 comm=ldap-agent-bin path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----
type=SYSCALL msg=audit(03/03/2017 01:40:58.278:296) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7ffe65725a90 a2=0x7ffe65725a90 a3=0x7ffe65725a50 items=0 ppid=1484 pid=1485 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=ldap-agent-bin exe=/usr/sbin/ldap-agent-bin subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(03/03/2017 01:40:58.278:296) : avc: denied { getattr } for pid=1485 comm=ldap-agent-bin path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
----

In permissive mode the output contains what's expected:

# ldap-agent
Usage: ldap-agent [-D] configfile
       -D    Enable debug logging
#
# matchpathcon /usr/sbin/ldap-agent
/usr/sbin/ldap-agent	system_u:object_r:initrc_exec_t:s0
# matchpathcon /usr/sbin/ldap-agent-bin
/usr/sbin/ldap-agent-bin	system_u:object_r:dirsrv_snmp_exec_t:s0
# ls -l /usr/sbin/ldap-agent
-rwxr-xr-x. 1 root root 32600 Jan 26 10:16 /usr/sbin/ldap-agent
# ls -l /usr/sbin/ldap-agent-bin
ls: cannot access /usr/sbin/ldap-agent-bin: No such file or directory
#

Is it expected that ldap-agent-bin is missing? yum and repoquery do not help.
# matchpathcon /usr/sbin/ldap-agent
/usr/sbin/ldap-agent	system_u:object_r:initrc_exec_t:s0
# ls -l /usr/sbin/ldap-agent
-rwxr-xr-x. 1 root root 32600 Jan 26 10:16 /usr/sbin/ldap-agent
# matchpathcon /usr/sbin/ldap-agent-bin
/usr/sbin/ldap-agent-bin	system_u:object_r:dirsrv_snmp_exec_t:s0
# ls -l /usr/sbin/ldap-agent-bin
ls: cannot access /usr/sbin/ldap-agent-bin: No such file or directory
#

The fact that wrappers were removed and binaries were renamed means that the file context pattern in selinux-policy needs to be improved. With the latest selinux-policy installed the ldap-agent process runs as initrc_t (output from the automated TC proves it), but it should run as dirsrv_snmp_t.

:: [ 02:48:26 ] :: [ BEGIN ] :: Running 'service dirsrv-snmp start'
Redirecting to /bin/systemctl start dirsrv-snmp.service
:: [ 02:48:31 ] :: [ PASS ] :: Command 'service dirsrv-snmp start' (Expected 0, got 0)
:: [ 02:48:32 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "ldap-agent"'
system_u:system_r:initrc_t:s0   root 22523     1  0 02:48 ?        00:00:00 /usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf
:: [ 02:48:32 ] :: [ PASS ] :: Command 'ps -efZ | grep -v " grep " | grep -E "ldap-agent"' (Expected 0, got 0)
:: [ 02:48:32 ] :: [ BEGIN ] :: Running 'ps -efZ | grep -v " grep " | grep -E "dirsrv_snmp_t.*ldap-agent"'
:: [ 02:48:32 ] :: [ FAIL ] :: Command 'ps -efZ | grep -v " grep " | grep -E "dirsrv_snmp_t.*ldap-agent"' (Expected 0, got 1)
:: [ 02:48:33 ] :: [ BEGIN ] :: Running 'service dirsrv-snmp status'
Redirecting to /bin/systemctl status dirsrv-snmp.service
● dirsrv-snmp.service - 389 Directory Server SNMP Subagent.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv-snmp.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-02-07 02:48:31 EST; 2s ago
  Process: 22521 ExecStart=/usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf (code=exited, status=0/SUCCESS)
 Main PID: 22523 (ldap-agent)
   CGroup: /system.slice/dirsrv-snmp.service
           └─22523 /usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf

Feb 07 02:48:26 qeos-17.lab.eng.rdu2.redhat.com systemd[1]: Starting 389 Dire...
Feb 07 02:48:31 qeos-17.lab.eng.rdu2.redhat.com ldap-agent[22521]: ldap-agent...
Feb 07 02:48:31 qeos-17.lab.eng.rdu2.redhat.com systemd[1]: Started 389 Direc...
Hint: Some lines were ellipsized, use -l to show in full.
:: [ 02:48:33 ] :: [ PASS ] :: Command 'service dirsrv-snmp status' (Expected 0,1,3, got 0)
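Added example, not code from this bug report nor from 389-ds-base or selinux-policy: the two checks performed in this thread written as shell functions. The first condenses AVC records like those quoted in the description and the permissive-mode comment into the single allow rule they imply, which is the aggregation audit2allow performs; the second is the process-domain check from the automated TC in the previous comment, applied to ps -efZ output. The AVC and ps -efZ sample lines are constructed from the ones quoted above, and the function names (avc_to_allow, process_domain_of, check_domain) are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report, 389-ds-base or selinux-policy).
# Function names here are this example's own; the sample data is constructed
# from lines quoted in the report.

# Constructed sample: AVC records from the report (repeated { read append }
# records collapsed to one, the getattr record from the permissive run added),
# plus a SYSCALL record that must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1488487120.219:295): avc: denied { read append } for pid=14386 comm="ldap-agent-bin" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1488487120.219:295): avc: denied { read write } for pid=14386 comm="ldap-agent-bin" path="/dev/pts/0" dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1488487120.219:295): arch=c000003e syscall=59 success=yes exit=0 comm="ldap-agent-bin" subj=unconfined_u:system_r:dirsrv_snmp_t:s0 key=(null)
type=AVC msg=audit(03/03/2017 01:40:58.278:296) : avc: denied { getattr } for pid=1485 comm=ldap-agent-bin path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:system_r:dirsrv_snmp_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file'

# avc_to_allow: read AVC records on stdin and print one
#   allow <source type> <target type>:<class> { perms };
# line per (source, target, class), with the permissions of all matching
# records merged and sorted. Non-AVC records are skipped.
avc_to_allow() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      # permissions are the words between "{" and "}"
      if (!match($0, /[{][^}]*[}]/)) next
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        # a context is user:role:type:level; the type is the third field
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   cls = substr($i, 8)
      }
      if (src == "" || tgt == "" || cls == "") next
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) if (p[j] != "") print src, tgt, cls, p[j]
    }' |
  sort -u |
  awk '
    {
      key = $1 " " $2 ":" $3
      if (key != prev && prev != "") { print "allow " prev " {" perms " };"; perms = "" }
      perms = perms " " $4
      prev = key
    }
    END { if (prev != "") print "allow " prev " {" perms " };" }'
}

# Constructed sample: the ps -efZ line captured by the automated TC above.
PS_SAMPLE='system_u:system_r:initrc_t:s0   root 22523     1  0 02:48 ?        00:00:00 /usr/sbin/ldap-agent /etc/dirsrv/config/ldap-agent.conf'

# process_domain_of PATTERN: read ps -efZ output on stdin and print the
# SELinux type of the first process whose line matches PATTERN, skipping
# the grep that produced the listing (as the TC does with grep -v " grep ").
# Prints nothing when no process matches.
process_domain_of() {
  awk -v pat="$1" '
    $0 ~ pat && $0 !~ / grep / { split($1, c, ":"); print c[3]; exit }'
}

# check_domain EXPECTED_TYPE PATTERN: exit 0 if the matching process runs in
# EXPECTED_TYPE, 1 otherwise; mirrors the PASS/FAIL pair in the TC log.
check_domain() {
  expected=$1; pattern=$2
  actual=$(process_domain_of "$pattern")
  if [ "$actual" = "$expected" ]; then
    printf 'PASS: %s runs as %s\n' "$pattern" "$actual"
    return 0
  fi
  printf 'FAIL: %s runs as %s, expected %s\n' "$pattern" "${actual:-<not running>}" "$expected"
  return 1
}

# Demo on the constructed data. On a live host the same functions take
#   ausearch -m AVC | avc_to_allow
#   ps -efZ | check_domain dirsrv_snmp_t ldap-agent
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$PS_SAMPLE" | check_domain dirsrv_snmp_t ldap-agent || true
```

On the sample data the first function prints `allow dirsrv_snmp_t user_devpts_t:chr_file { append getattr read write };` and the second reports a FAIL because the process runs as initrc_t. Treat the generated rule as something to review, not load: the terminal denials only surface once dontaudit rules are disabled, and the QA comment locates the actual defect in the file context of /usr/sbin/ldap-agent (initrc_exec_t rather than the label that leads to dirsrv_snmp_t), which no allow rule on user_devpts_t would correct.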
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763