Bug 1444955 - SELinux prevents sssd/selinux_child from using net_admin capability
Summary: SELinux prevents sssd/selinux_child from using net_admin capability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-24 15:31 UTC by Orion Poplawski
Modified: 2017-08-01 15:24 UTC (History)

Fixed In Version: selinux-policy-3.13.1-148.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Orion Poplawski 2017-04-24 15:31:53 UTC
Description of problem:

I get lots of these during authentication events:

avc:  denied  { net_admin } for  pid=27174 comm="selinux_child" capability=12  scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.16.noarch
sssd-1.14.0-43.el7_3.14.x86_64

Comment 2 Lukas Vrabec 2017-04-25 20:57:05 UTC
Issue will be fixed in next Minor release.

Comment 3 Milos Malik 2017-04-26 06:45:32 UTC
Please do not close bugs as NEXTRELEASE if QE hasn't tested them yet.

# rpm -qa selinux-policy\*
selinux-policy-doc-3.13.1-144.el7.noarch
selinux-policy-mls-3.13.1-144.el7.noarch
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-devel-3.13.1-144.el7.noarch
selinux-policy-minimum-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
# sesearch -s sssd_selinux_manager_t -t sssd_selinux_manager_t -c capability -A -C -p net_admin

# sesearch -s sssd_selinux_manager_t -t sssd_selinux_manager_t -c capability -D -C -p net_admin

#

Comment 4 Lukas Slebodnik 2017-04-26 11:57:30 UTC
I cannot see anything in the code why selinux_child would require the capability net_admin. It is mostly a wrapper around libsemanage.

Could you also provide the syscall which triggered this AVC?
I think the ideal would be to provide the output.

It would also be good to see selinux_child.log with a high debug_level (10) in the related ipa domain section.

Comment 5 Orion Poplawski 2017-04-26 15:15:52 UTC
I think this is the syscall:

type=SYSCALL msg=audit(1493219351.703:228): arch=c000003e syscall=54 success=no exit=-1 a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935 pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)

Combined journal output which might help with timing:

Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux user for orion: unconfined_u
Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux range for orion: s0-s0:c0.c1023
Apr 26 08:44:17 barry.cora.nwra.com setroubleshoot[18714]: SELinux is preventing /usr/libexec/sssd/selinux_child from using the net_admin capability. For complete SELinux messages. run sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Using [ipa] provider for [selinux]
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base has no value
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_refresh has value 5
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base set to cn=selinux,dc=nwra,dc=com
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Search base added: [IPA_SELINUX][cn=selinux,dc=nwra,dc=com][SUBTREE][]
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_object_class has value ipaselinuxusermap
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_name has value cn
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_member_user has value memberUser
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_member_host has value memberHost
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_see_also has value seeAlso
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_enabled has value ipaEnabledFlag
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_user_category has value userCategory
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_host_category has value hostCategory
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_uuid has value ipaUniqueID
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base has value cn=selinux,dc=nwra,dc=com
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_refresh has value 5
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base has value cn=selinux,dc=nwra,dc=com
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_refresh has value 5
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Initializing target [selinux] with module [ipa]
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Executing target [selinux] constructor
Apr 26 09:09:11 barry.cora.nwra.com sssd_be[26935]: Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=nwra,dc=com]
Apr 26 09:09:11 barry.cora.nwra.com sssd_be[26935]: calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=nwra,dc=com].
Apr 26 09:09:11 barry.cora.nwra.com sssd_be[26935]: Trying to delete [cn=selinux,cn=nwra.com,cn=sysdb].
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: selinux_child started.
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: Running with effective IDs: [0][0].
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: Running with real IDs [0][0].
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: context initialized
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: seuser length: 12
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: seuser: unconfined_u
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: mls_range length: 14
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: mls_range: s0-s0:c0.c1023
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: username length: 5
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: username: orion
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: performing selinux operations
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: SELinux user for orion: unconfined_u
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: SELinux range for orion: s0-s0:c0.c1023
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: result [0]
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: r->size: 4
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: selinux_child completed successfully
Apr 26 09:09:13 barry.cora.nwra.com setroubleshoot[27560]: SELinux is preventing /usr/libexec/sssd/selinux_child from using the net_admin capability. For complete SELinux messages. run sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b


/var/log/sssd/selinux_child.log:
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): selinux_child started.
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x2000): Running with real IDs [0][0].
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): context initialized
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): seuser length: 12
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): mls_range length: 14
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): username length: 5
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): username: orion
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): performing selinux operations
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [get_seuser] (0x0040): SELinux user for orion: unconfined_u
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [get_seuser] (0x0040): SELinux range for orion: s0-s0:c0.c1023
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [pack_buffer] (0x0400): result [0]
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [prepare_response] (0x4000): r->size: 4
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): selinux_child completed successfully

Perhaps just an inherited permission from the spawning process?

Comment 6 Lukas Slebodnik 2017-04-26 15:44:23 UTC
(In reply to Orion Poplawski from comment #5)
> I think this is the syscall:
> 
> type=SYSCALL msg=audit(1493219351.703:228): arch=c000003e syscall=54
> success=no exit=-1 a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935
> pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="selinux_child"
> exe="/usr/libexec/sssd/selinux_child"
> subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
>
syscall 54 should be:
sh$ ausyscall 54
setsockopt

> Combined journal output which might help with timing:
> 
> Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux user for
> orion: unconfined_u
> Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux range for
> orion: s0-s0:c0.c1023
> Apr 26 08:44:17 barry.cora.nwra.com setroubleshoot[18714]: SELinux is
> preventing /usr/libexec/sssd/selinux_child from using the net_admin
> capability. For complete SELinux messages. run sealert -l
> 5669ed4a-6a18-4322-a780-166573e2e94b

The following command should confirm it:
sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b

sssd does not call setsockopt. I checked all dynamic libraries which are loaded by selinux_child and only libsystemd uses this syscall.

My assumption is that sssd is configured to log into journald or some messages from stdout/stderr were logged into journald.

Lukas,
Do you remember any AVCs caused by `setsockopt` and libsystemd (journald...)?
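
The triage done in this comment (pair the SYSCALL record with the AVC through the shared audit serial, resolve syscall 54 with ausyscall, then ask which loaded library makes that call) can be scripted. The Python below is an added example written for this page; it is not code from the bug report, from SSSD or from selinux-policy. The syscall and socket-option tables it embeds are a hand-picked subset of standard Linux x86_64 constants, and its input is the AVC/SYSCALL pair quoted in comment 8. It goes one step beyond the comment: the a0..a3 arguments are printed in hex, so a1=1 is SOL_SOCKET and a2=20 is option 32, SO_SNDBUFFORCE, which the kernel gates on CAP_NET_ADMIN, which is exactly the net_admin denial in the AVC.

```python
import re

# Constructed sample input: the two audit records for this bug's event, copied
# from comment 8 in raw form. Both carry the same msg=audit(<ts>:<serial>)
# stamp; that serial is what ties an AVC to the syscall that triggered it.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1493219351.703:228): avc:  denied  { net_admin } for  pid=27558 comm="selinux_child" capability=12  scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=capability
type=SYSCALL msg=audit(1493219351.703:228): arch=c000003e syscall=54 success=no exit=-1 a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935 pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
"""

# Hand-picked subset of the x86_64 syscall table (what `ausyscall <n>` resolves).
# arch=c000003e is AUDIT_ARCH_X86_64; other arches have different numbering.
AUDIT_ARCH_X86_64 = 0xC000003E
X86_64_SYSCALLS = {41: "socket", 44: "sendto", 46: "sendmsg", 54: "setsockopt"}

SOL_SOCKET = 1
# SOL_SOCKET option numbers from the kernel's asm-generic/socket.h. The *FORCE
# variants let a caller exceed net.core.{w,r}mem_max and are gated on
# CAP_NET_ADMIN in the kernel; the plain SO_SNDBUF/SO_RCVBUF are not.
SOL_SOCKET_OPTS = {7: "SO_SNDBUF", 8: "SO_RCVBUF", 32: "SO_SNDBUFFORCE", 33: "SO_RCVBUFFORCE"}
CAP_NET_ADMIN_OPTS = {"SO_SNDBUFFORCE", "SO_RCVBUFFORCE"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
AVC_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields.

    Adds _serial (the event serial) and, for AVC records, _decision/_perms.
    """
    stamp = STAMP_RE.search(line)
    if stamp is None:
        raise ValueError("not an audit record: %r" % line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["_serial"] = int(stamp.group(2))
    avc = AVC_PERMS_RE.search(line)
    if avc:
        rec["_decision"] = avc.group(1)
        rec["_perms"] = avc.group(2).split()
    return rec


def group_events(text):
    """Group records by event serial so the AVC and its SYSCALL sit together."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["_serial"], []).append(rec)
    return events


def decode_setsockopt(args):
    """Name the level/option of a setsockopt(fd, level, optname, ...) call."""
    fd, level, optname = args[0], args[1], args[2]
    if level == SOL_SOCKET:
        level_name = "SOL_SOCKET"
        name = SOL_SOCKET_OPTS.get(optname, "SOL_SOCKET option %d" % optname)
    else:
        level_name = "level %d" % level
        name = "option %d" % optname
    return {"fd": fd, "level": level_name, "optname": name,
            "needs_cap_net_admin": name in CAP_NET_ADMIN_OPTS}


def explain_event(records):
    """Summarise one event: what was denied and which syscall/arguments caused it."""
    avc = next((r for r in records if r.get("type") == "AVC"), None)
    sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    out = {}
    if avc is not None:
        out.update(decision=avc.get("_decision"), perms=avc.get("_perms", []),
                   tclass=avc.get("tclass"), scontext=avc.get("scontext"),
                   comm=avc.get("comm"))
    if sc is not None:
        if int(sc["arch"], 16) != AUDIT_ARCH_X86_64:
            out["syscall"] = "syscall %s (non-x86_64 arch, no table loaded)" % sc["syscall"]
            return out
        num = int(sc["syscall"])
        out["syscall"] = X86_64_SYSCALLS.get(num, "syscall %d" % num)
        out["exe"] = sc.get("exe")
        # a0..a3 are hex without a 0x prefix, so a2=20 is decimal 32.
        out["args"] = [int(sc["a%d" % i], 16) for i in range(4)]
        if out["syscall"] == "setsockopt":
            out["sockopt"] = decode_setsockopt(out["args"])
    return out


def explain_all(text):
    """Map every event serial in an ausearch --raw dump to its explanation."""
    return {serial: explain_event(recs) for serial, recs in group_events(text).items()}


if __name__ == "__main__":
    for serial, info in sorted(explain_all(SAMPLE_AUDIT).items()):
        print("event %d: %s" % (serial, info))
```

Feed it `ausearch -m AVC,SYSCALL --raw` output instead of the sample and every denial comes back with its syscall name and, for setsockopt, the named option. SO_SNDBUFFORCE is the call libsystemd's journal client makes when it raises the send buffer on its socket, falling back to plain SO_SNDBUF when it fails, so nothing breaks when the capability is refused; a denial the caller recovers from silently is the usual dontaudit candidate, which is the resolution comment 10 proposes.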

Comment 7 Orion Poplawski 2017-04-26 15:46:39 UTC
Yeah, I was making use of:

/etc/systemd/system/sssd.service.d/journal.conf:
[Service]
# Uncomment *both* of the following lines to enable debug logging
# to go to journald instead of /var/log/sssd. You will need to
# run 'systemctl daemon-reload' and then restart the SSSD service
# for this to take effect
ExecStart=
ExecStart=/usr/sbin/sssd -D

to have sssd log to the journal.

Comment 8 Orion Poplawski 2017-04-26 15:47:10 UTC
# sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b
SELinux is preventing /usr/libexec/sssd/selinux_child from using the net_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that selinux_child should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'selinux_child' --raw | audit2allow -M my-selinuxchild
# semodule -i my-selinuxchild.pp


Additional Information:
Source Context                system_u:system_r:sssd_selinux_manager_t:s0
Target Context                system_u:system_r:sssd_selinux_manager_t:s0
Target Objects                Unknown [ capability ]
Source                        selinux_child
Source Path                   /usr/libexec/sssd/selinux_child
Port                          <Unknown>
Host                          barry.cora.nwra.com
Source RPM Packages           sssd-ipa-1.14.0-43.el7_3.14.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     barry.cora.nwra.com
Platform                      Linux barry.cora.nwra.com
                              3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12
                              07:10:20 CDT 2017 x86_64 x86_64
Alert Count                   12
First Seen                    2017-04-21 08:40:19 MDT
Last Seen                     2017-04-26 09:09:11 MDT
Local ID                      5669ed4a-6a18-4322-a780-166573e2e94b

Raw Audit Messages
type=AVC msg=audit(1493219351.703:228): avc:  denied  { net_admin } for  pid=27558 comm="selinux_child" capability=12  scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=capability


type=SYSCALL msg=audit(1493219351.703:228): arch=x86_64 syscall=setsockopt success=no exit=EPERM a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935 pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=selinux_child exe=/usr/libexec/sssd/selinux_child subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)

Hash: selinux_child,sssd_selinux_manager_t,sssd_selinux_manager_t,capability,net_admin

Comment 9 Lukas Slebodnik 2017-04-26 16:12:38 UTC
Orion,

Thank you very much for the confirmation. I hope Lukas remembers a similar bug.

Comment 10 Lukas Vrabec 2017-04-28 18:30:13 UTC
Okay, 

I think we should dontaudit it. 

Thanks,
Lukas.

Comment 14 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

