Bug 1444955 - SELinux prevents sssd/selinux_child from using net_admin capability
Summary: SELinux prevents sssd/selinux_child from using net_admin capability
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-04-24 15:31 UTC by Orion Poplawski
Modified: 2017-08-01 15:24 UTC
CC: 8 users

Fixed In Version: selinux-policy-3.13.1-148.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:24:23 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2017:1861 (Private: 0, Priority: normal, Status: SHIPPED_LIVE): selinux-policy bug fix update, last updated 2017-08-01 17:50:24 UTC

Description Orion Poplawski 2017-04-24 15:31:53 UTC
Description of problem:

I get lots of these during authentication events:

avc:  denied  { net_admin } for  pid=27174 comm="selinux_child" capability=12  scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.16.noarch
sssd-1.14.0-43.el7_3.14.x86_64

Comment 2 Lukas Vrabec 2017-04-25 20:57:05 UTC
Issue will be fixed in next Minor release.

Comment 3 Milos Malik 2017-04-26 06:45:32 UTC
Please do not close bugs as NEXTRELEASE if QE hasn't tested them yet.

# rpm -qa selinux-policy\*
selinux-policy-doc-3.13.1-144.el7.noarch
selinux-policy-mls-3.13.1-144.el7.noarch
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-devel-3.13.1-144.el7.noarch
selinux-policy-minimum-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
# sesearch -s sssd_selinux_manager_t -t sssd_selinux_manager_t -c capability -A -C -p net_admin

# sesearch -s sssd_selinux_manager_t -t sssd_selinux_manager_t -c capability -D -C -p net_admin

#

Comment 4 Lukas Slebodnik 2017-04-26 11:57:30 UTC
I cannot see anything in the code why selinux_child would require the capability net_admin. It is mostly a wrapper around libsemanage.

Could you provide also syscall which triggered this AVC?
I think ideal would be to provide the output. 

It would also be good to see selinux_child.log with a high debug_level (10) in the related ipa domain section.

Comment 5 Orion Poplawski 2017-04-26 15:15:52 UTC
I think this is the syscall:

type=SYSCALL msg=audit(1493219351.703:228): arch=c000003e syscall=54 success=no exit=-1 a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935 pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)

Combined journal output which might help with timing:

Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux user for orion: unconfined_u
Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux range for orion: s0-s0:c0.c1023
Apr 26 08:44:17 barry.cora.nwra.com setroubleshoot[18714]: SELinux is preventing /usr/libexec/sssd/selinux_child from using the net_admin capability. For complete SELinux messages. run sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Using [ipa] provider for [selinux]
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base has no value
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_refresh has value 5
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base set to cn=selinux,dc=nwra,dc=com
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Search base added: [IPA_SELINUX][cn=selinux,dc=nwra,dc=com][SUBTREE][]
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_object_class has value ipaselinuxusermap
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_name has value cn
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_member_user has value memberUser
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_member_host has value memberHost
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_see_also has value seeAlso
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_selinux_user has value ipaSELinuxUser
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_enabled has value ipaEnabledFlag
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_user_category has value userCategory
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_host_category has value hostCategory
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_usermap_uuid has value ipaUniqueID
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base has value cn=selinux,dc=nwra,dc=com
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_refresh has value 5
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_search_base has value cn=selinux,dc=nwra,dc=com
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Option ipa_selinux_refresh has value 5
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Initializing target [selinux] with module [ipa]
Apr 26 09:05:02 barry.cora.nwra.com sssd_be[26935]: Executing target [selinux] constructor
Apr 26 09:09:11 barry.cora.nwra.com sssd_be[26935]: Trying to fetch SELinux maps with following parameters: [2][(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=nwra,dc=com]
Apr 26 09:09:11 barry.cora.nwra.com sssd_be[26935]: calling ldap_search_ext with [(&(objectclass=ipaselinuxusermap)(ipaEnabledFlag=TRUE))][cn=selinux,dc=nwra,dc=com].
Apr 26 09:09:11 barry.cora.nwra.com sssd_be[26935]: Trying to delete [cn=selinux,cn=nwra.com,cn=sysdb].
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: selinux_child started.
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: Running with effective IDs: [0][0].
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: Running with real IDs [0][0].
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: context initialized
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: seuser length: 12
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: seuser: unconfined_u
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: mls_range length: 14
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: mls_range: s0-s0:c0.c1023
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: username length: 5
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: username: orion
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: performing selinux operations
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: SELinux user for orion: unconfined_u
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: SELinux range for orion: s0-s0:c0.c1023
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: result [0]
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: r->size: 4
Apr 26 09:09:11 barry.cora.nwra.com selinux_child[27558]: selinux_child completed successfully
Apr 26 09:09:13 barry.cora.nwra.com setroubleshoot[27560]: SELinux is preventing /usr/libexec/sssd/selinux_child from using the net_admin capability. For complete SELinux messages. run sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b


/var/log/sssd/selinux_child.log:
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): selinux_child started.
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x2000): Running with real IDs [0][0].
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): context initialized
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): seuser length: 12
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): seuser: unconfined_u
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): mls_range length: 14
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): mls_range: s0-s0:c0.c1023
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): username length: 5
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [unpack_buffer] (0x2000): username: orion
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): performing selinux operations
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [get_seuser] (0x0040): SELinux user for orion: unconfined_u
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [get_seuser] (0x0040): SELinux range for orion: s0-s0:c0.c1023
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [seuser_needs_update] (0x2000): get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [pack_buffer] (0x0400): result [0]
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [prepare_response] (0x4000): r->size: 4
(Wed Apr 26 09:14:24 2017) [[sssd[selinux_child[28597]]]] [main] (0x0400): selinux_child completed successfully

Perhaps just an inherited permission from the spawning process?

Comment 6 Lukas Slebodnik 2017-04-26 15:44:23 UTC
(In reply to Orion Poplawski from comment #5)
> I think this is the syscall:
> 
> type=SYSCALL msg=audit(1493219351.703:228): arch=c000003e syscall=54
> success=no exit=-1 a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935
> pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="selinux_child"
> exe="/usr/libexec/sssd/selinux_child"
> subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
>
syscall 54 should be:
sh$ ausyscall 54
setsockopt

> Combined journal output which might help with timing:
> 
> Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux user for
> orion: unconfined_u
> Apr 26 08:44:15 barry.cora.nwra.com selinux_child[18712]: SELinux range for
> orion: s0-s0:c0.c1023
> Apr 26 08:44:17 barry.cora.nwra.com setroubleshoot[18714]: SELinux is
> preventing /usr/libexec/sssd/selinux_child from using the net_admin
> capability. For complete SELinux messages. run sealert -l
> 5669ed4a-6a18-4322-a780-166573e2e94b

The following command should confirm it:
sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b

sssd does not call setsockopt. I checked all dynamic libraries which are loaded by selinux_child and only libsystemd uses this syscall.

My assumption is that sssd is configured to log into journald or some messages from stdout/stderr were logged into journald.

Lukas,
Do you remember some AVCs caused by `setsockopt` and libsystemd (journald...) ?

Comment 7 Orion Poplawski 2017-04-26 15:46:39 UTC
yeah, I was making use of:

/etc/systemd/system/sssd.service.d/journal.conf:
[Service]
# Uncomment *both* of the following lines to enable debug logging
# to go to journald instead of /var/log/sssd. You will need to
# run 'systemctl daemon-reload' and then restart the SSSD service
# for this to take effect
ExecStart=
ExecStart=/usr/sbin/sssd -D

to have sssd log to the journal.

Comment 8 Orion Poplawski 2017-04-26 15:47:10 UTC
# sealert -l 5669ed4a-6a18-4322-a780-166573e2e94b
SELinux is preventing /usr/libexec/sssd/selinux_child from using the net_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that selinux_child should have the net_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'selinux_child' --raw | audit2allow -M my-selinuxchild
# semodule -i my-selinuxchild.pp


Additional Information:
Source Context                system_u:system_r:sssd_selinux_manager_t:s0
Target Context                system_u:system_r:sssd_selinux_manager_t:s0
Target Objects                Unknown [ capability ]
Source                        selinux_child
Source Path                   /usr/libexec/sssd/selinux_child
Port                          <Unknown>
Host                          barry.cora.nwra.com
Source RPM Packages           sssd-ipa-1.14.0-43.el7_3.14.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     barry.cora.nwra.com
Platform                      Linux barry.cora.nwra.com
                              3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12
                              07:10:20 CDT 2017 x86_64 x86_64
Alert Count                   12
First Seen                    2017-04-21 08:40:19 MDT
Last Seen                     2017-04-26 09:09:11 MDT
Local ID                      5669ed4a-6a18-4322-a780-166573e2e94b

Raw Audit Messages
type=AVC msg=audit(1493219351.703:228): avc:  denied  { net_admin } for  pid=27558 comm="selinux_child" capability=12  scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=capability


type=SYSCALL msg=audit(1493219351.703:228): arch=x86_64 syscall=setsockopt success=no exit=EPERM a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935 pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=selinux_child exe=/usr/libexec/sssd/selinux_child subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)

Hash: selinux_child,sssd_selinux_manager_t,sssd_selinux_manager_t,capability,net_admin

Comment 9 Lukas Slebodnik 2017-04-26 16:12:38 UTC
Orion,

thank you very much for the confirmation. I hope Lukas remembers a similar bug.

Comment 10 Lukas Vrabec 2017-04-28 18:30:13 UTC
Okay, 

I think we should dontaudit it. 

Thanks,
Lukas.
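An added worked example (not code from the bug report, sssd or selinux-policy) that ties comment 6, comment 8 and comment 10 together. It parses the AVC and SYSCALL records that sealert printed in comment 8 (embedded below as constructed input), decodes capability 12 and syscall 54 from the kernel's uapi tables, and then decodes the setsockopt arguments: a1=1 is SOL_SOCKET and a2=20 (audit prints a0..a3 in hex) is SO_SNDBUFFORCE, which net/core/sock.c gates on CAP_NET_ADMIN. That matches comment 6's observation that only libsystemd calls setsockopt: its journal client enlarges the journal socket's send buffer with SO_SNDBUFFORCE and falls back to SO_SNDBUF when that fails, so the denial is harmless and selinux_child still completes successfully, as the log in comment 5 shows. Finally it renders both candidate rules: the allow rule that the audit2allow recipe in comment 8 would produce, and the dontaudit rule chosen in comment 10, which silences the AVC without granting a capability selinux_child does not need. The module name is hypothetical; the capability, syscall, arch and socket-option tables are subsets of the Linux headers.

```python
"""Decode the AVC/SYSCALL pair from comment 8 and render the matching TE rule.

Added example, not code from the bug report, sssd or selinux-policy.
"""
import re
from collections import defaultdict

# Constructed input: the two raw records sealert printed in comment 8.
RAW_AUDIT = """\
type=AVC msg=audit(1493219351.703:228): avc:  denied  { net_admin } for  pid=27558 comm="selinux_child" capability=12  scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=capability
type=SYSCALL msg=audit(1493219351.703:228): arch=c000003e syscall=54 success=no exit=-1 a0=3 a1=1 a2=20 a3=7ffef9637c08 items=0 ppid=26935 pid=27558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)
"""

# Subsets of <linux/capability.h>, <linux/audit.h>, the x86_64 syscall table
# and <asm-generic/socket.h>.
CAPABILITIES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin",
}
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}
SYSCALLS_X86_64 = {41: "socket", 44: "sendto", 46: "sendmsg",
                   54: "setsockopt", 55: "getsockopt"}
SOL_SOCKET = 1
SO_OPTNAMES = {7: "SO_SNDBUF", 8: "SO_RCVBUF",
               32: "SO_SNDBUFFORCE", 33: "SO_RCVBUFFORCE"}
# Socket options the kernel gates on CAP_NET_ADMIN (net/core/sock.c).
SO_NEEDS_NET_ADMIN = {32, 33}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Split one raw audit line into a dict of its key=value fields."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = SERIAL_RE.search(line).group(1)
    perms = PERMS_RE.search(line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return fields


def group_events(raw):
    """Pair AVC and SYSCALL records that share one audit serial number."""
    events = defaultdict(dict)
    for line in raw.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def decode_denial(avc, syscall):
    """Explain a capability AVC in terms of the syscall that triggered it."""
    cap_num = int(avc["capability"])
    arch = ARCHES.get(int(syscall["arch"], 16), "unknown")
    nr = int(syscall["syscall"])
    # audit prints a0..a3 as hex without a 0x prefix
    args = [int(syscall[f"a{i}"], 16) for i in range(4)]
    info = {
        "source_type": avc["scontext"].split(":")[2],
        "perm": avc["perms"][0],
        "capability": CAPABILITIES.get(cap_num, f"cap_{cap_num}"),
        "arch": arch,
        "syscall": SYSCALLS_X86_64.get(nr, str(nr)) if arch == "x86_64" else str(nr),
        "comm": syscall["comm"],
        "denied": syscall["success"] == "no",
    }
    if info["syscall"] == "setsockopt" and args[1] == SOL_SOCKET:
        info["sockopt"] = SO_OPTNAMES.get(args[2], f"optname_{args[2]}")
        info["sockopt_needs_net_admin"] = args[2] in SO_NEEDS_NET_ADMIN
    return info


def te_rule(avc, kind="dontaudit"):
    """Render an allow or dontaudit rule for the AVC (audit2allow emits allow)."""
    source = avc["scontext"].split(":")[2]
    target = avc["tcontext"].split(":")[2]
    target = "self" if target == source else target
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {source} {target}:{avc['tclass']} {perm_str};"


def te_module(avc, name="local_sssd_selinux_child", kind="dontaudit"):
    """Render a complete local policy module (the module name is hypothetical)."""
    source = avc["scontext"].split(":")[2]
    target = avc["tcontext"].split(":")[2]
    types = [source] + ([target] if target != source else [])
    req = "".join(f"\ttype {t};\n" for t in types)
    req += f"\tclass {avc['tclass']} {{ {' '.join(avc['perms'])} }};\n"
    return f"module {name} 1.0;\n\nrequire {{\n{req}}}\n\n{te_rule(avc, kind)}\n"


if __name__ == "__main__":
    for serial, ev in group_events(RAW_AUDIT).items():
        print(f"event {serial}: {decode_denial(ev['AVC'], ev['SYSCALL'])}")
        print("audit2allow would emit:", te_rule(ev["AVC"], "allow"))
        print(te_module(ev["AVC"]))
```

To use the rendered module as a stopgap before the fixed policy is installed, write it to local_sssd_selinux_child.te and run checkmodule -M -m -o local_sssd_selinux_child.mod local_sssd_selinux_child.te, semodule_package -o local_sssd_selinux_child.pp -m local_sssd_selinux_child.mod and semodule -i local_sssd_selinux_child.pp; the sesearch -D invocation from comment 3 should then list the dontaudit rule. Prefer the allow form only when the process genuinely needs the capability; here it does not, and once selinux-policy-3.13.1-148.el7 is installed the local module can be dropped with semodule -r local_sssd_selinux_child.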

Comment 14 errata-xmlrpc 2017-08-01 15:24:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

