Bug 1452560 - tomcat_t spacewalk_log_t SELinux denials on RHEL 7.4
Summary: tomcat_t spacewalk_log_t SELinux denials on RHEL 7.4
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space27
Reported: 2017-05-19 08:20 UTC by Ales Dujicek
Modified: 2017-09-27 19:34 UTC (History)
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-27 19:34:22 UTC
Embargoed:



Description Ales Dujicek 2017-05-19 08:20:05 UTC
Description of problem:

Spacewalk has some SELinux troubles on RHEL 7.4
see bz1451318; they already fixed most of it, except spacewalk_log_t (bz1451318#c3)

/var/log/audit/audit.log
type=AVC msg=audit(1495181220.108:381): avc:  denied  { search } for  pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:381): arch=c000003e syscall=2 success=no exit=-13 a0=7f99a0621390 a1=441 a2=1b6 a3=1c items=0 ppid=1 pid=19962 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1495181220.108:381): proctitle=2F7573722F6C69622F6A766D2F6A72652F62696E2F6A617661002D6561002D586D733235366D002D586D783235366D002D446A6176612E6177742E686561646C6573733D74727565002D446F72672E786D6C2E7361782E6472697665723D6F72672E6170616368652E7865726365732E706172736572732E5341585061727365
type=AVC msg=audit(1495181220.108:382): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:382): arch=c000003e syscall=4 success=no exit=-13 a0=7f99a063c300 a1=7f99c18d3ad0 a2=7f99c18d3ad0 a3=c items=0 ppid=1 pid=19962 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)


# audit2why -a
type=AVC msg=audit(1495181220.108:381): avc:  denied  { search } for  pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:382): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:383): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:384): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


# audit2allow -a

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };



Version-Release number of selected component (if applicable):
RHEL-7.4-20170518.n.0 Server
selinux-policy-3.13.1-150.el7.noarch
spacewalk-selinux-2.3.2-1.el7.noarch

Comment 1 Milos Malik 2017-06-16 09:07:59 UTC
BZ#1451318 mentions following rule:

allow tomcat_t spacewalk_data_t:dir search;

but spacewalk_data_t is not defined in selinux-policy either

# rpm -qa selinux-policy\*
selinux-policy-3.13.1-162.el7.noarch
selinux-policy-targeted-3.13.1-162.el7.noarch
selinux-policy-devel-3.13.1-162.el7.noarch
# seinfo -tspacewalk_log_t
ERROR: could not find datum for type spacewalk_log_t
# seinfo -tspacewalk_data_t
ERROR: could not find datum for type spacewalk_data_t
# 

Therefore the spacewalk-selinux package should bring the above-mentioned rule too.

Comment 2 Eric Herget 2017-07-26 19:48:02 UTC
The latest nightly packages now appear to define spacewalk_log_t and spacewalk_data_t.

# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
# seinfo -tspacewalk_log_t
   spacewalk_log_t
# seinfo -tspacewalk_data_t
   spacewalk_data_t
#

However audit2allow -a still reports:

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };

I'm not really familiar with defining SELinux policy rules.  I suspect this rule should get added to spacewalk.te at line 35, just below:

allow httpd_t spacewalk_install_log_t:file { append ioctl };
allow restorecon_t spacewalk_install_log_t:file { append };

But I'd like someone to confirm that before I make such a change.
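As an added example, not code from the bug report or from Spacewalk's own spacewalk-selinux package, the following Python script reproduces, on the AVC records quoted in the description, the grouping step audit2allow performs (one allow rule per source type, target type and object class), and then checks which denials a candidate spacewalk.te snippet would still leave uncovered, which is the question raised in Comment 2. The SYSCALL record is trimmed to a few fields, the file-class denial with serial 390 is constructed and not from the bug, and the rule matching is a plain set comparison that ignores type attributes, booleans and constraints a real policy may involve; sesearch and audit2why remain the authoritative check on a loaded policy.

```python
"""Reduce SELinux AVC denials to the allow rules they imply, then test a
candidate policy snippet against them.

Added example, not Spacewalk project code. It mimics audit2allow's aggregation
on audit records and does a simplified coverage check (no attributes, booleans
or constraints are considered).
"""
import re
from collections import defaultdict

# Constructed sample: AVC records 381-383 from the bug report, one trimmed
# SYSCALL record (skipped by the parser) and a made-up file-class denial
# (serial 390, not from the bug) to show grouping per source/target/class.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1495181220.108:381): avc:  denied  { search } for  pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:381): arch=c000003e syscall=2 success=no exit=-13 comm="java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1495181220.108:382): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=AVC msg=audit(1495181220.108:383): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=AVC msg=audit(1495181220.108:390): avc:  denied  { read } for  pid=19962 comm="java" name="example.log" dev="dm-0" ino=1650 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=file
"""

# Existing rules quoted in Comment 2 plus the one mentioned in Comment 1.
EXISTING_TE = """\
allow httpd_t spacewalk_install_log_t:file { append ioctl };
allow restorecon_t spacewalk_install_log_t:file { append };
allow tomcat_t spacewalk_data_t:dir search;
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Matches "allow A B:C { p1 p2 };" and "allow A B:C p;" lines of a .te file.
TE_RULE_RE = re.compile(
    r"^\s*allow\s+(?P<stype>\S+)\s+(?P<ttype>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^\s;]+))\s*;"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Extract denied AVC records; non-AVC and granted records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("decision") != "denied":
            continue
        denials.append({
            "serial": int(m.group("serial")),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return denials


def aggregate_rules(denials):
    """Merge permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return dict(rules)


def render_allow_rules(rules):
    """Render rules in audit2allow style, braces only for several perms."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out


def parse_te_rules(te_text):
    """Parse allow rules from a .te snippet into the same keyed structure."""
    rules = defaultdict(set)
    for line in te_text.splitlines():
        m = TE_RULE_RE.match(line)
        if not m:
            continue
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        rules[(m.group("stype"), m.group("ttype"), m.group("tclass"))].update(perms)
    return dict(rules)


def uncovered(denials, rules):
    """Serials of denials whose permissions the rules do not fully grant."""
    return [d["serial"] for d in denials
            if not d["perms"] <= rules.get((d["stype"], d["ttype"], d["tclass"]), set())]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(aggregate_rules(denials)):
        print(rule)
    print("still uncovered with existing rules:", uncovered(denials, parse_te_rules(EXISTING_TE)))
    candidate = EXISTING_TE + "allow tomcat_t spacewalk_log_t:dir { getattr search };\n"
    print("still uncovered with candidate rule:", uncovered(denials, parse_te_rules(candidate)))
```

Run against the sample, the script emits the same `allow tomcat_t spacewalk_log_t:dir { getattr search };` line that audit2allow printed in the report, reports that none of the denials are covered by the rules already in spacewalk.te, and shows that adding the candidate rule leaves only the constructed file-class denial open. The same functions can be pointed at a real /var/log/audit/audit.log and the checked-out spacewalk.te to review a proposed rule before building the module.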

Comment 3 Michael Mráka 2017-07-27 10:15:46 UTC
Fixed in spacewalk.git by
commit fad5b4efc950689191cb31053213807f9e24a8e9
    1452560 - allow tomcat to access spacewalk logs

Comment 4 Eric Herget 2017-09-27 19:34:22 UTC
Spacewalk 2.7 has been released.

https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes27

