Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1452560

Summary: tomcat_t spacewalk_log_t SELinux denials on RHEL 7.4
Product: [Community] Spacewalk Reporter: Ales Dujicek <adujicek>
Component: ServerAssignee: Michael Mráka <mmraka>
Status: CLOSED CURRENTRELEASE QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 2.6CC: chalal, eherget, mmalik, mmraka, pstudeni
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-09-27 19:34:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1484117    

Description Ales Dujicek 2017-05-19 08:20:05 UTC 
Description of problem:

Spacewalk has some SELinux troubles on RHEL 7.4
see bz1451318 they already fixed most of it, except spacewalk_log_t  bz1451318#c3

/var/log/audit/audit.log
type=AVC msg=audit(1495181220.108:381): avc:  denied  { search } for  pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:381): arch=c000003e syscall=2 success=no exit=-13 a0=7f99a0621390 a1=441 a2=1b6 a3=1c items=0 ppid=1 pid=19962 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=PROCTITLE msg=audit(1495181220.108:381): proctitle=2F7573722F6C69622F6A766D2F6A72652F62696E2F6A617661002D6561002D586D733235366D002D586D783235366D002D446A6176612E6177742E686561646C6573733D74727565002D446F72672E786D6C2E7361782E6472697665723D6F72672E6170616368652E7865726365732E706172736572732E5341585061727365
type=AVC msg=audit(1495181220.108:382): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1495181220.108:382): arch=c000003e syscall=4 success=no exit=-13 a0=7f99a063c300 a1=7f99c18d3ad0 a2=7f99c18d3ad0 a3=c items=0 ppid=1 pid=19962 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-8.b12.el7.x86_64/jre/bin/java" subj=system_u:system_r:tomcat_t:s0 key=(null)


# audit2why -a
type=AVC msg=audit(1495181220.108:381): avc:  denied  { search } for  pid=19962 comm="java" name="rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:382): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:383): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1495181220.108:384): avc:  denied  { getattr } for  pid=19962 comm="java" path="/var/log/rhn" dev="dm-0" ino=1640 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:spacewalk_log_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


# audit2allow -a

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };



Version-Release number of selected component (if applicable):
RHEL-7.4-20170518.n.0 Server
selinux-policy-3.13.1-150.el7.noarch
spacewalk-selinux-2.3.2-1.el7.noarch
Comment 1 Milos Malik 2017-06-16 09:07:59 UTC 
BZ#1451318 mentions following rule:

allow tomcat_t spacewalk_data_t:dir search;

but spacewalk_data_t is not defined in selinux-policy either

# rpm -qa selinux-policy\*
selinux-policy-3.13.1-162.el7.noarch
selinux-policy-targeted-3.13.1-162.el7.noarch
selinux-policy-devel-3.13.1-162.el7.noarch
# seinfo -tspacewalk_log_t
ERROR: could not find datum for type spacewalk_log_t
# seinfo -tspacewalk_data_t
ERROR: could not find datum for type spacewalk_data_t
# 

Therefore the spacewalk-selinux package should bring the above-mentioned rule too.
Comment 2 Eric Herget 2017-07-26 19:48:02 UTC 
The latest nightly packages now appear to define spacewalk_log_t and spacewalk_data_t.

# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
# seinfo -tspacewalk_log_t
   spacewalk_log_t
# seinfo -tspacewalk_data_t
   spacewalk_data_t
#

However audit2allow -a still reports:

#============= tomcat_t ==============
allow tomcat_t spacewalk_log_t:dir { getattr search };

I'm not real familiar with defining selinux policy rules.  I suspect this rule should get added to spacewalk.te at line 35, just below:

allow httpd_t spacewalk_install_log_t:file { append ioctl };
allow restorecon_t spacewalk_install_log_t:file { append };

But I'd like someone to confirm that before I make such a change.
Comment 3 Michael Mráka 2017-07-27 10:15:46 UTC 
Fixed in spacewalk.git by
commit fad5b4efc950689191cb31053213807f9e24a8e9
    1452560 - allow tomcat to access spacewalk logs
Comment 4 Eric Herget 2017-09-27 19:34:22 UTC 
Spacewalk 2.7 has been released.

https://github.com/spacewalkproject/spacewalk/wiki/ReleaseNotes27