Bug 1477542 – Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1477542 - Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t

Summary:	Regression: AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7.4
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-08-02 07:13 EDT by Robert Scheck
Modified:	2018-04-10 08:36 EDT (History)
CC List:	13 users (show)

See Also:
Fixed In Version:	selinux-policy-3.13.1-188.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-04-10 08:34:36 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	None	None	None	2018-04-10 08:36 EDT

Groups: None (edit)

Description Robert Scheck 2017-08-02 07:13:34 EDT

Description of problem:
Since updating to RHEL 7.4 which contains a keepalived update from 1.2.x
to 1.3.x, the following SELinux related message shows up:

type=AVC msg=audit(1501671861.845:45): avc:  denied  { search } for  pid=2154 comm="keepalived" name="net" dev="proc" ino=9992 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1501671861.845:45): arch=c000003e syscall=2 success=no exit=-13 a0=5623b7fa8330 a1=0 a2=5623b7fa834c a3=63 items=0 ppid=2152 pid=2154 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="keepalived" exe="/usr/sbin/keepalived" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=PROCTITLE msg=audit(1501671861.845:45): proctitle=2F7573722F7362696E2F6B656570616C69766564002D44

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
keepalived-1.3.5-1.el7.x86_64

How reproducible:
Everytime during boot when keepalived gets started.

Actual results:
AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t.

Expected results:
No AVC denied related to keepalived 1.3.x, /proc and sysctl_net_t, but I
am not sure if this should be allowed or not (currently not allowed).

Comment 2 Robert Scheck 2017-08-02 09:31:37 EDT

Cross-filed ticket 01903060 on the Red Hat customer portal.

Comment 3 Milos Malik 2017-08-17 11:39:21 EDT

I assume that the AVC in comment#0 talks about /proc/sys/net directory.

There is a lot of files and directories under /proc/sys/net, all of them are labeled sysctl_net_t except for:

# ls -Z /proc/sys/net/unix
-rw-r--r--. root root system_u:object_r:sysctl_net_unix_t:s0 max_dgram_qlen
#

Comment 4 Robert Scheck 2017-08-17 14:33:29 EDT

$ sealert -l f56525a2-36a4-48ef-a9d8-61adbc0f3e1d
[…]
Source Context                system_u:system_r:keepalived_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                net [ dir ]
Source                        keepalived
Source Path                   /usr/sbin/keepalived
[…]
Policy RPM                    selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
[…]

Raw Audit Messages
type=AVC msg=audit(1502994621.228:112561): avc:  denied  { search } for  pid=2198 comm="keepalived" name="net" dev="proc" ino=9716 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
[…]
$

$ find /proc/ -inum 9716
/proc/sys/net
$ 

So the issue seems to be that keepalived is not allowed to search in the
/proc/sys/net directory in general?

Comment 8 Milos Malik 2018-01-30 11:03:08 EST

comment#0 mentions that keepalived triggers SELinux denials which are related to /proc and sysctl_net_t. Here is the /proc related one:
----
type=PROCTITLE msg=audit(01/30/2018 10:55:44.274:633) : proctitle=/usr/sbin/keepalived -D --snmp 
type=SYSCALL msg=audit(01/30/2018 10:55:44.274:633) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x5566d189c854 a1=0x7ffc459bb9f0 a2=0x8000 a3=0x46 items=0 ppid=11234 pid=11236 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(01/30/2018 10:55:44.274:633) : avc:  denied  { getattr } for  pid=11236 comm=keepalived name=/ dev="proc" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem 
----

The AVC is reproducible even if the latest selinux-policy build is installed.

# rpm -qa selinux\* keepalived\* | sort
keepalived-1.3.5-5.el7.x86_64
selinux-policy-3.13.1-186.el7.noarch
selinux-policy-devel-3.13.1-186.el7.noarch
selinux-policy-targeted-3.13.1-186.el7.noarch
#

Comment 9 Milos Malik 2018-01-30 11:24:14 EST

Based on SELinux denials from comment#0 and comment#4, keepalived wants to search something under /proc/sys/net. Even if keepalived found the right file, it would not be able to read it, because the policy does not allow keepalived to read any files under /proc/sys/net. Therefore I believe that following rule should be also added to the policy:

allow keepalived_t sysctl_net_t : file { getattr open read } ;

Comment 14 Milos Malik 2018-02-06 09:07:42 EST

The same SELinux denial as mentioned in comment#8 appeared again:
----
type=PROCTITLE msg=audit(02/06/2018 09:04:22.470:361) : proctitle=/usr/sbin/keepalived -D --snmp 
type=SYSCALL msg=audit(02/06/2018 09:04:22.470:361) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x558e1d0c6854 a1=0x7fff30aec800 a2=0x8000 a3=0x46 items=0 ppid=20591 pid=20593 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null) 
type=AVC msg=audit(02/06/2018 09:04:22.470:361) : avc:  denied  { getattr } for  pid=20593 comm=keepalived name=/ dev="proc" ino=1 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 
----

# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-187.el7.noarch
selinux-policy-3.13.1-187.el7.noarch
selinux-policy-devel-3.13.1-187.el7.noarch
#

Comment 20 errata-xmlrpc 2018-04-10 08:34:36 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.