Bug 1479383 – stunnel >=5.41 needs additional rules.

Bug 1479383 - stunnel >=5.41 needs additional rules.

Summary:	stunnel >=5.41 needs additional rules.

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	7.3
Hardware:	All Linux

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2017-08-08 09:13 EDT by Frank Büttner
Modified:	2018-04-10 08:37 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	selinux-policy-3.13.1-174.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2018-04-10 08:36:40 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:0763	None	None	None	2018-04-10 08:37 EDT

Groups: None (edit)

Description Frank Büttner 2017-08-08 09:13:51 EDT

Description of problem:
Newer versions need additional selinux rules to work. 

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch


audit:
type=AVC msg=audit(1502196618.804:2350): avc:  denied  { sys_nice } for  pid=50312 comm="stunnel" capability=23  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability
type=AVC msg=audit(1502196618.804:2350): avc:  denied  { setsched } for  pid=50312 comm="stunnel" scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=process



Additional rule:
require {
        type stunnel_t;
        class capability { dac_override dac_read_search sys_nice };
        class process setsched;
}

#============= stunnel_t ==============
allow stunnel_t self:capability { dac_override dac_read_search sys_nice };
allow stunnel_t self:process setsched;

Comment 2 Milos Malik 2017-08-18 11:15:14 EDT

# rpm -qa selinux-policy\* stunnel\* | sort
selinux-policy-3.13.1-166.el7.noarch
selinux-policy-devel-3.13.1-166.el7.noarch
selinux-policy-targeted-3.13.1-166.el7.noarch
stunnel-5.41-3.el7.x86_64 (rebuilt from fc27.src.rpm)
#

Following SELinux denials appeared in enforcing mode:
----
type=PROCTITLE msg=audit(08/18/2017 11:12:21.183:282) : proctitle=/usr/bin/stunnel 
type=SYSCALL msg=audit(08/18/2017 11:12:21.183:282) : arch=x86_64 syscall=sched_setscheduler success=no exit=EACCES(Permission denied) a0=0x7245 a1=SCHED_BATCH a2=0x7f33d0aaadc0 a3=0x7f33d0aaaaa0 items=0 ppid=25205 pid=29252 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=stunnel exe=/usr/bin/stunnel subj=system_u:system_r:stunnel_t:s0 key=(null) 
type=AVC msg=audit(08/18/2017 11:12:21.183:282) : avc:  denied  { setsched } for  pid=29252 comm=stunnel scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=process 
type=AVC msg=audit(08/18/2017 11:12:21.183:282) : avc:  denied  { sys_nice } for  pid=29252 comm=stunnel capability=sys_nice  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability 
----

Comment 3 Milos Malik 2017-08-18 11:19:50 EDT

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(08/18/2017 11:17:19.554:293) : proctitle=/usr/bin/stunnel 
type=SYSCALL msg=audit(08/18/2017 11:17:19.554:293) : arch=x86_64 syscall=sched_setscheduler success=yes exit=0 a0=0x1053 a1=SCHED_BATCH a2=0x7f96d86a1dc0 a3=0x7f96d86a1aa0 items=0 ppid=663 pid=4178 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stunnel exe=/usr/bin/stunnel subj=system_u:system_r:stunnel_t:s0 key=(null) 
type=AVC msg=audit(08/18/2017 11:17:19.554:293) : avc:  denied  { setsched } for  pid=4178 comm=stunnel scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=process 
type=AVC msg=audit(08/18/2017 11:17:19.554:293) : avc:  denied  { sys_nice } for  pid=4178 comm=stunnel capability=sys_nice  scontext=system_u:system_r:stunnel_t:s0 tcontext=system_u:system_r:stunnel_t:s0 tclass=capability 
----

Comment 8 errata-xmlrpc 2018-04-10 08:36:40 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

Note You need to log in before you can comment on or make changes to this bug.