Bug 1516052 - SElinux denial of current tuned
Summary: SElinux denial of current tuned
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-21 22:39 UTC by R P Herrold
Modified: 2017-11-28 20:39 UTC
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 20:39:44 UTC
Target Upstream Version:
Embargoed:



Description R P Herrold 2017-11-21 22:39:43 UTC
[root@router sysconfig]# sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d
SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/tuned.conf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that grep should be allowed read access on the tuned.conf file by default.
Then you should report this as a bug.



Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:object_r:modules_conf_t:s0
Target Objects                /etc/modprobe.d/tuned.conf [ file ]
Source                        grep
Source Path                   /usr/bin/grep
Port                          <Unknown>
Host                          router.owlriver.net
Source RPM Packages           grep-2.20-3.el7.x86_64
Target RPM Packages           tuned-2.8.0-5.el7.noarch
Policy RPM                    selinux-policy-3.13.1-166.el7_4.5.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     router.owlriver.net
Platform                      Linux router.owlriver.net
                              3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20
                              20:32:50 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-21 17:30:58 EST
Last Seen                     2017-11-21 17:30:58 EST
Local ID                      8f8426fb-329d-4786-872c-69ef36e9020d

Raw Audit Messages
type=AVC msg=audit(1511303458.10:5581): avc:  denied  { read } for  pid=20931 comm="grep" name="tuned.conf" dev="dm-1" ino=202693174 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file


type=SYSCALL msg=audit(1511303458.10:5581): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7ffcdb11ff64 a2=0 a3=0 items=0 ppid=20920 pid=20931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=grep exe=/usr/bin/grep subj=system_u:system_r:iptables_t:s0 key=(null)

Hash: grep,iptables_t,modules_conf_t,file,read

[root@router sysconfig]# rpm -qf `locate tuned.conf`
qemu-kvm-common-1.5.3-141.el7_4.2.x86_64
tuned-2.8.0-5.el7.noarch

[root@router sysconfig]# rpm -qi tuned
Name        : tuned
Version     : 2.8.0
Release     : 5.el7
Architecture: noarch
Install Date: Wed 13 Sep 2017 01:19:52 PM EDT
Source RPM  : tuned-2.8.0-5.el7.src.rpm
Build Date  : Fri 04 Aug 2017 05:19:18 PM EDT
Build Host  : c1bm.rdu2.centos.org

looks like an EASYFIX by adding the rule

Comment 2 Ondřej Lysoněk 2017-11-23 09:30:55 UTC
I don't think this is related to Tuned. As far as I can see, Tuned doesn't use grep anywhere to check the contents of /etc/modprobe.d/tuned.conf. And even if it did, the scontext=system_u:system_r:iptables_t:s0 indicates grep was not run from Tuned. But to make sure your grep is not mislabeled, please post the output of the following:
ls -lZ /usr/bin/grep

Please tell us how you got this SELinux denial. How can we reproduce it? Thanks.

Comment 3 Mark Crossland 2017-11-23 14:03:51 UTC
I get exactly the same issue and have done for a while on versions 7.2, then 7.3 and now 7.4 of RHEL.

The Type of the relevant files is as follows:

# ls -lZ /etc/modprobe.d/tuned.conf
-rw-r--r--. root root system_u:object_r:modules_conf_t:s0 /etc/modprobe.d/tuned.conf

# ls -lZ /usr/bin/grep
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/grep


There doesn't seem to be any specific steps to reproduce this, I get it when I do the following:

1) Build a RHEL 7.4 box
2) Make sure that tuned is installed
3) Make sure SELinux policy is set to enforcing
4) Log in and await your SELinux error

Note that I've only had the chance to see this on client builds as these are the only ones I've been looking at for quite some time.

This is probably also not tuned, so it should probably be redirected to some other component.

Comment 4 Jaroslav Škarvada 2017-11-24 12:53:24 UTC
(In reply to Mark Crossland from comment #3)
> I get exactly the same issue and have done for a while on versions 7.2, then
> 7.3 and now 7.4 of RHEL.
> 
> The Type of the relevant files is as follows:
> 
> # ls -lZ /etc/modprobe.d/tuned.conf
> -rw-r--r--. root root system_u:object_r:modules_conf_t:s0
> /etc/modprobe.d/tuned.conf
> 
> # ls -lZ /usr/bin/grep
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/grep
> 

Both SELinux labels seem good. I think this is not a Tuned bug, but maybe a selinux-policy bug. From the SELinux policy I have found that there is at least (maybe there are more) the /usr/libexec/iptables/iptables.init script which has the iptables_exec_t context which transitions to iptables_t, and the iptables.init script contains the following lines:

210:	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
377:	&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then

I.e. it's probably running 'grep' with the iptables_t context over the files from the /etc/modprobe.d which have the modules_conf_t label. So I think it's OK and it should be allowed by the SELinux policy. So reassigning to the selinux-policy for further investigation.

Comment 5 R P Herrold 2017-11-24 17:43:35 UTC
comment permissions

[root@router ~]# ls -lZ /usr/bin/grep
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/grep
[root@router ~]#

Comment 6 R P Herrold 2017-11-24 17:48:53 UTC
As to reproducing the error, curiously the auditd logs are empty, but the message appeared in /var/log/messages when running

Nov 21 17:31:01 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/lockd.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d
Nov 21 17:31:01 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/lockd.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the lockd.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012
Nov 21 17:31:02 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/mlx4.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d
Nov 21 17:31:02 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/mlx4.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the mlx4.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012
Nov 21 17:31:02 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/truescale.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d
Nov 21 17:31:02 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/truescale.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the truescale.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012
Nov 21 17:31:02 router setroubleshoot: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/tuned.conf. For complete SELinux messages run: sealert -l 8f8426fb-329d-4786-872c-69ef36e9020d
Nov 21 17:31:02 router python: SELinux is preventing /usr/bin/grep from read access on the file /etc/modprobe.d/tuned.conf.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that grep should be allowed read access on the tuned.conf file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'grep' --raw | audit2allow -M my-grep#012# semodule -i my-grep.pp#012

possibly iptables, which is called asynchronously by fail2ban when a probe occurs

But I also see a few _systemd_ provoked messages

[root@router ~]# grep -i avc /var/log/audit/audit*
/var/log/audit/audit.log.1:type=USER_AVC msg=audit(1511189901.727:107483): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=8)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
/var/log/audit/audit.log.1:type=AVC msg=audit(1511303458.010:5578): avc:  denied  { read } for  pid=20931 comm="grep" name="lockd.conf" dev="dm-1" ino=203043361 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
/var/log/audit/audit.log.1:type=AVC msg=audit(1511303458.010:5579): avc:  denied  { read } for  pid=20931 comm="grep" name="mlx4.conf" dev="dm-1" ino=203219880 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
/var/log/audit/audit.log.1:type=AVC msg=audit(1511303458.010:5580): avc:  denied  { read } for  pid=20931 comm="grep" name="truescale.conf" dev="dm-1" ino=202693206 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
/var/log/audit/audit.log.1:type=AVC msg=audit(1511303458.010:5581): avc:  denied  { read } for  pid=20931 comm="grep" name="tuned.conf" dev="dm-1" ino=202693174 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
/var/log/audit/audit.log.2:type=USER_AVC msg=audit(1510680601.626:76782): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=7)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
/var/log/audit/audit.log.3:type=USER_AVC msg=audit(1510679401.506:76717): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

/var/log/audit/audit.log.4:type=USER_AVC msg=audit(1510679318.861:76697): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
[root@router ~]#
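The four AVC records above all come from one grep process (pid 20931) running in iptables_t and being refused read on modules_conf_t files, which is exactly what the reading of iptables.init in comment 4 predicts. The Python below is an added example, not part of the report or of any Red Hat tool: it parses those records (copied from comment 6 with grep's filename prefix removed), ignores the USER_AVC policy-reload notices, groups the denials by source type, target type and object class, and renders the one allow rule that audit2allow would derive from them. The field names are those of the kernel audit record; the grouping and rendering logic is the example's own.

```python
import re
from collections import defaultdict

# Audit records as they appear in comment 6 of this bug (grep's
# "/var/log/audit/audit.log.1:" prefix removed). The USER_AVC line is a
# policy-reload notice, not a denial, and must not produce a rule.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1511189901.727:107483): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=8)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1511303458.010:5578): avc:  denied  { read } for  pid=20931 comm="grep" name="lockd.conf" dev="dm-1" ino=203043361 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1511303458.010:5579): avc:  denied  { read } for  pid=20931 comm="grep" name="mlx4.conf" dev="dm-1" ino=203219880 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1511303458.010:5580): avc:  denied  { read } for  pid=20931 comm="grep" name="truescale.conf" dev="dm-1" ino=202693206 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1511303458.010:5581): avc:  denied  { read } for  pid=20931 comm="grep" name="tuned.conf" dev="dm-1" ino=202693174 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
"""

# Only "type=AVC" records carry a verdict; USER_AVC and SYSCALL do not match.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }


def context_type(ctx):
    """user:role:type:level -> type, the part a policy rule is written against."""
    return ctx.split(":")[2]


def group_denials(text):
    """Collapse denials into {(source_type, target_type, class): details}."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "names": set(), "pids": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"].update(rec["perms"])
        g["count"] += 1
        g["names"].add(rec["name"])
        g["pids"].add(rec["pid"])
    return dict(groups)


def te_rules(groups):
    """Render each group as the allow rule audit2allow would emit for it."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perms};")
    return rules


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AUDIT)
    for key, g in groups.items():
        print(key, g["count"], "denials on", sorted(g["names"]), "from pids", sorted(g["pids"]))
    print("\n".join(te_rules(groups)))
```

On the affected host the equivalent is `ausearch -m AVC -c grep --raw | audit2allow -M my-grep` followed by `semodule -i my-grep.pp`, as setroubleshoot suggested above. Note that such a local module grants iptables_t read on every modules_conf_t file, not just the four files seen here, and, per comments 7 and 12, the proper fix is the selinux-policy build that ships the rule; once that is installed the local module can be dropped with `semodule -r my-grep`.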

Comment 7 Milos Malik 2017-11-27 07:29:46 UTC
I believe this bug is a duplicate of BZ#1438937. The fact that you see the denials is caused by old (RHEL-7.4.z) policy version installed on your machines.

Comment 9 Mark Crossland 2017-11-27 08:52:33 UTC
(In reply to Milos Malik from comment #7)
> I believe this bug is a duplicate of BZ#1438937. The fact that you see the
> denials is caused by old (RHEL-7.4.z) policy version installed on your
> machines.

"You are not authorized to access bug #1438937.

Most likely the bug has been restricted for internal development processes and we cannot grant access."

Comment 10 Mark Crossland 2017-11-27 08:53:50 UTC
Are you able to let us know whether and when BZ#1438937 is going to be fixed?

Comment 11 R P Herrold 2017-11-27 17:59:35 UTC
Comment #7 
mmalik
I am unaware of any issued update later than what I run.  Where might I obtain this package?

Assumedly Comment #8
lvrabec

The bug is not visible with my rights, usually kept concealed because of PII of a customer -- seemingly not so here -- please add me to its CC list so I might view it

Comment 12 Milos Malik 2017-11-28 08:01:57 UTC
This bug will be fixed as soon as RHEL-7.5 goes out. The fix is present in selinux-policy >= 3.13.1-174.el7.
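Comment 7 attributes the denials to an older policy build and comment 12 gives the threshold, selinux-policy >= 3.13.1-174.el7. Deciding by eye whether an installed build is at or past that is error-prone, because rpm ordering is not string ordering (compare the reporter's 166.el7_4.5 with 174.el7, or a later 174.el7_5.1 with 174.el7). The Python below is an added example, not part of the bug, of rpm, or of any Red Hat tool: it reimplements rpm's rpmvercmp segment algorithm (separators ignored, numeric segments compared as integers and ranked above alphabetic ones, tilde sorting lowest), splits the N-V-R.A string that sealert prints on its "Policy RPM" line, and answers the question for the versions named in this thread. The list of architecture suffixes it strips is an assumption of the example.

```python
import re

# Build that carries the fix, as stated in comment 12 of this bug.
FIXED_POLICY = "selinux-policy-3.13.1-174.el7"

# Assumed set of arch suffixes to strip from an N-V-R.A string (example's own list).
ARCHES = ("noarch", "x86_64", "i686", "ppc64", "ppc64le", "s390x", "aarch64", "src")

_TOKEN_RE = re.compile(r"~|[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1 like strcmp.

    Separator characters are ignored; numeric segments compare as integers
    and are newer than alphabetic ones; '~' sorts before everything else,
    including the end of the string (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    ta, tb = _TOKEN_RE.findall(a), _TOKEN_RE.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None or y is None:
            break
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:          # a numeric segment is newer than an alphabetic one
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):    # more digits means a larger number
                return 1 if len(x) > len(y) else -1
        if x != y:                  # same length (or both alphabetic): plain strcmp
            return 1 if x > y else -1
        i += 1
    x_left, y_left = i < len(ta), i < len(tb)
    if not x_left and not y_left:
        return 0
    return 1 if x_left else -1      # whichever still has segments wins


def parse_evr(evr):
    """'[epoch:]version[-release]' -> (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    for x, y in ((ea, eb), (va, vb), (ra, rb)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def split_nvra(pkg):
    """'name-ver-rel[.arch]' -> (name, ver, rel, arch); arch is None when absent."""
    arch = None
    head, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg, arch = head, tail
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release, arch


def policy_has_fix(installed, fixed=FIXED_POLICY):
    """True when the installed selinux-policy build is at or past the fixed one."""
    n1, v1, r1, _ = split_nvra(installed)
    n2, v2, r2, _ = split_nvra(fixed)
    if n1 != n2:
        raise ValueError(f"package mismatch: {n1} vs {n2}")
    return compare_evr(f"{v1}-{r1}", f"{v2}-{r2}") >= 0


if __name__ == "__main__":
    # The reporter's policy from the sealert output in the description.
    for pkg in ("selinux-policy-3.13.1-166.el7_4.5.noarch",
                "selinux-policy-3.13.1-174.el7.noarch"):
        print(pkg, "has fix:", policy_has_fix(pkg))
```

`rpm -q selinux-policy` on a host prints the string to feed to `policy_has_fix`, and individual comparisons can be cross-checked against `rpmdev-vercmp` from rpmdevtools.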

Comment 13 Lukas Vrabec 2017-11-28 20:39:44 UTC
R P Herrold, 

Milos is right, the fix will be part of RHEL-7.5. Closing as NEXTRELEASE.

