Bug 1556798 - SELinux is preventing /usr/sbin/snapperd from mounton access
Summary: SELinux is preventing /usr/sbin/snapperd from mounton access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1539427 1558656
 
Reported: 2018-03-15 09:35 UTC by Jakub Krysl
Modified: 2018-10-30 10:03 UTC (History)

Fixed In Version: selinux-policy-3.13.1-192.el7.2
Doc Type: Bug Fix
Doc Text:
Previously, rules for the Snapper module were missing in the SELinux policy. As a consequence, the snapperd daemon was not able to create snapshots and it was not able to work properly in general. With this update, the missing rules have been added to the selinux-policy packages, and snapperd now works correctly with SELinux in enforcing mode.
Clone Of:
: 1558656 (view as bug list)
Environment:
Last Closed: 2018-10-30 10:03:08 UTC
Target Upstream Version:


Attachments (Terms of Use)
/var/log/snapper.log after enabling the debug (17.14 KB, text/plain)
2018-03-15 15:00 UTC, Milos Malik


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:03:47 UTC

Description Jakub Krysl 2018-03-15 09:35:55 UTC
Description of problem:
SELinux is blocking snapperd in the latest compose. This issue was not present with the previous one. With selinux-policy-3.13.1-191.el7.noarch it works, with selinux-policy-3.13.1-192.el7.noarch it hits this:

/var/log/messages on the last one:
Mar 15 10:28:44 storageqe-75 setroubleshoot: SELinux is preventing /usr/sbin/snapperd from mounton access on the directory /mnt/snapper_test/.snapshots/2/snapshot. For complete SELinux messages run: sealert -l 4e07cff7-cc64-4c7b-89ca-22eac59c9056
Mar 15 10:28:44 storageqe-75 python: SELinux is preventing /usr/sbin/snapperd from mounton access on the directory /mnt/snapper_test/.snapshots/2/snapshot.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that snapperd should be allowed mounton access on the snapshot directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd#012# semodule -i my-snapperd.pp#012

# sealert -l 4e07cff7-cc64-4c7b-89ca-22eac59c9056
SELinux is preventing /usr/sbin/snapperd from mounton access on the directory /mnt/snapper_test/.snapshots/2/snapshot.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snapperd should be allowed mounton access on the snapshot directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snapperd' --raw | audit2allow -M my-snapperd
# semodule -i my-snapperd.pp


Additional Information:
Source Context                system_u:system_r:snapperd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:snapperd_data_t:s0
Target Objects                /mnt/snapper_test/.snapshots/2/snapshot [ dir ]
Source                        snapperd
Source Path                   /usr/sbin/snapperd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           snapper-0.2.8-4.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     storageqe-75.lab.eng.brq.redhat.com
Platform                      Linux storageqe-75.lab.eng.brq.redhat.com
                              3.10.0-860.el7.x86_64 #1 SMP Wed Mar 7 07:24:17
                              EST 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-03-15 09:43:29 CET
Last Seen                     2018-03-15 10:28:42 CET
Local ID                      4e07cff7-cc64-4c7b-89ca-22eac59c9056

Raw Audit Messages
type=AVC msg=audit(1521106122.434:242): avc:  denied  { mounton } for  pid=26331 comm="snapperd" path="/mnt/snapper_test/.snapshots/2/snapshot" dev="dm-14" ino=1310848 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir


type=SYSCALL msg=audit(1521106122.434:242): arch=x86_64 syscall=mount success=no exit=EACCES a0=7f0dd0000a18 a1=7f0de49a9fc8 a2=7f0dd8001718 a3=c0f items=0 ppid=1 pid=26331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)

Hash: snapperd,snapperd_t,snapperd_data_t,dir,mounton

# ausearch -m avc --start recent
----
time->Thu Mar 15 10:26:29 2018
type=PROCTITLE msg=audit(1521105989.209:195): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521105989.209:195): arch=c000003e syscall=141 success=no exit=-13 a0=0 a1=5c2c a2=14 a3=7f087a392620 items=0 ppid=1 pid=23392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521105989.209:195): avc:  denied  { setsched } for  pid=23392 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:26:29 2018
type=PROCTITLE msg=audit(1521105989.209:196): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521105989.209:196): arch=c000003e syscall=251 success=no exit=-13 a0=1 a1=5c2c a2=6000 a3=1 items=0 ppid=1 pid=23392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521105989.209:196): avc:  denied  { setsched } for  pid=23392 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:26:29 2018
type=PROCTITLE msg=audit(1521105989.256:197): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521105989.256:197): arch=c000003e syscall=165 success=no exit=-13 a0=7f086c000a18 a1=7f087f790fc8 a2=7f087400e268 a3=c0f items=0 ppid=1 pid=23392 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521105989.256:197): avc:  denied  { mounton } for  pid=23392 comm="snapperd" path="/mnt/snapper_test/.snapshots/2/snapshot" dev="dm-14" ino=18 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir
----
time->Thu Mar 15 10:27:33 2018
type=PROCTITLE msg=audit(1521106053.939:228): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106053.939:228): arch=c000003e syscall=141 success=no exit=-13 a0=0 a1=6121 a2=14 a3=7f0025f40620 items=0 ppid=1 pid=24800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106053.939:228): avc:  denied  { setsched } for  pid=24800 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:27:33 2018
type=PROCTITLE msg=audit(1521106053.939:229): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106053.939:229): arch=c000003e syscall=251 success=no exit=-13 a0=1 a1=6121 a2=6000 a3=1 items=0 ppid=1 pid=24800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106053.939:229): avc:  denied  { setsched } for  pid=24800 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:27:33 2018
type=PROCTITLE msg=audit(1521106053.986:230): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106053.986:230): arch=c000003e syscall=165 success=no exit=-13 a0=7f0018000a18 a1=7f002b33efc8 a2=7f002000bfd8 a3=c0f items=0 ppid=1 pid=24800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106053.986:230): avc:  denied  { mounton } for  pid=24800 comm="snapperd" path="/mnt/snapper_test/.snapshots/2/snapshot" dev="dm-14" ino=18 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir
----
time->Thu Mar 15 10:27:38 2018
type=PROCTITLE msg=audit(1521106058.493:234): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106058.493:234): arch=c000003e syscall=141 success=no exit=-13 a0=0 a1=629a a2=14 a3=7f827b57b620 items=0 ppid=1 pid=24902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106058.493:234): avc:  denied  { setsched } for  pid=24902 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:27:38 2018
type=PROCTITLE msg=audit(1521106058.493:235): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106058.493:235): arch=c000003e syscall=251 success=no exit=-13 a0=1 a1=629a a2=6000 a3=1 items=0 ppid=1 pid=24902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106058.493:235): avc:  denied  { setsched } for  pid=24902 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:27:38 2018
type=PROCTITLE msg=audit(1521106058.539:236): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106058.539:236): arch=c000003e syscall=165 success=no exit=-13 a0=7f826c000a18 a1=7f8280979fc8 a2=7f8274058bf8 a3=c0f items=0 ppid=1 pid=24902 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106058.539:236): avc:  denied  { mounton } for  pid=24902 comm="snapperd" path="/mnt/snapper_test/.snapshots/2/snapshot" dev="dm-14" ino=1310848 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir
----
time->Thu Mar 15 10:28:42 2018
type=PROCTITLE msg=audit(1521106122.388:241): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106122.388:241): arch=c000003e syscall=251 success=no exit=-13 a0=1 a1=671c a2=6000 a3=1 items=0 ppid=1 pid=26331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106122.388:241): avc:  denied  { setsched } for  pid=26331 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process
----
time->Thu Mar 15 10:28:42 2018
type=PROCTITLE msg=audit(1521106122.434:242): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106122.434:242): arch=c000003e syscall=165 success=no exit=-13 a0=7f0dd0000a18 a1=7f0de49a9fc8 a2=7f0dd8001718 a3=c0f items=0 ppid=1 pid=26331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106122.434:242): avc:  denied  { mounton } for  pid=26331 comm="snapperd" path="/mnt/snapper_test/.snapshots/2/snapshot" dev="dm-14" ino=1310848 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir
----
time->Thu Mar 15 10:28:42 2018
type=PROCTITLE msg=audit(1521106122.388:240): proctitle=2F7573722F7362696E2F736E617070657264002D64
type=SYSCALL msg=audit(1521106122.388:240): arch=c000003e syscall=141 success=no exit=-13 a0=0 a1=671c a2=14 a3=7f0ddf5ab620 items=0 ppid=1 pid=26331 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521106122.388:240): avc:  denied  { setsched } for  pid=26331 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-192.el7.noarch
(selinux-policy-3.13.1-191.el7.noarch works)


How reproducible:
100%

Steps to Reproduce:
1. snapper -c bugtest status 2..3

Actual results:
Failure (org.freedesktop.DBus.Error.NoReply).

Expected results:
c..... /mnt/snapper_test/dir_0/file_0
+..... /mnt/snapper_test/dir_1
+..... /mnt/snapper_test/dir_1/file_1

Additional info:

Comment 5 Miroslav Grepl 2018-03-15 13:34:04 UTC
Jakub,
do I understand correctly that it blocks basic functionality of snapperd? Can snapperd be started? I am trying to find out if it is material for a 0day errata.

Comment 6 Milos Malik 2018-03-15 13:54:18 UTC
I don't like last minute respins, but I'm willing to do it if the fix is successfully tested by kernel QE and SELinux QE.

Our selinux-policy TC for snapperd identifies the following rules as missing:

allow snapperd_t kernel_t : process { setsched };
allow snapperd_t fs_t : filesystem { mount };

Comment 7 Jakub Krysl 2018-03-15 13:54:56 UTC
Miroslav,
I think it is still possible to create and list snapshots (see the test log), but listing changes on that snapshot is not. My understanding is that SELinux is preventing the connection to snapperd, hence the query for changes fails. Snapper dev Ondrej Kozina might give you better info on the extent of this bug.

Ondrej, can you please give more exact answer?

Comment 9 Ondrej Kozina 2018-03-15 14:28:29 UTC
(In reply to Milos Malik from comment #6)
> Our selinux-policy TC for snapperd identifies following rules as missing:
> 
> allow snapperd_t kernel_t : process { setsched };
> allow snapperd_t fs_t : filesystem { mount };

If snapperd is not allowed to mount filesystem snapshots it subsequently can't generate new status reply because it can't create fs diff reports.

Jakub mentioned a log with the following error:
INFO: [2018-03-15 09:43:29] Running: 'snapper -c bugtest status 2..3'...
Failure (org.freedesktop.DBus.Error.NoReply).

This may be due to an unhandled exception. Can you get a debug log from the snapperd server?

Just update snapperd service file (/usr/share/dbus-1/system-services/org.opensuse.Snapper.service) with:

Exec=/usr/sbin/snapperd -d

After you edit the service file, just kill the snapperd instance (to force a restart) and run the "snapper status" command again. The log will contain a debug report for the error.

The log file is /var/log/snapper.log. Do not start the snapperd server manually from the command line. It would run in a different domain, unlike the ordinary system service initiated by dbus.

Comment 10 Milos Malik 2018-03-15 15:00:47 UTC
Created attachment 1408457 [details]
/var/log/snapper.log after enabling the debug

The snapper.log contains the following actions:

# gdbus introspect -y -o / -d org.opensuse.Snapper

and whole run of /CoreOS/selinux-policy/Regression/snapperd-and-similar TC.

Comment 14 Milos Malik 2018-03-21 08:48:51 UTC
Our TC found the following SELinux denials on a RHEL-7.5 x86_64 VM in enforcing mode:
----
type=PROCTITLE msg=audit(03/21/2018 04:45:36.162:296) : proctitle=/usr/sbin/snapperd 
type=SYSCALL msg=audit(03/21/2018 04:45:36.162:296) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=0x7 a1=0x7f35d8051008 a2=0777 a3=0x23 items=0 ppid=1 pid=19070 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/21/2018 04:45:36.162:296) : avc:  denied  { create } for  pid=19070 comm=snapperd name=1 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir 
----
type=PROCTITLE msg=audit(03/21/2018 04:46:31.340:303) : proctitle=/usr/sbin/snapperd 
type=SYSCALL msg=audit(03/21/2018 04:46:31.340:303) : arch=x86_64 syscall=ioctl success=no exit=EPERM(Operation not permitted) a0=0x6 a1=0x5000940f a2=0x7f35de9f7960 a3=0x19 items=0 ppid=1 pid=19070 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=snapperd exe=/usr/sbin/snapperd subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(03/21/2018 04:46:31.340:303) : avc:  denied  { sys_admin } for  pid=19070 comm=snapperd capability=sys_admin  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability 
----

Comment 15 Milos Malik 2018-03-21 11:42:35 UTC
Our TC also found the following SELinux denial on a RHEL-7.5 x86_64 VM in permissive mode:
----
time->Wed Mar 21 07:37:44 2018
type=PROCTITLE msg=audit(1521632264.942:426): proctitle="/usr/sbin/snapperd"
type=SYSCALL msg=audit(1521632264.942:426): arch=c000003e syscall=190 success=yes exit=0 a0=7 a1=7f035bc89eaa a2=7f0354001250 a3=25 items=0 ppid=1 pid=429 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snapperd" exe="/usr/sbin/snapperd" subj=system_u:system_r:snapperd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1521632264.942:426): avc:  denied  { relabelto } for  pid=429 comm="snapperd" name=".snapshots" dev="loop0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir
----

That may be the reason why some directories created by snapper / snapperd are not labeled correctly when they are created.
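The denials quoted in the description and in comments 14 and 15 come in two shapes: the raw ausearch form (quoted values, epoch timestamps, hex-encoded proctitle) and the interpreted `ausearch -i` form (bare values, resolved names). The following is an added example, not code from the bug report or from the snapper or selinux-policy projects. It parses AVC records of both shapes, aggregates the denied permissions into `allow` rules in the form comment 6 uses (collapsing same source and target type to `self`, as audit2allow also does), separately flags denials against `unlabeled_t`, which point at a labeling problem rather than a missing rule as comment 15 suspects, and decodes the raw PROCTITLE hex to show that the daemon was running as `/usr/sbin/snapperd -d`. The sample lines are copied from this report; the function names are this example's own.

```python
import re

# AVC lines copied from this bug report: raw ausearch form (description and
# comment 15), interpreted "ausearch -i" form (comment 14), plus one non-AVC
# record to show that it is skipped.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1521106122.434:242): avc:  denied  { mounton } for  pid=26331 comm="snapperd" path="/mnt/snapper_test/.snapshots/2/snapshot" dev="dm-14" ino=1310848 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir',
    'type=AVC msg=audit(1521106122.388:241): avc:  denied  { setsched } for  pid=26331 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(03/21/2018 04:45:36.162:296) : avc:  denied  { create } for  pid=19070 comm=snapperd name=1 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir',
    'type=AVC msg=audit(03/21/2018 04:46:31.340:303) : avc:  denied  { sys_admin } for  pid=19070 comm=snapperd capability=sys_admin  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability',
    'type=AVC msg=audit(1521632264.942:426): avc:  denied  { relabelto } for  pid=429 comm="snapperd" name=".snapshots" dev="loop0" ino=256 scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snapperd_data_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1521106122.434:242): arch=x86_64 syscall=mount success=no exit=EACCES comm=snapperd',
]

# "avc:  denied  { perm perm } for  key=value ..." (works for both raw and -i form)
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are double-quoted in the raw form and bare in the -i form
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return {'result', 'perms', 'fields'} for an AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group('fields')):
        key, quoted, bare = f.groups()
        fields[key] = bare if quoted is None else quoted
    return {'result': m.group('result'), 'perms': m.group('perms').split(), 'fields': fields}


def context_type(ctx):
    """user:role:type:range -> type (the third component)."""
    return ctx.split(':')[2]


def missing_rules(lines):
    """Aggregate denials into allow rules written the way comment 6 writes them.

    A target type equal to the source type is written as 'self', the convention
    audit2allow uses for such rules."""
    perms_by_key = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        f = rec['fields']
        stype, ttype = context_type(f['scontext']), context_type(f['tcontext'])
        key = (stype, 'self' if stype == ttype else ttype, f['tclass'])
        perms_by_key.setdefault(key, set()).update(rec['perms'])
    return [f"allow {s} {t} : {c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms_by_key.items())]


def labeling_suspects(lines):
    """Denials whose target is unlabeled_t: usually a file-context (labeling) problem,
    not a rule to add; returns (permission, path-or-name) pairs."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and context_type(rec['fields']['tcontext']) == 'unlabeled_t':
            f = rec['fields']
            target = f.get('path') or f.get('name', '?')
            out.extend((perm, target) for perm in rec['perms'])
    return out


def decode_proctitle(hexstr):
    """Raw PROCTITLE records carry argv hex-encoded with NUL separators."""
    return ' '.join(arg.decode() for arg in bytes.fromhex(hexstr).split(b'\0'))


if __name__ == '__main__':
    for rule in missing_rules(SAMPLE_AVC_LINES):
        print(rule)
    print('labeling suspects:', labeling_suspects(SAMPLE_AVC_LINES))
    # proctitle value copied from the raw records in the description
    print('proctitle:', decode_proctitle('2F7573722F7362696E2F736E617070657264002D64'))
```

Feeding it the records from this report yields four rules (mounton and relabelto on snapperd_data_t dirs, setsched on self:process, sys_admin on self:capability, create on unlabeled_t dirs) and flags the `create` denial on the unlabeled directory `1` as a labeling suspect; the relabelto denial from comment 15 is what would let snapperd give that directory its proper label in the first place.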

Comment 18 errata-xmlrpc 2018-10-30 10:03:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

