Bug 1579848 - the certmaster service triggers SELinux denials
Summary: the certmaster service triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-05-18 13:13 UTC by Milos Malik
Modified: 2018-05-26 20:43 UTC

Fixed In Version: selinux-policy-3.14.1-29.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-26 20:43:44 UTC
Type: Bug



Description Milos Malik 2018-05-18 13:13:09 UTC
Description of problem:
 * the certmaster daemon is running, but several SELinux denials appear during its start

Version-Release number of selected component (if applicable):
certmaster-0.28-16.fc28.noarch
selinux-policy-3.14.1-24.fc28.noarch
selinux-policy-devel-3.14.1-24.fc28.noarch
selinux-policy-targeted-3.14.1-24.fc28.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 28 machine (targeted policy is active)
2. start the certmaster service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(05/18/2018 09:09:17.649:371) : proctitle=/usr/bin/python2 /usr/bin/certmaster --daemon 
type=PATH msg=audit(05/18/2018 09:09:17.649:371) : item=0 name=/sbin/ldconfig inode=134272 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ldconfig_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/18/2018 09:09:17.649:371) : cwd=/ 
type=SYSCALL msg=audit(05/18/2018 09:09:17.649:371) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x559810766af0 a1=0x559810770040 a2=0x559810718800 a3=0x0 items=1 ppid=10377 pid=10378 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmaster exe=/usr/bin/python2.7 subj=system_u:system_r:certmaster_t:s0 key=(null) 
type=AVC msg=audit(05/18/2018 09:09:17.649:371) : avc:  denied  { execute } for  pid=10378 comm=certmaster name=ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(05/18/2018 09:09:17.653:372) : proctitle=/usr/bin/python2 /usr/bin/certmaster --daemon 
type=PATH msg=audit(05/18/2018 09:09:17.653:372) : item=0 name=/tmp/ inode=14136 dev=00:2a mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/18/2018 09:09:17.653:372) : cwd=/ 
type=SYSCALL msg=audit(05/18/2018 09:09:17.653:372) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x559810770040 a2=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=1 ppid=1 pid=10377 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmaster exe=/usr/bin/python2.7 subj=system_u:system_r:certmaster_t:s0 key=(null) 
type=AVC msg=audit(05/18/2018 09:09:17.653:372) : avc:  denied  { write } for  pid=10377 comm=certmaster name=/ dev="tmpfs" ino=14136 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(05/18/2018 09:09:17.656:375) : proctitle=/usr/bin/python2 /usr/bin/certmaster --daemon 
type=PATH msg=audit(05/18/2018 09:09:17.656:375) : item=0 name=/ inode=2 dev=fc:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/18/2018 09:09:17.656:375) : cwd=/ 
type=SYSCALL msg=audit(05/18/2018 09:09:17.656:375) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x559810770040 a2=O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=1 ppid=1 pid=10377 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmaster exe=/usr/bin/python2.7 subj=system_u:system_r:certmaster_t:s0 key=(null) 
type=AVC msg=audit(05/18/2018 09:09:17.656:375) : avc:  denied  { dac_override } for  pid=10377 comm=certmaster capability=dac_override  scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:system_r:certmaster_t:s0 tclass=capability permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2018-05-18 13:16:38 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(05/18/2018 09:15:10.627:392) : proctitle=/sbin/ldconfig -p 
type=PATH msg=audit(05/18/2018 09:15:10.627:392) : item=0 name=/sbin/ldconfig inode=134272 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ldconfig_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/18/2018 09:15:10.627:392) : cwd=/ 
type=EXECVE msg=audit(05/18/2018 09:15:10.627:392) : argc=2 a0=/sbin/ldconfig a1=-p 
type=SYSCALL msg=audit(05/18/2018 09:15:10.627:392) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5587183be370 a1=0x558718440130 a2=0x558718449680 a3=0x0 items=1 ppid=14603 pid=14604 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ldconfig exe=/usr/sbin/ldconfig subj=system_u:system_r:certmaster_t:s0 key=(null) 
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { map } for  pid=14604 comm=ldconfig path=/usr/sbin/ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { execute_no_trans } for  pid=14604 comm=certmaster path=/usr/sbin/ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { read open } for  pid=14604 comm=certmaster path=/usr/sbin/ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { execute } for  pid=14604 comm=certmaster name=ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1 
----
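
As an added example (not part of the bug report or of the selinux-policy project), the parser below reads the AVC records quoted in the description and in comment 1, merges them into the allow rules a policy fix would need in the way audit2allow does, and separately flags dac_override, which normally points at file ownership or mode problems and is investigated before it is ever allowed. SAMPLE_AVCS is a copy of the report's own AVC lines embedded as input; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (enforcing-mode run from the
# description plus the permissive-mode run from comment 1), used as sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(05/18/2018 09:09:17.649:371) : avc:  denied  { execute } for  pid=10378 comm=certmaster name=ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(05/18/2018 09:09:17.653:372) : avc:  denied  { write } for  pid=10377 comm=certmaster name=/ dev="tmpfs" ino=14136 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(05/18/2018 09:09:17.656:375) : avc:  denied  { dac_override } for  pid=10377 comm=certmaster capability=dac_override  scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:system_r:certmaster_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { map } for  pid=14604 comm=ldconfig path=/usr/sbin/ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { execute_no_trans } for  pid=14604 comm=certmaster path=/usr/sbin/ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/18/2018 09:15:10.627:392) : avc:  denied  { read open } for  pid=14604 comm=certmaster path=/usr/sbin/ldconfig dev="vda1" ino=134272 scontext=system_u:system_r:certmaster_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=1
"""

# Permission set, source/target security context and object class of one denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m.group("scontext").split(":")[2]   # type field of user:role:type:level
        tgt = m.group("tcontext").split(":")[2]
        # Capability checks target the process's own context, written as 'self'.
        yield src, ("self" if tgt == src else tgt), m.group("tclass"), set(m.group("perms").split())

def allow_rules(text):
    """One allow rule per (source, target, class), as audit2allow does. Enforcing mode stops
    at the first denied check (the execve in the description); the permissive run in comment 1
    supplies the remaining file permissions, which is why both runs are merged here."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, p if len(perms) == 1 else "{ %s }" % p))
    return rules

def needs_review(text):
    """Denied permissions that usually mean wrong file ownership or mode rather than a missing
    rule (dac_override lets root bypass DAC checks): investigate these before adding policy."""
    return sorted({p for _, _, _, perms in parse_denials(text) for p in perms
                   if p in ("dac_override", "dac_read_search")})
```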

Comment 2 Fedora Update System 2018-05-24 14:34:53 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 3 Fedora Update System 2018-05-25 18:41:57 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 4 Fedora Update System 2018-05-26 20:43:44 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

