Bug 1596141 - Selinux cause lsmcli list --type PLUGINS leads to TRANSPORT_COMMUNICATION(400)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2018-06-28 10:04 UTC by Jakub Krysl
Modified: 2018-10-30 10:06 UTC (History)

Fixed In Version: selinux-policy-3.13.1-207.el7
Last Closed: 2018-10-30 10:05:54 UTC

Links
System                 | ID             | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:3111 | None     | None   | None    | 2018-10-30 10:06:24 UTC

Description Jakub Krysl 2018-06-28 10:04:48 UTC
Description of problem:
```
# lsmcli -u "sim://" list --type PLUGINS
TRANSPORT_COMMUNICATION(400): Error while reading a message from the plug-in Data: [Errno 104] Connection reset by peer
# lsmcli -u "ontap://user@server" list --type PLUGINS -P
Password:
TRANSPORT_COMMUNICATION(400): Error while reading a message from the plug-in Data: [Errno 104] Connection reset by peer
```

libstoragemgmt-1.6.1-2.el7:
```
# lsmcli -u "sim://" list --type PLUGINS
Description              | Version
----------------------------------
NetApp Filer support     | 1.6.1
Storage simulator        | 1.6.1
Compiled plug-in example | 4.1
# lsmcli -u "ontap://user@server" list --type PLUGINS -P
Password:
Description              | Version
----------------------------------
NetApp Filer support     | 1.6.1
Storage simulator        | 1.6.1
Compiled plug-in example | 4.1
```

Version-Release number of selected component (if applicable):
libstoragemgmt-1.6.2-2.el7

How reproducible:
100%

Steps to Reproduce:
1. lsmcli list --type PLUGINS

Actual results:
TRANSPORT_COMMUNICATION(400): Error while reading a message from the plug-in Data: [Errno 104] Connection reset by peer

Expected results:
plugins listed

Additional info:

Comment 3 Gris Ge 2018-06-28 13:15:01 UTC
It should be a bug of selinux policy.

Problem gone after `setenforce 1`.

The output of `ausearch -m AVC,USER_AVC -ts recent` is:

```
time->Thu Jun 28 09:10:28 2018
type=PROCTITLE msg=audit(1530191428.057:231): proctitle="(null)"
type=SYSCALL msg=audit(1530191428.057:231): arch=c000003e syscall=59 success=no exit=-13 a0=5616f84f4310 a1=7ffeffa4c830 a2=7ffeffa4cb10 a3=2 items=0 ppid=11268 pid=11316 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="simc_lsmplugin" exe="/usr/bin/simc_lsmplugin" subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(1530191428.057:231): avc:  denied  { map } for  pid=11316 comm="simc_lsmplugin" path="/usr/bin/simc_lsmplugin" dev="dm-0" ino=732599 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
```

Comment 4 Gris Ge 2018-06-28 13:17:11 UTC
Issue reproduced on RHEL-7.6-20180626.0:

selinux-policy-3.13.1-204.el7.noarch
libstoragemgmt-1.6.2-2.el7.x86_64

Comment 5 Milos Malik 2018-06-28 13:57:29 UTC
```
----
type=PROCTITLE msg=audit(06/28/2018 09:55:48.209:169) : proctitle=(null)
type=PATH msg=audit(06/28/2018 09:55:48.209:169) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=313037 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/28/2018 09:55:48.209:169) : item=0 name=/usr/bin/simc_lsmplugin inode=13752735 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lsmd_plugin_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/28/2018 09:55:48.209:169) :  cwd=/
type=SYSCALL msg=audit(06/28/2018 09:55:48.209:169) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55fb36b07830 a1=0x7ffe16326b00 a2=0x7ffe16326de0 a3=0x2 items=2 ppid=29634 pid=32463 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=simc_lsmplugin exe=/usr/bin/simc_lsmplugin subj=system_u:system_r:lsmd_t:s0 key=(null)
type=AVC msg=audit(06/28/2018 09:55:48.209:169) : avc:  denied  { map } for  pid=32463 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
----
```

Comment 6 Milos Malik 2018-06-28 14:01:38 UTC
There are no additional SELinux denials visible in permissive mode:
```
----
type=PROCTITLE msg=audit(06/28/2018 09:59:45.987:190) : proctitle=simc_lsmplugin 3
type=PATH msg=audit(06/28/2018 09:59:45.987:190) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=313037 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(06/28/2018 09:59:45.987:190) : item=0 name=/usr/bin/simc_lsmplugin inode=13752735 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lsmd_plugin_exec_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(06/28/2018 09:59:45.987:190) :  cwd=/
type=EXECVE msg=audit(06/28/2018 09:59:45.987:190) : argc=2 a0=simc_lsmplugin a1=3
type=SYSCALL msg=audit(06/28/2018 09:59:45.987:190) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x558ee18e8830 a1=0x7ffebeea9000 a2=0x7ffebeea92e0 a3=0x2 items=2 ppid=30466 pid=30574 auid=unset uid=libstoragemgmt gid=libstoragemgmt euid=libstoragemgmt suid=libstoragemgmt fsuid=libstoragemgmt egid=libstoragemgmt sgid=libstoragemgmt fsgid=libstoragemgmt tty=(none) ses=unset comm=simc_lsmplugin exe=/usr/bin/simc_lsmplugin subj=system_u:system_r:lsmd_plugin_t:s0 key=(null)
type=AVC msg=audit(06/28/2018 09:59:45.987:190) : avc:  denied  { map } for  pid=30574 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=1
----
```
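
An added example, not part of the original bug report: a small parser for the AVC records quoted in Comments 3, 5 and 6 (raw and `ausearch -i` interpreted forms) that groups denials by source type, target type and class, counts enforced versus permissive hits, and prints the policy rule the denials correspond to. The function names are hypothetical, and the emitted rule is a candidate for policy review derived from the logs, not the change shipped in the erratum.

```python
import re
from collections import defaultdict

# AVC lines copied from Comments 3, 5 and 6 of this report (raw and ausearch -i forms).
SAMPLE = '''\
type=AVC msg=audit(1530191428.057:231): avc:  denied  { map } for  pid=11316 comm="simc_lsmplugin" path="/usr/bin/simc_lsmplugin" dev="dm-0" ino=732599 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/28/2018 09:55:48.209:169) : avc:  denied  { map } for  pid=32463 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(06/28/2018 09:59:45.987:190) : avc:  denied  { map } for  pid=30574 comm=simc_lsmplugin path=/usr/bin/simc_lsmplugin dev="dm-0" ino=13752735 scontext=system_u:system_r:lsmd_t:s0 tcontext=system_u:object_r:lsmd_plugin_exec_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # raw logs quote strings, -i output does not

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type:level; the type is what policy rules name.
    return {
        "perms": m.group("perms").split(),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "enforced": fields.get("permissive") == "0",  # 0 = the access was blocked
    }

def summarize(text):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "enforced": 0, "permissive": 0})
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        r = rules[(d["source"], d["target"], d["tclass"])]
        r["perms"].update(d["perms"])
        r["enforced" if d["enforced"] else "permissive"] += 1
    return dict(rules)

def candidate_rules(text):
    """Render each group as an allow rule for a policy maintainer to review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(r['perms']))} }};"
            for (s, t, c), r in sorted(summarize(text).items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```
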

Comment 10 errata-xmlrpc 2018-10-30 10:05:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

