Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
From customer case description:
Installed pcp pcp-pmda-named to trouble shoot some DNS questions.
the selinux logs complained on perl access to the /var/named/data/named_stats.txt and rndc binary
alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/perl from search access on the directory /var/named/data/named_stats.txt.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/var/named/data/named_stats.txt default label should be named_cache_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/named/data/named_stats.txt
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that perl should be allowed search access on the named_stats.txt directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'perl' --raw | audit2allow -M my-perl
# semodule -i my-perl.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:object_r:named_zone_t:s0
Target Objects /var/named/data/named_stats.txt [ dir ]
Source perl
Source Path /usr/bin/perl
Port <Unknown>
Host <Unknown>
Source RPM Packages perl-5.16.3-292.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (redacted)
Platform Linux (redacted)
3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27
04:30:39 EDT 2018 x86_64 x86_64
Alert Count 4
First Seen 2018-07-25 11:31:45 MDT
Last Seen 2018-07-25 11:36:14 MDT
Local ID 5ac8394c-b8fd-4b8b-b114-a451e9e6fad7
Raw Audit Messages
type=AVC msg=audit(1532540174.341:22480): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1532540174.341:22480): arch=x86_64 syscall=stat success=no exit=EACCES a0=1204660 a1=11ce138 a2=11ce138 a3=6d616e2f7261762f items=1 ppid=19869 pid=25668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=CWD msg=audit(1532540174.341:22480): cwd=/var/log/pcp/pmcd
type=PATH msg=audit(1532540174.341:22480): item=0 name=/var/named/data/named_stats.txt objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Hash: perl,pcp_pmcd_t,named_zone_t,dir,search
SELinux is preventing /usr/bin/perl from 'read, open' accesses on the file /usr/sbin/rndc.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that perl should be allowed read open access on the rndc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'perl' --raw | audit2allow -M my-perl
# semodule -i my-perl.pp
Additional Information:
Source Context system_u:system_r:pcp_pmcd_t:s0
Target Context system_u:object_r:ndc_exec_t:s0
Target Objects /usr/sbin/rndc [ file ]
Source perl
Source Path /usr/bin/perl
Port <Unknown>
Host <Unknown>
Source RPM Packages perl-5.16.3-292.el7.x86_64
Target RPM Packages bind-9.9.4-61.el7.x86_64
Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (redacted)
Platform Linux (redacted)
3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27
04:30:39 EDT 2018 x86_64 x86_64
Alert Count 9
First Seen 2018-07-25 11:49:49 MDT
Last Seen 2018-07-25 11:51:02 MDT
Local ID 408ab5d1-d8a0-4a96-8394-59dc9bbf0eab
Raw Audit Messages
type=AVC msg=audit(1532541062.782:32023): avc: denied { read open } for pid=30511 comm="perl" path="/usr/sbin/rndc" dev="dm-0" ino=9699441 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1532541062.782:32023): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff46e8b2dd a1=23358e0 a2=231a1f0 a3=7fff46e8ade0 items=1 ppid=29837 pid=30511 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=CWD msg=audit(1532541062.782:32023): cwd=/var/log/pcp/pmcd
type=PATH msg=audit(1532541062.782:32023): item=0 name=/usr/sbin/rndc inode=9699441 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ndc_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Hash: perl,pcp_pmcd_t,ndc_exec_t,file,read,open
---
Additionally TSE has reproduced the same problem in house:
I tested reproducing the customers steps in the case description. I can reproduce the denial, and confirm that the setroubleshoot recommendation of a blanket perl module (probably not a good idea anyways) still yields these denials, even after being loaded:
Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408
Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012
Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408
Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012
Version-Release number of selected component (if applicable):
3.12.2-5
From customer case description: Installed pcp pcp-pmda-named to trouble shoot some DNS questions. the selinux logs complained on perl access to the /var/named/data/named_stats.txt and rndc binary alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/bin/perl from search access on the directory /var/named/data/named_stats.txt. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /var/named/data/named_stats.txt default label should be named_cache_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /var/named/data/named_stats.txt ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that perl should be allowed search access on the named_stats.txt directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'perl' --raw | audit2allow -M my-perl # semodule -i my-perl.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:object_r:named_zone_t:s0 Target Objects /var/named/data/named_stats.txt [ dir ] Source perl Source Path /usr/bin/perl Port <Unknown> Host <Unknown> Source RPM Packages perl-5.16.3-292.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (redacted) Platform Linux (redacted) 3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27 04:30:39 EDT 2018 x86_64 x86_64 Alert Count 4 First Seen 2018-07-25 11:31:45 MDT Last Seen 2018-07-25 11:36:14 MDT Local ID 5ac8394c-b8fd-4b8b-b114-a451e9e6fad7 Raw Audit Messages type=AVC msg=audit(1532540174.341:22480): avc: denied { search } for pid=25668 comm="perl" name="named" dev="dm-3" ino=2128175 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir type=SYSCALL msg=audit(1532540174.341:22480): arch=x86_64 syscall=stat success=no exit=EACCES a0=1204660 a1=11ce138 a2=11ce138 a3=6d616e2f7261762f items=1 ppid=19869 pid=25668 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) type=CWD msg=audit(1532540174.341:22480): cwd=/var/log/pcp/pmcd type=PATH msg=audit(1532540174.341:22480): item=0 name=/var/named/data/named_stats.txt objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Hash: perl,pcp_pmcd_t,named_zone_t,dir,search SELinux is preventing /usr/bin/perl from 'read, open' accesses on the file /usr/sbin/rndc. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that perl should be allowed read open access on the rndc file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'perl' --raw | audit2allow -M my-perl # semodule -i my-perl.pp Additional Information: Source Context system_u:system_r:pcp_pmcd_t:s0 Target Context system_u:object_r:ndc_exec_t:s0 Target Objects /usr/sbin/rndc [ file ] Source perl Source Path /usr/bin/perl Port <Unknown> Host <Unknown> Source RPM Packages perl-5.16.3-292.el7.x86_64 Target RPM Packages bind-9.9.4-61.el7.x86_64 Policy RPM selinux-policy-3.13.1-192.el7_5.4.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (redacted) Platform Linux (redacted) 3.10.0-862.9.1.el7.x86_64 #1 SMP Wed Jun 27 04:30:39 EDT 2018 x86_64 x86_64 Alert Count 9 First Seen 2018-07-25 11:49:49 MDT Last Seen 2018-07-25 11:51:02 MDT Local ID 408ab5d1-d8a0-4a96-8394-59dc9bbf0eab Raw Audit Messages type=AVC msg=audit(1532541062.782:32023): avc: denied { read open } for pid=30511 comm="perl" path="/usr/sbin/rndc" dev="dm-0" ino=9699441 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:ndc_exec_t:s0 tclass=file type=SYSCALL msg=audit(1532541062.782:32023): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff46e8b2dd a1=23358e0 a2=231a1f0 a3=7fff46e8ade0 items=1 ppid=29837 pid=30511 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm=perl exe=/usr/bin/perl subj=system_u:system_r:pcp_pmcd_t:s0 key=(null) type=CWD msg=audit(1532541062.782:32023): cwd=/var/log/pcp/pmcd type=PATH msg=audit(1532541062.782:32023): item=0 name=/usr/sbin/rndc inode=9699441 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ndc_exec_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Hash: perl,pcp_pmcd_t,ndc_exec_t,file,read,open --- Additionally TSE has reproduced the same problem in house: I tested reproducing the customers steps in the case description. I can reproduce the denial, and confirm that the setroubleshoot recommendation of a blanket perl module (probably not a good idea anyways) still yields these denials, even after being loaded: Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408 Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012 Aug 14 20:24:01 r74 setroubleshoot: SELinux is preventing /usr/bin/perl from search access on the directory data. For complete SELinux messages run: sealert -l f14ac5f9-d425-4490-93d0-e47337ef1408 Aug 14 20:24:01 r74 python: SELinux is preventing /usr/bin/perl from search access on the directory data.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that perl should be allowed search access on the data directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'perl' --raw | audit2allow -M my-perl#012# semodule -i my-perl.pp#012 Version-Release number of selected component (if applicable): 3.12.2-5