Bug 1701158
| Summary: | SELinux prevents rotatelogs (httpd_rotatelogs_t) from executing and mmap()-ing the gzip command | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Branislav Náter <bnater> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-3.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:11:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1673107 | | |
| Bug Blocks: | | | |
Hi,

Thank you for reporting the issue. Could you please make the domain permissive:

semanage permissive -a httpd_rotatelogs_t

reproduce the scenario and gather all audit logs?

ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=USER_AVC msg=audit(04/18/2019 05:30:52.658:471) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=6) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.498:473) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=7) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.656:476) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=8) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:477) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:478) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:479) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=6) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:480) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=7) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:481) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=8) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(04/18/2019 05:31:22.035:484) : proctitle=/bin/gzip /var/log/httpd/errorX.1555565482
type=PATH msg=audit(04/18/2019 05:31:22.035:484) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=4215935 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/18/2019 05:31:22.035:484) : item=0 name=/bin/gzip inode=2290401 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/18/2019 05:31:22.035:484) : cwd=/etc/httpd
type=EXECVE msg=audit(04/18/2019 05:31:22.035:484) : argc=2 a0=/bin/gzip a1=/var/log/httpd/errorX.1555565482
type=SYSCALL msg=audit(04/18/2019 05:31:22.035:484) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc8a3bbef9 a1=0x7ffc8a3a9cd0 a2=0x7ffc8a3bb028 a3=0x8 items=2 ppid=26713 pid=26714 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gzip exe=/usr/bin/gzip subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null)
type=AVC msg=audit(04/18/2019 05:31:22.035:484) : avc: denied { map } for pid=26714 comm=gzip path=/usr/bin/gzip dev="vda1" ino=2290401 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
type=USER_AVC msg=audit(04/18/2019 05:31:53.382:487) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=9) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(04/18/2019 05:31:53.516:490) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=10) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
# matchpathcon /usr/sbin/rotatelogs
/usr/sbin/rotatelogs system_u:object_r:httpd_rotatelogs_exec_t:s0
#
Because SELinux policy defines only the following process transitions related to rotatelogs:
# sesearch -t httpd_rotatelogs_exec_t -T
type_transition cluster_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition condor_startd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition glusterd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition httpd_sys_script_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition httpd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition init_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition initrc_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition kdumpctl_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition openshift_initrc_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition piranha_pulse_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
#
I used the following reproducer instead of the automated TC:
# runcon system_u:system_r:initrc_t:s0 bash -c "/usr/sbin/rotatelogs -l -p /bin/gzip -f -L /var/log/httpd/error_log /var/log/httpd/errorX 100B"
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(04/18/2019 11:38:14.946:209) : proctitle=/usr/sbin/rotatelogs -l -p /bin/gzip -f -L /var/log/httpd/error_log /var/log/httpd/errorX 100B
type=PATH msg=audit(04/18/2019 11:38:14.946:209) : item=0 name=/bin/gzip inode=356193 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/18/2019 11:38:14.946:209) : cwd=/root
type=SYSCALL msg=audit(04/18/2019 11:38:14.946:209) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc88e48ca7 a1=X_OK a2=0x7ffc88e35a50 a3=0x0 items=1 ppid=3452 pid=3592 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rotatelogs exe=/usr/sbin/rotatelogs subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null)
type=AVC msg=audit(04/18/2019 11:38:14.946:209) : avc: denied { execute } for pid=3592 comm=rotatelogs name=gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/18/2019 11:38:14.946:210) : proctitle=/bin/gzip /var/log/httpd/errorX.1555587494
type=PATH msg=audit(04/18/2019 11:38:14.946:210) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8409478 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(04/18/2019 11:38:14.946:210) : item=0 name=/bin/gzip inode=356193 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(04/18/2019 11:38:14.946:210) : cwd=/root
type=EXECVE msg=audit(04/18/2019 11:38:14.946:210) : argc=2 a0=/bin/gzip a1=/var/log/httpd/errorX.1555587494
type=SYSCALL msg=audit(04/18/2019 11:38:14.946:210) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc88e48ca7 a1=0x7ffc88e35a50 a2=0x7ffc88e46da8 a3=0x8 items=2 ppid=3592 pid=3599 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=gzip exe=/usr/bin/gzip subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null)
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc: denied { map } for pid=3599 comm=gzip path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc: denied { execute_no_trans } for pid=3599 comm=rotatelogs path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
----
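The three denials above (execute, execute_no_trans and map on bin_t, all from httpd_rotatelogs_t) are exactly what audit2allow would fold into a single rule. As an added example that is not part of the bug report or of the selinux-policy fix, the following script parses AVC records in both the raw and the `ausearch -i` rendering, groups them by source type, target type and object class, counts the ones that happened in enforcing mode (permissive=0, i.e. the rotation actually failed), and prints the rule the denials imply. The sample records are copied from this page; the actual rule shipped in selinux-policy-3.14.3-3.el8 is not shown here and may differ.

```python
import re
from collections import defaultdict

# Four AVC records copied from this bug report: three from the permissive-mode
# reproducer (ausearch -i form) and one enforcing-mode denial from the
# description (raw form). Constructed sample input for this example.
SAMPLE_AVCS = """\
type=AVC msg=audit(04/18/2019 11:38:14.946:209) : avc: denied { execute } for pid=3592 comm=rotatelogs name=gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc: denied { map } for pid=3599 comm=gzip path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc: denied { execute_no_trans } for pid=3599 comm=rotatelogs path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
type=AVC msg=audit(1555433492.147:748): avc: denied { map } for pid=27732 comm="gzip" path="/usr/bin/gzip" dev="dm-0" ino=100918752 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""
# Matches both the raw and the `ausearch -i` rendering of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    # system_u:system_r:httpd_rotatelogs_t:s0 -> httpd_rotatelogs_t
    return context.split(":")[2]

def summarize_denials(text):
    """Group denied permissions by (source type, target type, class); also
    count records with permissive=0, i.e. denials that actually blocked gzip."""
    groups = defaultdict(set)
    enforcing_hits = 0
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        groups[key].update(m["perms"].split())
        if m["permissive"] == "0":
            enforcing_hits += 1
    return dict(groups), enforcing_hits

def allow_rules(groups):
    """Render each group as the TE allow rule audit2allow would propose."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(groups.items())
    ]

if __name__ == "__main__":
    groups, enforcing = summarize_denials(SAMPLE_AVCS)
    print(f"{enforcing} denial(s) were in enforcing mode")
    print("\n".join(allow_rules(groups)))
```

Feeding it the full `ausearch` output instead of the sample ignores the USER_AVC policyload notices, since only records containing `avc: denied` match.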
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547
Description of problem:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

selinux-policy-3.14.1-61.el8.noarch

----
time->Tue Apr 16 18:51:32 2019
type=PROCTITLE msg=audit(1555433492.147:748): proctitle="(null)"
type=PATH msg=audit(1555433492.147:748): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=3911 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1555433492.147:748): item=0 name="/bin/gzip" inode=100918752 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1555433492.147:748): cwd="/etc/httpd"
type=SYSCALL msg=audit(1555433492.147:748): arch=c000003e syscall=59 success=no exit=-13 a0=7fffcef24ef8 a1=7fffcef11bc0 a2=7fffcef22f18 a3=8 items=2 ppid=27731 pid=27732 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gzip" exe="/usr/bin/gzip" subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null)
type=AVC msg=audit(1555433492.147:748): avc: denied { map } for pid=27732 comm="gzip" path="/usr/bin/gzip" dev="dm-0" ino=100918752 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch

How reproducible:
Using automated test /CoreOS/httpd/Regression/bz1401694-rotatelogs-creation-of-zombie-processes-when-p