1701158 – SELinux prevents rotatelogs (httpd_rotatelogs_t) from executing and mmap()-ing the gzip command

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1701158 - SELinux prevents rotatelogs (httpd_rotatelogs_t) from executing and mmap()-ing the gzip command

Summary: SELinux prevents rotatelogs (httpd_rotatelogs_t) from executing and mmap()-in...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	8.1
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	1673107
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-18 09:06 UTC by Branislav Náter
Modified:	2020-11-14 13:00 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.14.3-3.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-05 22:11:10 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:3547	0	None	None	None	2019-11-05 22:11:18 UTC

Description Branislav Náter 2019-04-18 09:06:18 UTC

Description of problem:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
selinux-policy-3.14.1-61.el8.noarch
----
time->Tue Apr 16 18:51:32 2019
type=PROCTITLE msg=audit(1555433492.147:748): proctitle="(null)"
type=PATH msg=audit(1555433492.147:748): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=3911 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1555433492.147:748): item=0 name="/bin/gzip" inode=100918752 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1555433492.147:748): cwd="/etc/httpd"
type=SYSCALL msg=audit(1555433492.147:748): arch=c000003e syscall=59 success=no exit=-13 a0=7fffcef24ef8 a1=7fffcef11bc0 a2=7fffcef22f18 a3=8 items=2 ppid=27731 pid=27732 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gzip" exe="/usr/bin/gzip" subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null)
type=AVC msg=audit(1555433492.147:748): avc:  denied  { map } for  pid=27732 comm="gzip" path="/usr/bin/gzip" dev="dm-0" ino=100918752 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch

How reproducible:
Using automated test /CoreOS/httpd/Regression/bz1401694-rotatelogs-creation-of-zombie-processes-when-p

Comment 1 Zdenek Pytela 2019-04-18 09:25:32 UTC

Hi,

Thank you for reporting the issue. Could you please make the domain permissive:

semanage permissive -a httpd_rotatelogs_t

reproduce the scenario and gather all audit logs?

ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Comment 2 Branislav Náter 2019-04-18 09:32:36 UTC

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=USER_AVC msg=audit(04/18/2019 05:30:52.658:471) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=6)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.498:473) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=7)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.656:476) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=8)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:477) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:478) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:479) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:480) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=7)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:21.805:481) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=8)  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(04/18/2019 05:31:22.035:484) : proctitle=/bin/gzip /var/log/httpd/errorX.1555565482 
type=PATH msg=audit(04/18/2019 05:31:22.035:484) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=4215935 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(04/18/2019 05:31:22.035:484) : item=0 name=/bin/gzip inode=2290401 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/18/2019 05:31:22.035:484) : cwd=/etc/httpd 
type=EXECVE msg=audit(04/18/2019 05:31:22.035:484) : argc=2 a0=/bin/gzip a1=/var/log/httpd/errorX.1555565482 
type=SYSCALL msg=audit(04/18/2019 05:31:22.035:484) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc8a3bbef9 a1=0x7ffc8a3a9cd0 a2=0x7ffc8a3bb028 a3=0x8 items=2 ppid=26713 pid=26714 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gzip exe=/usr/bin/gzip subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null) 
type=AVC msg=audit(04/18/2019 05:31:22.035:484) : avc:  denied  { map } for  pid=26714 comm=gzip path=/usr/bin/gzip dev="vda1" ino=2290401 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
type=USER_AVC msg=audit(04/18/2019 05:31:53.382:487) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=9)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(04/18/2019 05:31:53.516:490) : pid=578 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=10)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'

Comment 3 Milos Malik 2019-04-18 09:48:19 UTC

# matchpathcon /usr/sbin/rotatelogs 
/usr/sbin/rotatelogs	system_u:object_r:httpd_rotatelogs_exec_t:s0
#

Because SELinux policy defines only following process transitions related to rotatelogs:

# sesearch -t httpd_rotatelogs_exec_t -T
type_transition cluster_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition condor_startd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition glusterd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition httpd_sys_script_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition httpd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition init_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition initrc_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition kdumpctl_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition openshift_initrc_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
type_transition piranha_pulse_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;
#

I used the following reproducer instead of the automated TC:

# runcon system_u:system_r:initrc_t:s0 bash -c "/usr/sbin/rotatelogs -l -p /bin/gzip -f -L /var/log/httpd/error_log /var/log/httpd/errorX 100B"

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(04/18/2019 11:38:14.946:209) : proctitle=/usr/sbin/rotatelogs -l -p /bin/gzip -f -L /var/log/httpd/error_log /var/log/httpd/errorX 100B 
type=PATH msg=audit(04/18/2019 11:38:14.946:209) : item=0 name=/bin/gzip inode=356193 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/18/2019 11:38:14.946:209) : cwd=/root 
type=SYSCALL msg=audit(04/18/2019 11:38:14.946:209) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc88e48ca7 a1=X_OK a2=0x7ffc88e35a50 a3=0x0 items=1 ppid=3452 pid=3592 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rotatelogs exe=/usr/sbin/rotatelogs subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null) 
type=AVC msg=audit(04/18/2019 11:38:14.946:209) : avc:  denied  { execute } for  pid=3592 comm=rotatelogs name=gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/18/2019 11:38:14.946:210) : proctitle=/bin/gzip /var/log/httpd/errorX.1555587494 
type=PATH msg=audit(04/18/2019 11:38:14.946:210) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=8409478 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(04/18/2019 11:38:14.946:210) : item=0 name=/bin/gzip inode=356193 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/18/2019 11:38:14.946:210) : cwd=/root 
type=EXECVE msg=audit(04/18/2019 11:38:14.946:210) : argc=2 a0=/bin/gzip a1=/var/log/httpd/errorX.1555587494 
type=SYSCALL msg=audit(04/18/2019 11:38:14.946:210) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc88e48ca7 a1=0x7ffc88e35a50 a2=0x7ffc88e46da8 a3=0x8 items=2 ppid=3592 pid=3599 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=gzip exe=/usr/bin/gzip subj=system_u:system_r:httpd_rotatelogs_t:s0 key=(null) 
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc:  denied  { map } for  pid=3599 comm=gzip path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/18/2019 11:38:14.946:210) : avc:  denied  { execute_no_trans } for  pid=3599 comm=rotatelogs path=/usr/bin/gzip dev="sda2" ino=356193 scontext=system_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----

Comment 10 errata-xmlrpc 2019-11-05 22:11:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547

Note You need to log in before you can comment on or make changes to this bug.