Bug 1711005
| Summary: | tshark should be labeled wireshark_exec_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.1 | CC: | lvrabec, mgrepl, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Flags: | pm-rhel:
mirror+
|
| Target Release: | 8.1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1546362 | Environment: | |
| Last Closed: | 2019-11-05 22:11:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Milos Malik
2019-05-16 18:11:19 UTC
Following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(05/20/2019 04:14:49.227:1975) : proctitle=/usr/bin/tshark -I -a duration:8
type=PATH msg=audit(05/20/2019 04:14:49.227:1975) : item=1 name=/var/tmp/wireshark_extcap_ciscodump_20190520041449_sKBRbT nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(05/20/2019 04:14:49.227:1975) : item=0 name=/var/tmp/ inode=4215976 dev=fd:01 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/20/2019 04:14:49.227:1975) : cwd=/home/user10008
type=SYSCALL msg=audit(05/20/2019 04:14:49.227:1975) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x55850e79c060 a1=fifo,600 a2=0x0 a3=0x0 items=2 ppid=15491 pid=15513 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=69 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/20/2019 04:14:49.227:1975) : avc: denied { create } for pid=15513 comm=tshark name=wireshark_extcap_ciscodump_20190520041449_sKBRbT scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
----
because SELinux policy does not define a type transition rule for fifo_file:
# sesearch -s wireshark_t -t tmp_t -T
type_transition wireshark_t tmp_t:dir user_fonts_t .font-unix;
type_transition wireshark_t tmp_t:dir wireshark_tmp_t;
type_transition wireshark_t tmp_t:file wireshark_tmp_t;
#
The same reproducer triggers following SELinux denials in permissive mode:
----
type=PROCTITLE msg=audit(05/20/2019 04:21:11.676:2528) : proctitle=/usr/bin/tshark -I -a duration:8
type=PATH msg=audit(05/20/2019 04:21:11.676:2528) : item=1 name=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v inode=4789121 dev=fd:01 mode=fifo,600 ouid=user7026 ogid=user7026 rdev=00:00 obj=sysadm_u:object_r:tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(05/20/2019 04:21:11.676:2528) : item=0 name=/var/tmp/ inode=4215976 dev=fd:01 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/20/2019 04:21:11.676:2528) : cwd=/home/user18425
type=SYSCALL msg=audit(05/20/2019 04:21:11.676:2528) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x55feb8141060 a1=fifo,600 a2=0x0 a3=0x0 items=2 ppid=19920 pid=19942 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=93 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/20/2019 04:21:11.676:2528) : avc: denied { create } for pid=19942 comm=tshark name=wireshark_extcap_ciscodump_20190520042111_Ffs92v scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(05/20/2019 04:21:11.693:2529) : proctitle=/usr/bin/tshark -I -a duration:8
type=PATH msg=audit(05/20/2019 04:21:11.693:2529) : item=0 name=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v inode=4789121 dev=fd:01 mode=fifo,600 ouid=user7026 ogid=user7026 rdev=00:00 obj=sysadm_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/20/2019 04:21:11.693:2529) : cwd=/home/user18425
type=SYSCALL msg=audit(05/20/2019 04:21:11.693:2529) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55feb8182fb0 a1=0x7fffa04f54f0 a2=0x7fffa04f54f0 a3=0x0 items=1 ppid=19920 pid=19942 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=93 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/20/2019 04:21:11.693:2529) : avc: denied { getattr } for pid=19942 comm=tshark path=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v dev="vda1" ino=4789121 scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(05/20/2019 04:21:11.693:2530) : proctitle=/usr/bin/tshark -I -a duration:8
type=PATH msg=audit(05/20/2019 04:21:11.693:2530) : item=1 name=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v inode=4789121 dev=fd:01 mode=fifo,600 ouid=user7026 ogid=user7026 rdev=00:00 obj=sysadm_u:object_r:tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(05/20/2019 04:21:11.693:2530) : item=0 name=/var/tmp/ inode=4215976 dev=fd:01 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/20/2019 04:21:11.693:2530) : cwd=/home/user18425
type=SYSCALL msg=audit(05/20/2019 04:21:11.693:2530) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x55feb8182fb0 a1=0x7fffa04f54f0 a2=0x1 a3=0x0 items=2 ppid=19920 pid=19942 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=93 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(05/20/2019 04:21:11.693:2530) : avc: denied { unlink } for pid=19942 comm=tshark name=wireshark_extcap_ciscodump_20190520042111_Ffs92v dev="vda1" ino=4789121 scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1
----
Even if SELinux policy defined following type transition rule:
type_transition wireshark_t tmp_t:fifo_file wireshark_tmp_t;
Following rule would still be missing:
allow wireshark_t wireshark_tmp_t:fifo_file { create getattr unlink };
commit 1ed9cccfddabda4bf4aa33d25e5c264243256bf5 (HEAD -> rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date: Mon May 20 11:12:41 2019 +0200
Allow wireshark_t domain to create fifo temp files
Resolves: rhbz#1711005
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 |