Bug 1711005 - tshark should be labeled wireshark_exec_t
Summary: tshark should be labeled wireshark_exec_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.1
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-05-16 18:11 UTC by Milos Malik
Modified: 2020-11-14 13:57 UTC
CC: 6 users

Fixed In Version: selinux-policy-3.14.3-12.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1546362
Environment:
Last Closed: 2019-11-05 22:11:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+
Links:
Red Hat Product Errata RHBA-2019:3547 (last updated 2019-11-05 22:11:36 UTC)

Description Milos Malik 2019-05-16 18:11:19 UTC
+++ This bug was initially created as a clone of Bug #1546362 +++

Description of problem:
* an incorrect file context pattern causes tshark to run unconfined
* if we are serious about using the wireshark policy, then both utilities, wireshark (GUI) and tshark (text), should have the same label and should run in the wireshark_t domain

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-4.el8.noarch
selinux-policy-devel-3.14.3-4.el8.noarch
selinux-policy-targeted-3.14.3-4.el8.noarch
wireshark-2.6.2-11.el8.x86_64
wireshark-cli-2.6.2-11.el8.x86_64

How reproducible:
* always

Steps to Reproduce:
# semanage fcontext -l | grep wireshark_exec_t
/usr/bin/wireshark                                 regular file       system_u:object_r:wireshark_exec_t:s0 
# matchpathcon /usr/bin/tshark 
/usr/bin/tshark	system_u:object_r:bin_t:s0
# rpm -qf /usr/bin/tshark
wireshark-cli-2.6.2-11.el8.x86_64
#

Comment 2 Milos Malik 2019-05-20 08:25:43 UTC
The following SELinux denial appears in enforcing mode:
----
type=PROCTITLE msg=audit(05/20/2019 04:14:49.227:1975) : proctitle=/usr/bin/tshark -I -a duration:8 
type=PATH msg=audit(05/20/2019 04:14:49.227:1975) : item=1 name=/var/tmp/wireshark_extcap_ciscodump_20190520041449_sKBRbT nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(05/20/2019 04:14:49.227:1975) : item=0 name=/var/tmp/ inode=4215976 dev=fd:01 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/20/2019 04:14:49.227:1975) : cwd=/home/user10008 
type=SYSCALL msg=audit(05/20/2019 04:14:49.227:1975) : arch=x86_64 syscall=mknod success=no exit=EACCES(Permission denied) a0=0x55850e79c060 a1=fifo,600 a2=0x0 a3=0x0 items=2 ppid=15491 pid=15513 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=69 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/20/2019 04:14:49.227:1975) : avc:  denied  { create } for  pid=15513 comm=tshark name=wireshark_extcap_ciscodump_20190520041449_sKBRbT scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0 
----

because SELinux policy does not define a type transition rule for fifo_file:

# sesearch -s wireshark_t -t tmp_t -T
type_transition wireshark_t tmp_t:dir user_fonts_t .font-unix;
type_transition wireshark_t tmp_t:dir wireshark_tmp_t;
type_transition wireshark_t tmp_t:file wireshark_tmp_t;
#

The same reproducer triggers the following SELinux denials in permissive mode:
----
type=PROCTITLE msg=audit(05/20/2019 04:21:11.676:2528) : proctitle=/usr/bin/tshark -I -a duration:8 
type=PATH msg=audit(05/20/2019 04:21:11.676:2528) : item=1 name=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v inode=4789121 dev=fd:01 mode=fifo,600 ouid=user7026 ogid=user7026 rdev=00:00 obj=sysadm_u:object_r:tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(05/20/2019 04:21:11.676:2528) : item=0 name=/var/tmp/ inode=4215976 dev=fd:01 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/20/2019 04:21:11.676:2528) : cwd=/home/user18425 
type=SYSCALL msg=audit(05/20/2019 04:21:11.676:2528) : arch=x86_64 syscall=mknod success=yes exit=0 a0=0x55feb8141060 a1=fifo,600 a2=0x0 a3=0x0 items=2 ppid=19920 pid=19942 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=93 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/20/2019 04:21:11.676:2528) : avc:  denied  { create } for  pid=19942 comm=tshark name=wireshark_extcap_ciscodump_20190520042111_Ffs92v scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(05/20/2019 04:21:11.693:2529) : proctitle=/usr/bin/tshark -I -a duration:8 
type=PATH msg=audit(05/20/2019 04:21:11.693:2529) : item=0 name=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v inode=4789121 dev=fd:01 mode=fifo,600 ouid=user7026 ogid=user7026 rdev=00:00 obj=sysadm_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/20/2019 04:21:11.693:2529) : cwd=/home/user18425 
type=SYSCALL msg=audit(05/20/2019 04:21:11.693:2529) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55feb8182fb0 a1=0x7fffa04f54f0 a2=0x7fffa04f54f0 a3=0x0 items=1 ppid=19920 pid=19942 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=93 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/20/2019 04:21:11.693:2529) : avc:  denied  { getattr } for  pid=19942 comm=tshark path=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v dev="vda1" ino=4789121 scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1 
----
type=PROCTITLE msg=audit(05/20/2019 04:21:11.693:2530) : proctitle=/usr/bin/tshark -I -a duration:8 
type=PATH msg=audit(05/20/2019 04:21:11.693:2530) : item=1 name=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v inode=4789121 dev=fd:01 mode=fifo,600 ouid=user7026 ogid=user7026 rdev=00:00 obj=sysadm_u:object_r:tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(05/20/2019 04:21:11.693:2530) : item=0 name=/var/tmp/ inode=4215976 dev=fd:01 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/20/2019 04:21:11.693:2530) : cwd=/home/user18425 
type=SYSCALL msg=audit(05/20/2019 04:21:11.693:2530) : arch=x86_64 syscall=unlink success=yes exit=0 a0=0x55feb8182fb0 a1=0x7fffa04f54f0 a2=0x1 a3=0x0 items=2 ppid=19920 pid=19942 auid=user7026 uid=user7026 gid=user7026 euid=user7026 suid=user7026 fsuid=user7026 egid=user7026 sgid=user7026 fsgid=user7026 tty=pts2 ses=93 comm=tshark exe=/usr/bin/tshark subj=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/20/2019 04:21:11.693:2530) : avc:  denied  { unlink } for  pid=19942 comm=tshark name=wireshark_extcap_ciscodump_20190520042111_Ffs92v dev="vda1" ino=4789121 scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1 
----

Even if SELinux policy defined the following type transition rule:

type_transition wireshark_t tmp_t:fifo_file wireshark_tmp_t;

The following rule would still be missing:

allow wireshark_t wireshark_tmp_t:fifo_file { create getattr unlink };
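
The reasoning in comment 2 (denials on tmp_t, the existing type_transition rules, the transition and allow rule that are missing) carried out in code, as an added example that is not part of the bug report or of the selinux-policy project. The script parses the AVC records and the sesearch output quoted above, embedded here as constructed sample input, aggregates the denied permissions per (source type, target type, class), and derives the rules the way audit2allow would, except that when a class has no default transition it proposes one into the type the sibling classes already transition to and writes the allow rule against that private type instead of tmp_t. Function names are this example's own.

```python
"""Turn AVC denials plus existing type_transition rules into the policy
rules they call for.  Added example; not code from the bug report or from
selinux-policy.  The sample input below is copied from comment 2."""
import re
from collections import defaultdict

# Constructed sample: the three permissive-mode AVC records from the report plus
# one SYSCALL record, which the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(05/20/2019 04:21:11.676:2528) : avc:  denied  { create } for  pid=19942 comm=tshark name=wireshark_extcap_ciscodump_20190520042111_Ffs92v scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(05/20/2019 04:21:11.693:2529) : avc:  denied  { getattr } for  pid=19942 comm=tshark path=/var/tmp/wireshark_extcap_ciscodump_20190520042111_Ffs92v dev="vda1" ino=4789121 scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(05/20/2019 04:21:11.693:2530) : avc:  denied  { unlink } for  pid=19942 comm=tshark name=wireshark_extcap_ciscodump_20190520042111_Ffs92v dev="vda1" ino=4789121 scontext=sysadm_u:sysadm_r:wireshark_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:tmp_t:s0 tclass=fifo_file permissive=1
type=SYSCALL msg=audit(05/20/2019 04:21:11.693:2530) : arch=x86_64 syscall=unlink success=yes exit=0 comm=tshark
"""

# Constructed sample: output of `sesearch -s wireshark_t -t tmp_t -T` from the report.
SAMPLE_TRANSITIONS = """\
type_transition wireshark_t tmp_t:dir user_fonts_t .font-unix;
type_transition wireshark_t tmp_t:dir wireshark_tmp_t;
type_transition wireshark_t tmp_t:file wireshark_tmp_t;
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_denials(audit_text):
    """Aggregate denied permissions per (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # PATH/CWD/SYSCALL/PROCTITLE records carry no permissions
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def parse_transitions(sesearch_text):
    """Map (src, tgt, class) -> result type for the default (unnamed) transitions."""
    rules = {}
    for line in sesearch_text.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) != 4 or parts[0] != "type_transition":
            continue  # skips name-based transitions such as the .font-unix one
        src, target, result = parts[1:]
        tgt, cls = target.split(":")
        rules[(src, tgt, cls)] = result
    return rules


def sibling_result(transitions, src, tgt):
    """The type that src's other transitions on tgt already produce, if unique."""
    results = {r for (s, t, _), r in transitions.items() if (s, t) == (src, tgt)}
    return results.pop() if len(results) == 1 else None


def missing_rules(denials, transitions):
    """Return (type_transition rules, allow rules) implied by the denials.

    A denied class with no default transition gets one into the type the
    sibling classes transition to, and its allow rule is written against that
    private type; with no sibling to copy, the allow rule targets tgt itself.
    """
    tt_rules, allow_rules = [], []
    for (src, tgt, cls), perms in sorted(denials.items()):
        result = transitions.get((src, tgt, cls))
        if result is None:
            result = sibling_result(transitions, src, tgt)
            if result is not None:
                tt_rules.append(f"type_transition {src} {tgt}:{cls} {result};")
            else:
                result = tgt
        allow_rules.append(f"allow {src} {result}:{cls} {{ {' '.join(sorted(perms))} }};")
    return tt_rules, allow_rules


if __name__ == "__main__":
    tt, allow = missing_rules(parse_denials(SAMPLE_AUDIT), parse_transitions(SAMPLE_TRANSITIONS))
    print("\n".join(tt + allow))
```

Run on the sample it prints exactly the two rules comment 2 names. The output is a proposal, not a policy decision: whether the private wireshark_tmp_t type is the right target, and whether the denied permissions are ones the domain should have at all, is still for the policy author to judge before anything is compiled into a module.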

Comment 3 Lukas Vrabec 2019-05-20 09:13:42 UTC
commit 1ed9cccfddabda4bf4aa33d25e5c264243256bf5 (HEAD -> rhel8.1-contrib)
Author: Lukas Vrabec <lvrabec>
Date:   Mon May 20 11:12:41 2019 +0200

    Allow wireshark_t domain to create fifo temp files
    Resolves: rhbz#1711005

Comment 42 errata-xmlrpc 2019-11-05 22:11:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547

