RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1721943 - SELinux is preventing /usr/sbin/ip from write access on the file /var/log/vmware-imc/toolsDeployPkg.log
Summary: SELinux is preventing /usr/sbin/ip from write access on the file /var/log/vmw...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: 8.7
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1743093
TreeView+ depends on / blocked
 
Reported: 2019-06-19 09:38 UTC by daniele.raffo@vd.ch
Modified: 2022-11-08 12:20 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.14.3-99.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1743093 (view as bug list)
Environment:
Last Closed: 2022-11-08 10:43:57 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:7691 0 None None None 2022-11-08 10:44:18 UTC

Description daniele.raffo@vd.ch 2019-06-19 09:38:37 UTC 
Note: This bug should perhaps be filed on the VMWare bugtracking platform as it is supposed to install the appropriate local policy module.  If this is the case, feel free to close and consider this a FYI.   


Description of problem: sealert reports that SELinux is preventing /usr/sbin/ip from write access on the file /var/log/vmware-imc/toolsDeployPkg.log


Version-Release number of selected component (if applicable): selinux-policy.noarch 3.14.1-61.el8


How reproducible: Always


Steps to Reproduce: sealert -a /var/log/audit/audit.log


Actual results: sealert reports that SELinux is preventing /usr/sbin/ip from write access on the file /var/log/vmware-imc/toolsDeployPkg.log


Expected results: A SELinux policy should be in place to allow access to that file 


Additional info: (output of sealert command follows)

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/ip from write access on the file /var/log/vmware-imc/toolsDeployPkg.log.

*****  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore ip trying to write access the toolsDeployPkg.log file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# ausearch -x /usr/sbin/ip --raw | audit2allow -D -M my-ip
# semodule -X 300 -i my-ip.pp

*****  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that ip should be allowed write access on the toolsDeployPkg.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ip' --raw | audit2allow -M my-ip
# semodule -X 300 -i my-ip.pp


Additional Information:
Source Context                system_u:system_r:ifconfig_t:s0
Target Context                system_u:object_r:vmware_log_t:s0
Target Objects                /var/log/vmware-imc/toolsDeployPkg.log [ file ]
Source                        ip
Source Path                   /usr/sbin/ip
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           iproute-4.18.0-11.el8.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-61.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <redacted>
Platform                      Linux <redacted> 4.18.0-80.1.2.el8_0.x86_64 #1 SMP
                              Sun Apr 28 09:21:22 UTC 2019 x86_64 x86_64
Alert Count                   4
First Seen                    2019-06-18 15:29:42 CEST
Last Seen                     2019-06-18 15:29:42 CEST
Local ID                      ee6df0d5-5c48-4b25-a2ff-1ca0c42ab87b

Raw Audit Messages
type=AVC msg=audit(1560864582.306:23): avc:  denied  { write } for  pid=1167 comm="ip" path="/var/log/vmware-imc/toolsDeployPkg.log" dev="dm-4" ino=23119 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:vmware_log_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1560864582.306:23): arch=x86_64 syscall=execve success=yes exit=0 a0=5585ddd3c790 a1=5585ddcea120 a2=5585dd622e80 a3=8 items=0 ppid=1106 pid=1167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ip exe=/usr/sbin/ip subj=system_u:system_r:ifconfig_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID=unset UID=root GID=root EUID=root SUID=root FSUID=root EGID=root SGID=root FSGID=root

Hash: ip,ifconfig_t,vmware_log_t,file,write
Comment 1 Lukas Vrabec 2019-07-24 13:07:21 UTC 
Hi Daniele, 

Do you have any idea why would ip command write to "/var/log/vmware-imc/toolsDeployPkg.log" ? This doesn't looks like to me that should be enabled by default. Could you please describe what's going on that machine? 

Thanks,
Lukas.
Comment 2 daniele.raffo@vd.ch 2019-07-25 11:28:06 UTC 
There's not much to say.  It's just a fresh RHEL 8 install on a test VM, configured with user authentication (via sssd) from a remote LDAP server.
The package open-vm-tools is installed (v10.3.0-2.el8).
Comment 8 RHEL Program Management 2021-02-01 07:41:34 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 9 Renaud Métrich 2022-03-02 13:25:03 UTC 
I would like to reopen this because this AVC is just annoying.
Currently, ifconfig_t has a dontaudit rule against writing to var_log_t:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch --dontaudit -s ifconfig_t -c file -p write | grep log
dontaudit domain xserver_log_t:file { append getattr ioctl lock read write };
dontaudit ifconfig_t xend_var_log_t:file write;
dontaudit systemprocess var_log_t:file { append getattr ioctl lock read write };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

and ifconfig_t is not able to write to any log file:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s ifconfig_t -c file -p write | grep log
--> nothing
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

As such ifconfig_t should have a dontaudit rule to ignore all writes to "logfile" attribute instead since "vmware_log_t" is part of "logfile".

Side note: why do we have this behaviour anyway? What is the risk with "ifconfig_t" being able to append/write to log files???
Comment 11 Renaud Métrich 2022-03-03 07:26:24 UTC 
Proposed module in case we want to allow ifconfig_t to append to logs:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
policy_module(ifconfig_append_logs, 1.0)

gen_require(`
    type ifconfig_t;
')

logging_append_all_logs(ifconfig_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Comment 12 Zdenek Pytela 2022-05-17 19:09:38 UTC 
Commit to backport:

commit 2f909f93138b6b66f8a6bc62afdbe5598da00f29
Author: Lukas Vrabec <lvrabec>
Date:   Thu Jul 25 16:22:22 2019 +0200

    Allow ifconfig_t domain to manage vmware logs
Comment 19 errata-xmlrpc 2022-11-08 10:43:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691
Note You need to log in before you can comment on or make changes to this bug.