Bug 1765077 - init.d scripts not allowed to create files in /var/log/
Summary: init.d scripts not allowed to create files in /var/log/
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-10-24 10:04 UTC by Tomas Hofman
Modified: 2019-12-11 16:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-11 15:12:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | JBEAP-17752 | 0 | Critical | New | Default settings of jboss-eap-rhel.sh doesn't work on RHEL8 | 2020-11-13 08:38:41 UTC

Description Tomas Hofman 2019-10-24 10:04:36 UTC
Description of problem:

The init.d script that we provide with JBoss EAP fails, because it's denied permission to create log file /var/log/jboss-eap/console.log:

https://github.com/jbossas/jboss-eap7/blob/EAP_7.2.5.CR1-dev/feature-pack/src/main/resources/content/bin/init.d/jboss-eap-rhel.sh#L104

The directory /var/log/jboss-eap is however created successfully.


The init script starts to work after installing the following SELinux policy:

#---
module my-jbosseaprhel 1.0;

require {
	type var_log_t;
	type init_t;
	class file create;
}

allow init_t var_log_t:file create;
#---

Now the question I'm not sure about is: should this be allowed by default, or is it intentional that the init process can't create files in /var/log?


How reproducible:

Always.

Steps to Reproduce:

* On a clean RHEL 8 installation, download jboss-eap: http://download.eng.brq.redhat.com/released/JBoss-middleware/eap7/7.2.4/jboss-eap-7.2.4.zip
* unzip and copy to /opt/jboss-eap
* copy /opt/jboss-eap/bin/init.d/jboss-eap-rhel.sh to /etc/init.d/
* copy /opt/jboss-eap/bin/init.d/jboss-eap.conf to /etc/default/
* run `chkconfig --add jboss-eap-rhel.sh`
* run `service jboss-eap-rhel start`

Actual results:

Service fails with:

"
Job for jboss-eap-rhel.service failed because the service did not take the steps required by its unit configuration.
See "systemctl status jboss-eap-rhel.service" and "journalctl -xe" for details.
"

Expected results:

Service is started successfully.

Additional info:

[root@ibm-p8-kvm-03-guest-02 ~]# systemctl status jboss-eap-rhel.service
● jboss-eap-rhel.service - SYSV: JBoss EAP startup script
   Loaded: loaded (/etc/rc.d/init.d/jboss-eap-rhel.sh; generated)
   Active: failed (Result: protocol) since Thu 2019-10-24 05:56:42 EDT; 8s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 27142 ExecStart=/etc/rc.d/init.d/jboss-eap-rhel.sh start (code=exited, status=0/SUCCESS)

Oct 24 05:56:10 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Starting SYSV: JBoss EAP startup script...
Oct 24 05:56:11 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: Starting jboss-eap: /etc/rc.d/init.d/jboss-eap-rhel.sh: line 104: /var/log/jboss-eap/console.log: Permission den>
Oct 24 05:56:11 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: /etc/rc.d/init.d/jboss-eap-rhel.sh: line 113: /var/log/jboss-eap/console.log: Permission denied
Oct 24 05:56:11 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: /
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: jboss-eap started with errors, please see server log for details
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com jboss-eap-rhel.sh[27142]: [  OK  ]
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: jboss-eap-rhel.service: Can't open PID file /var/run/jboss-eap/jboss-eap.pid (yet?) after start: No such file or directory
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: jboss-eap-rhel.service: Failed with result 'protocol'.
Oct 24 05:56:42 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Failed to start SYSV: JBoss EAP startup script.



[root@ibm-p8-kvm-03-guest-02 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent
----
type=PROCTITLE msg=audit(24/10/19 05:56:10.999:327) : proctitle=/bin/sh /etc/rc.d/init.d/jboss-eap-rhel.sh start 
type=SYSCALL msg=audit(24/10/19 05:56:10.999:327) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563a645c2f40 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=27142 pid=27152 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jboss-eap-rhel. exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(24/10/19 05:56:10.999:327) : avc:  denied  { create } for  pid=27152 comm=jboss-eap-rhel. name=console.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(24/10/19 05:56:11.007:328) : proctitle=/bin/sh /etc/rc.d/init.d/jboss-eap-rhel.sh start 
type=SYSCALL msg=audit(24/10/19 05:56:11.007:328) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x563a645c64a0 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=0 ppid=1 pid=27142 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=jboss-eap-rhel. exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(24/10/19 05:56:11.007:328) : avc:  denied  { create } for  pid=27142 comm=jboss-eap-rhel. name=console.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 



[root@ibm-p8-kvm-03-guest-02 ~]# matchpathcon /var/log/jboss-eap /var/log/jboss-eap/console.log
/var/log/jboss-eap	system_u:object_r:var_log_t:s0
/var/log/jboss-eap/console.log	system_u:object_r:var_log_t:s0



[root@ibm-p8-kvm-03-guest-02 ~]# ls -ldZ /var/log/jboss-eap
drwxr-xr-x. 2 root root system_u:object_r:var_log_t:s0 6 Oct 24 05:56 /var/log/jboss-eap

Comment 1 Tomas Hofman 2019-10-24 10:12:44 UTC
Related JBoss EAP issue is https://issues.jboss.org/browse/JBEAP-17752

Comment 2 Lukas Vrabec 2019-10-24 14:27:55 UTC
Tomas, 

What is the SELinux context of /etc/init.d/jboss-eap-rhel.sh?

# ls -Z /etc/init.d/jboss-eap-rhel.sh

If it's not bin_t, please run:

# chcon -t bin_t /etc/init.d/jboss-eap-rhel.sh

and try to restart the service.

Comment 3 Tomas Hofman 2019-10-24 17:19:07 UTC
Yes, that did the trick. It was etc_t, not bin_t. The service starts after fixing this. I will suggest updating EAP docs.

[root@ibm-p8-kvm-03-guest-02 ~]# ls -Z /etc/init.d/jboss-eap-rhel.sh 
unconfined_u:object_r:etc_t:s0 /etc/init.d/jboss-eap-rhel.sh
[root@ibm-p8-kvm-03-guest-02 ~]# chcon -t bin_t /etc/init.d/jboss-eap-rhel.sh
[root@ibm-p8-kvm-03-guest-02 ~]# ls -Z /etc/init.d/jboss-eap-rhel.sh 
unconfined_u:object_r:bin_t:s0 /etc/init.d/jboss-eap-rhel.sh

Thank you!

Comment 4 Lukas Vrabec 2019-10-25 08:12:28 UTC
Tomas, 

What I proposed is just a temporary change. If you would like to update the EAP docs, please propose the following (permanent) solution:

# semanage fcontext -a -t bin_t /etc/init.d/jboss-eap-rhel.sh
# restorecon -v /etc/init.d/jboss-eap-rhel.sh

Thanks,
Lukas.

Comment 5 Tomas Hofman 2019-10-25 09:24:07 UTC
I see, it would be lost during relabeling...

So I'm experimenting a bit more and I noticed that after copying the init script to /etc/init.d/ it has type etc_t, but when I run restorecon on it, without setting fcontext at all, the type changes to initrc_exec_t, and with this type the script runs correctly too.


[root@rama init.d]# cp /opt/jboss-eap/bin/init.d/jboss-eap-rhel.sh ./

[root@rama init.d]# ls -Z -1
        system_u:object_r:bin_t:s0 functions
    unconfined_u:object_r:etc_t:s0 jboss-eap-rhel.sh
system_u:object_r:initrc_exec_t:s0 network
system_u:object_r:initrc_exec_t:s0 README

[root@rama init.d]# restorecon -v jboss-eap-rhel.sh 
Relabeled /etc/rc.d/init.d/jboss-eap-rhel.sh from unconfined_u:object_r:etc_t:s0 to unconfined_u:object_r:initrc_exec_t:s0

[root@rama init.d]# ls -Z -1
            system_u:object_r:bin_t:s0 functions
unconfined_u:object_r:initrc_exec_t:s0 jboss-eap-rhel.sh
    system_u:object_r:initrc_exec_t:s0 network
    system_u:object_r:initrc_exec_t:s0 README


Technically, is initrc_exec_t "more correct" file type than bin_t?

In that case the only command we would need to add after copying the init script is

# restorecon /etc/init.d/jboss-eap-rhel.sh

Is that all right, or is it better to set fcontext explicitly?

Comment 6 Lukas Vrabec 2019-10-25 11:00:13 UTC
Hi Tomas, 

Well, initrc_t comes from RHEL-6. We're trying to keep all services for which we don't have SELinux policy in unconfined_service_t.

The difference is, when systemd labeled as init_t will execute binary labeled as initrc_exec_t, the newly created process (service process) has initrc_t label. 

Here is a record from SELinux policy:
# sesearch -T -s init_t -t initrc_exec_t -c process
type_transition init_t initrc_exec_t:process initrc_t;

But, when you label the binary as bin_t, the situation is different. When systemd labeled as init_t executes a binary labeled as bin_t, the newly created process (service process) has the unconfined_service_t label.

Similar record from policy:
# sesearch -T -s init_t -t bin_t -c process
type_transition init_t bin_t:process unconfined_service_t;

I prefer to keep it as unconfined_service_t.

Thanks,
Lukas.
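The following is an added example, not part of the bug report and not JBoss EAP or selinux-policy code. It ties together the two pieces of evidence in this thread: the AVC records from the description (source domain init_t, target var_log_t, permission create) and the two type_transition rules quoted in comment 6. The audit lines and sesearch lines below are copied from the report (the SYSCALL record shortened to the fields used); the function names, the verdict strings and the triage logic itself are this example's own construction. The point it demonstrates is the defender-side check the thread converges on: if a denial raised by a SysV script carries systemd's own domain (init_t) as scontext, no domain transition happened, so the script file is mislabeled and the fix is a relabel rather than an allow rule like the one first tried in the description.

```python
"""SELinux denial triage for a SysV init script started by systemd.

Added example, not part of the Bugzilla report or of JBoss EAP. The audit
records and the type_transition rules are copied from the report; function
names, verdict strings and the triage logic are this example's own construction.
"""
import re

# Copied from the report's `ausearch -i -m avc ...` output; the SYSCALL record
# is shortened to the fields the parser looks at (constructed sample).
AUSEARCH_OUTPUT = """\
----
type=PROCTITLE msg=audit(24/10/19 05:56:10.999:327) : proctitle=/bin/sh /etc/rc.d/init.d/jboss-eap-rhel.sh start
type=SYSCALL msg=audit(24/10/19 05:56:10.999:327) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=jboss-eap-rhel. exe=/usr/bin/bash subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(24/10/19 05:56:10.999:327) : avc:  denied  { create } for  pid=27152 comm=jboss-eap-rhel. name=console.log scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
----
"""

# Copied from the `sesearch -T` records quoted in comment 6.
SESEARCH_OUTPUT = """\
type_transition init_t initrc_exec_t:process initrc_t;
type_transition init_t bin_t:process unconfined_service_t;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
TRANSITION_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+);")


def context_type(context):
    """Third field of a context: system_u:system_r:init_t:s0 -> init_t."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC record with the fields triage needs."""
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = dict(kv.split("=", 1) for kv in match.group("fields").split() if "=" in kv)
        denials.append({
            "perms": match.group("perms").split(),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
            "name": fields.get("name", ""),
        })
    return denials


def parse_transitions(text):
    """Map (source domain, exec type, class) -> new type from sesearch -T output."""
    rules = {}
    for line in text.splitlines():
        match = TRANSITION_RE.match(line.strip())
        if match:
            source, target, cls, new_type = match.groups()
            rules[(source, target, cls)] = new_type
    return rules


def expected_domain(rules, parent_domain, exec_type):
    """Domain a child gets when parent_domain execs a file labelled exec_type.

    Without a matching type_transition rule the child inherits the parent's
    domain, which is what happened to the script while it was labelled etc_t.
    """
    return rules.get((parent_domain, exec_type, "process"), parent_domain)


def triage(denial, rules, script_type, parent_domain="init_t"):
    """Classify a denial raised while systemd runs a SysV script.

    A source domain equal to the parent's (init_t) means no transition took
    place: the script file is mislabeled and the fix is a relabel, not a new
    allow rule. Any other domain means the service ran confined or as
    unconfined_service_t and the denial is a real policy gap.
    """
    predicted = expected_domain(rules, parent_domain, script_type)
    if predicted != denial["source"]:
        return {"verdict": "unexplained", "domain": denial["source"], "predicted": predicted}
    verdict = "mislabeled-init-script" if denial["source"] == parent_domain else "policy-gap"
    # Domains the service would get under the two labels discussed in the thread.
    options = {t: expected_domain(rules, parent_domain, t) for t in ("initrc_exec_t", "bin_t")}
    return {"verdict": verdict, "domain": denial["source"], "relabel_options": options}


if __name__ == "__main__":
    rules = parse_transitions(SESEARCH_OUTPUT)
    for denial in parse_avc_denials(AUSEARCH_OUTPUT):
        print(denial["comm"], denial["perms"], denial["target"], triage(denial, rules, "etc_t"))
```

Run against the report's own records with the script labelled etc_t, the triage reports "mislabeled-init-script" and lists what each relabel would give: initrc_exec_t yields initrc_t, bin_t yields unconfined_service_t, matching the two outcomes Lukas describes. On a real host the same logic can be fed from `ausearch -i` and `sesearch -T -s init_t -c process` directly.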

Comment 7 Tomas Hofman 2019-12-11 16:11:12 UTC
Thanks for the replies, Lukas!

