Bug 1808736 - the lttng-sessiond service triggers SELinux denials
Summary: the lttng-sessiond service triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-02-29 19:36 UTC by Milos Malik
Modified: 2020-05-26 03:12 UTC (History)
7 users

Fixed In Version: selinux-policy-3.14.5-39.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-26 03:12:46 UTC
Type: Bug



Description Milos Malik 2020-02-29 19:36:38 UTC
Description of problem:

Version-Release number of selected component (if applicable):
lttng-tools-2.11.1-1.fc32.x86_64
lttng-ust-2.11.0-4.fc32.x86_64
selinux-policy-3.14.5-28.fc32.noarch
selinux-policy-devel-3.14.5-28.fc32.noarch
selinux-policy-targeted-3.14.5-28.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32 machine (targeted policy is active)
2. start the lttng-sessiond service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/29/2020 14:05:20.752:373) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:05:20.752:373) : item=0 name=/dev/random inode=10536 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:05:20.752:373) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:05:20.752:373) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7feaf62ad034 a1=R_OK a2=0x7ffec15e0320 a3=0x7ffec15e0180 items=1 ppid=1 pid=5502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:20.752:373) : avc:  denied  { read } for  pid=5502 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0 
----
type=PROCTITLE msg=audit(02/29/2020 14:05:30.592:387) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=PATH msg=audit(02/29/2020 14:05:30.592:387) : item=0 name=/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.alias.bin inode=393521 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:modules_dep_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:05:30.592:387) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:05:30.592:387) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffe9b2d7f30 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=6080 pid=6084 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:30.592:387) : avc:  denied  { read } for  pid=6084 comm=modprobe name=modules.alias.bin dev="vda1" ino=393521 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(02/29/2020 14:05:30.594:388) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:05:30.594:388) : item=0 name=/var/run/lttng/sessiond-notification inode=33825 dev=00:19 mode=socket,660 ouid=root ogid=tracing rdev=00:00 obj=system_u:object_r:lttng_sessiond_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:05:30.594:388) : cwd=/ 
type=SOCKADDR msg=audit(02/29/2020 14:05:30.594:388) : saddr={ saddr_fam=local path=/var/run/lttng/sessiond-notification } 
type=SYSCALL msg=audit(02/29/2020 14:05:30.594:388) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x30 a1=0x7f694881a8b0 a2=0x6e a3=0x6f items=1 ppid=6079 pid=6080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:30.594:388) : avc:  denied  { connectto } for  pid=6080 comm=lttng-sessiond path=/run/lttng/sessiond-notification scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:system_r:lttng_sessiond_t:s0 tclass=unix_stream_socket permissive=0 
----
type=PROCTITLE msg=audit(02/29/2020 14:05:30.595:389) : proctitle=/usr/bin/lttng-sessiond -d 
type=MMAP msg=audit(02/29/2020 14:05:30.595:389) : fd=49 flags=MAP_SHARED 
type=SYSCALL msg=audit(02/29/2020 14:05:30.595:389) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=6079 pid=6080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:05:30.595:389) : avc:  denied  { map } for  pid=6080 comm=lttng-sessiond path=/dev/shm/lttng-ust-wait-8 dev="tmpfs" ino=32970 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:lttng_sessiond_tmpfs_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-02-29 19:40:20 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.488:421) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:38:07.488:421) : item=0 name=/dev/random inode=10536 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:07.488:421) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:38:07.488:421) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f6143f7e034 a1=R_OK a2=0x7ffebe248000 a3=0x7ffebe247e60 items=1 ppid=1 pid=14984 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.488:421) : avc:  denied  { read } for  pid=14984 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.497:422) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=PATH msg=audit(02/29/2020 14:38:07.497:422) : item=0 name=/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep inode=393522 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:modules_dep_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:07.497:422) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:38:07.497:422) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffff9c a1=0x7ffc53e96800 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=14985 pid=14989 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.497:422) : avc:  denied  { open } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/29/2020 14:38:07.497:422) : avc:  denied  { read } for  pid=14989 comm=modprobe name=modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.498:423) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=SYSCALL msg=audit(02/29/2020 14:38:07.498:423) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x4 a1=0x7ffc53e96490 a2=0x7ffc53e96490 a3=0x0 items=0 ppid=14985 pid=14989 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.498:423) : avc:  denied  { getattr } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep dev="vda1" ino=393522 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.498:424) : proctitle=/sbin/modprobe lttng-ring-buffer-client-discard 
type=MMAP msg=audit(02/29/2020 14:38:07.498:424) : fd=4 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(02/29/2020 14:38:07.498:424) : arch=x86_64 syscall=mmap success=yes exit=139953097527296 a0=0x0 a1=0x8a1f8 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=14985 pid=14989 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.498:424) : avc:  denied  { map } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.dep.bin dev="vda1" ino=393519 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.499:425) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:38:07.499:425) : item=0 name=/var/run/lttng/sessiond-notification inode=42428 dev=00:19 mode=socket,660 ouid=root ogid=tracing rdev=00:00 obj=system_u:object_r:lttng_sessiond_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:07.499:425) : cwd=/ 
type=SOCKADDR msg=audit(02/29/2020 14:38:07.499:425) : saddr={ saddr_fam=local path=/var/run/lttng/sessiond-notification } 
type=SYSCALL msg=audit(02/29/2020 14:38:07.499:425) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x31 a1=0x7f6133ffe8b0 a2=0x6e a3=0x6f items=1 ppid=14984 pid=14985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.499:425) : avc:  denied  { connectto } for  pid=14985 comm=lttng-sessiond path=/run/lttng/sessiond-notification scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:system_r:lttng_sessiond_t:s0 tclass=unix_stream_socket permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:07.500:426) : proctitle=/usr/bin/lttng-sessiond -d 
type=MMAP msg=audit(02/29/2020 14:38:07.500:426) : fd=52 flags=MAP_SHARED 
type=SYSCALL msg=audit(02/29/2020 14:38:07.500:426) : arch=x86_64 syscall=mmap success=yes exit=140055729643520 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=14984 pid=14985 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:07.500:426) : avc:  denied  { map } for  pid=14985 comm=lttng-sessiond path=/dev/shm/lttng-ust-wait-8 dev="tmpfs" ino=32970 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:lttng_sessiond_tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(02/29/2020 14:38:13.342:429) : proctitle=/usr/bin/lttng-sessiond -d 
type=PATH msg=audit(02/29/2020 14:38:13.342:429) : item=0 name=/dev/random inode=10536 dev=00:06 mode=character,666 ouid=root ogid=root rdev=01:08 obj=system_u:object_r:random_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/29/2020 14:38:13.342:429) : cwd=/ 
type=SYSCALL msg=audit(02/29/2020 14:38:13.342:429) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fb10eb3b034 a1=R_OK a2=0x7ffec8ae6320 a3=0x7ffec8ae6180 items=1 ppid=1 pid=15581 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lttng-sessiond exe=/usr/bin/lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0 key=(null) 
type=AVC msg=audit(02/29/2020 14:38:13.342:429) : avc:  denied  { read } for  pid=15581 comm=lttng-sessiond name=random dev="devtmpfs" ino=10536 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=1 
----

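The records above are raw audit output; what a policy maintainer actually needs from them is the set of (source type, target type, class, permissions) tuples, merged across records, so that each can be turned into an allow rule or rejected as something the service should not be doing. The following script is an added example (not code from the reporter or the selinux-policy project) that does that triage over AVC lines copied from this report and trimmed to the fields the parser reads; it assumes the standard `ausearch -i` record layout seen above and the `user:role:type[:range]` context format.

```python
"""Triage SELinux AVC denials from an audit log and derive the allow rules
they imply (the same idea as audit2allow, written out so each step is
visible). Added example; not part of the bug report or the selinux-policy
project. Assumes ausearch -i style records as shown in the report."""
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the bug report above and trimmed
# to the fields this parser reads, plus one SYSCALL record to show that
# non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(02/29/2020 14:05:20.752:373) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) comm=lttng-sessiond subj=system_u:system_r:lttng_sessiond_t:s0
type=AVC msg=audit(02/29/2020 14:05:20.752:373) : avc:  denied  { read } for  pid=5502 comm=lttng-sessiond name=random scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(02/29/2020 14:05:30.592:387) : avc:  denied  { read } for  pid=6084 comm=modprobe name=modules.alias.bin scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/29/2020 14:05:30.594:388) : avc:  denied  { connectto } for  pid=6080 comm=lttng-sessiond path=/run/lttng/sessiond-notification scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:system_r:lttng_sessiond_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(02/29/2020 14:05:30.595:389) : avc:  denied  { map } for  pid=6080 comm=lttng-sessiond path=/dev/shm/lttng-ust-wait-8 scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:lttng_sessiond_tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/29/2020 14:38:07.497:422) : avc:  denied  { open } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/29/2020 14:38:07.498:423) : avc:  denied  { getattr } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.softdep scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/29/2020 14:38:07.498:424) : avc:  denied  { map } for  pid=14989 comm=modprobe path=/usr/lib/modules/5.6.0-0.rc2.git0.1.fc32.x86_64/modules.dep.bin scontext=system_u:system_r:lttng_sessiond_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=1
"""

# One regex for the fields we need; everything between them is skipped lazily.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"comm=(?P<comm>\S+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return a dict for AVC denials, None otherwise."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m.group("comm"),
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the kernel logged the denial but let the call through
        "permissive": m.group("permissive") == "1",
    }


def collect(text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return needed


def allow_rules(needed):
    """Render the merged denials as SELinux TE allow rules, sorted for review."""
    rules = []
    for (stype, ttype, tclass), perms in needed.items():
        # A denial whose target context equals the source domain is written as `self`
        target = "self" if ttype == stype else ttype
        if len(perms) == 1:
            perm_str = next(iter(perms))
        else:
            perm_str = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return sorted(rules)


def blocked_in_enforcing(text):
    """Only denials with permissive=0 actually failed the service's syscall."""
    return [r for r in map(parse_avc, text.splitlines()) if r and not r["permissive"]]


if __name__ == "__main__":
    for rule in allow_rules(collect(SAMPLE_AUDIT)):
        print(rule)
    print(f"{len(blocked_in_enforcing(SAMPLE_AUDIT))} denials blocked the service in enforcing mode")
```

Run against the sample, the script reduces eleven records to four rules: `modules_dep_t:file { getattr map open read }`, `random_device_t:chr_file read`, `lttng_sessiond_tmpfs_t:file map` and `self:unix_stream_socket connectto`, which is the same set of permissions the commit in comment 3 describes. The merge step matters because enforcing mode stops at the first failed call (here `read` on modules.alias.bin), while the permissive run in comment 1 exposes the `open`, `getattr` and `map` accesses that follow it; collecting both runs before writing rules avoids a fix that moves the failure one syscall later. The output is a review list, not something to load as-is: each rule should be checked against what the daemon legitimately does, which is why this kind of fix belongs in the distribution policy rather than in a locally generated module.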
Comment 2 Richard Fiľo 2020-05-13 16:32:55 UTC
It should be fixed in the selinux-policy package.

Link to PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/245

Comment 3 Lukas Vrabec 2020-05-15 11:38:27 UTC
commit f2f4cfc80091299dd5eb58748032535d752853eb (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo@redhat.com>
Date:   Wed May 13 13:51:36 2020 +0200

    Add allow rules for lttng-sessiond domain
    
    Allow lttng-sessiond domain to map files labeled lttng_sessiond_tmpfs_t,
    to connect to unix stream sockets,
    to read from random number generator devices
    and to read the dependencies of kernel modules.
    
    fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1808736


Backported to F32.

Comment 4 Fedora Update System 2020-05-20 11:52:37 UTC
FEDORA-2020-886cc9af08 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

Comment 5 Fedora Update System 2020-05-21 05:23:24 UTC
FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-886cc9af08`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-886cc9af08

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-05-26 03:12:46 UTC
FEDORA-2020-886cc9af08 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

