Bug 1815603 - the vhostmd service triggers SELinux denial during reboot
Summary: the vhostmd service triggers SELinux denial during reboot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Patrik Koncity
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-20 17:07 UTC by Milos Malik
Modified: 2021-05-18 14:58 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 14:57:35 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description Milos Malik 2020-03-20 17:07:16 UTC
Description of problem:
 * the SELinux denial appears during reboot, but does not appear during start or stop of the service
 * no need to change vhostmd configuration

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-40.el8.noarch
selinux-policy-targeted-3.14.3-40.el8.noarch
vhostmd-1.1-4.el8.x86_64

How reproducible:
 * always during reboot

Steps to Reproduce:
1. get a RHEL-8.2 machine (targeted policy is active)
2. install and enable the vhostmd service
3. reboot
4. search for SELinux denial

Actual results:
----
type=PROCTITLE msg=audit(03/20/2020 12:05:23.096:25) : proctitle=rpm -q --queryformat %{VENDOR}\n libvirt 
type=PATH msg=audit(03/20/2020 12:05:23.096:25) : item=1 name=/var/lib/rpm/.dbenv.lock inode=4214915 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/20/2020 12:05:23.096:25) : item=0 name=/var/lib/rpm/ inode=4214914 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/20/2020 12:05:23.096:25) : cwd=/ 
type=SYSCALL msg=audit(03/20/2020 12:05:23.096:25) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55cf99b1d7b0 a2=O_RDWR|O_CREAT a3=0x1a4 items=2 ppid=754 pid=755 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(03/20/2020 12:05:23.096:25) : avc:  denied  { write } for  pid=755 comm=rpm name=rpm dev="vda1" ino=4214914 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0 
----

Expected results:
 * no SELinux denial

Additional info:
# grep -R rpm /etc/vhostmd/
/etc/vhostmd/vhostmd.conf:        rpm -q --queryformat "%{VENDOR}\n" libvirt | sort -u
#

Comment 1 Milos Malik 2020-03-20 17:11:06 UTC
Actual results (permissive mode):
----
type=PROCTITLE msg=audit(03/20/2020 13:08:42.763:23) : proctitle=rpm -q --queryformat %{VENDOR}\n libvirt 
type=PATH msg=audit(03/20/2020 13:08:42.763:23) : item=1 name=/var/lib/rpm/.dbenv.lock inode=4214915 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(03/20/2020 13:08:42.763:23) : item=0 name=/var/lib/rpm/ inode=4214914 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/20/2020 13:08:42.763:23) : cwd=/ 
type=SYSCALL msg=audit(03/20/2020 13:08:42.763:23) : arch=x86_64 syscall=openat success=yes exit=7 a0=0xffffff9c a1=0x55ba215607b0 a2=O_RDWR|O_CREAT a3=0x1a4 items=2 ppid=747 pid=748 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(03/20/2020 13:08:42.763:23) : avc:  denied  { create } for  pid=748 comm=rpm name=.dbenv.lock scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/20/2020 13:08:42.763:23) : avc:  denied  { add_name } for  pid=748 comm=rpm name=.dbenv.lock scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=1 
type=AVC msg=audit(03/20/2020 13:08:42.763:23) : avc:  denied  { write } for  pid=748 comm=rpm name=rpm dev="vda1" ino=4214914 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=1 
----

Comment 4 Milos Malik 2020-05-07 08:58:08 UTC
Based on the "rpm -q --queryformat %{VENDOR}\n libvirt" command, this SELinux denial is also related:
----
type=PROCTITLE msg=audit(05/07/2020 10:53:40.222:2122) : proctitle=rpm -q --queryformat %{VENDOR}\n libvirt 
type=OBJ_PID msg=audit(05/07/2020 10:53:40.222:2122) : opid=84003 oauid=unset ouid=root oses=-1 obj=system_u:system_r:rpm_t:s0 ocomm=packagekitd 
type=SYSCALL msg=audit(05/07/2020 10:53:40.222:2122) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x14823 a1=SIG0 a2=0x7f93dd84bfc0 a3=0x0 items=0 ppid=84048 pid=84049 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(05/07/2020 10:53:40.222:2122) : avc:  denied  { signull } for  pid=84049 comm=rpm scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process permissive=1 
----

Unfortunately, I don't know how to reproduce it. I just noticed on my VM that it appeared in permissive mode.

Comment 5 Milos Malik 2020-07-16 19:50:23 UTC
During some unrelated testing, I found out that SELinux policy policy already contains the following dontaudit rule:

dontaudit vhostmd_t rpm_var_lib_t:file write;

When dontaudit rules were disabled, following SELinux denial appeared:
----
type=PROCTITLE msg=audit(07/16/2020 17:36:57.345:392) : proctitle=rpm -q --queryformat %{VENDOR}\n libvirt 
type=PATH msg=audit(07/16/2020 17:36:57.345:392) : item=1 name=/var/lib/rpm/.dbenv.lock inode=16797795 dev=08:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(07/16/2020 17:36:57.345:392) : item=0 name=/var/lib/rpm/ inode=16797794 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/16/2020 17:36:57.345:392) : cwd=/ 
type=SYSCALL msg=audit(07/16/2020 17:36:57.345:392) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5574ecbab530 a2=O_RDWR|O_CREAT a3=0x1a4 items=2 ppid=10513 pid=10514 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:vhostmd_t:s0 key=(null) 
type=AVC msg=audit(07/16/2020 17:36:57.345:392) : avc:  denied  { write } for  pid=10514 comm=rpm name=.dbenv.lock dev="sda2" ino=16797795 scontext=system_u:system_r:vhostmd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0 
----

Because this SELinux denial and comment#0 contain the same path /var/lib/rpm/.dbenv.lock, I believe they should either both dontaudited or both allowed.

Comment 7 Patrik Koncity 2021-01-26 10:03:53 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/548

Comment 17 errata-xmlrpc 2021-05-18 14:57:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639


Note You need to log in before you can comment on or make changes to this bug.