Bug 1836820

Summary: avc: denied { read } for pid=1 comm="systemd" name="slapd-test"
Product: Red Hat Enterprise Linux 8
Reporter: Steeve Goveas <sgoveas>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.3
CC: amore, lvrabec, mmalik, mupadhye, pasik, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.3
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2020-11-04 01:56:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1842946

Description Steeve Goveas 2020-05-18 09:06:55 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.3-43.el8.noarch
----
time->Mon May 18 03:19:23 2020
type=PROCTITLE msg=audit(1589786363.431:1692): proctitle=2F7573722F6C69622F73797374656D642F73797374656D64002D2D73776974636865642D726F6F74002D2D73797374656D002D2D646573657269616C697A65003136
type=SYSCALL msg=audit(1589786363.431:1692): arch=c000003e syscall=257 success=no exit=-13 a0=14 a1=7f2650008d33 a2=f0800 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1589786363.431:1692): avc:  denied  { read } for  pid=1 comm="systemd" name="slapd-test" dev="vda3" ino=8715292 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2020-05-19 11:07:44 UTC
Steve, 

What are the reproducing steps to trigger this denial? I see an attempt to access the "slapd-test" file; is this a result of some customizations?

Comment 2 Steeve Goveas 2020-05-26 09:21:52 UTC
Hi Zdenek,

slapd-test is the 389ds instance name. It can be reproduced by removing the instance.
remove-ds.pl -i slapd-test

Comment 4 Zdenek Pytela 2020-06-11 16:53:09 UTC
Steeve,

Unfortunately I cannot reproduce this issue and the bugzilla description does not contain enough information or reproducing steps. Could you please share the scenario and other information as indicated in the bugzilla template (packages version)?
Apart from the denial, did you notice any actual problem?

It would also be helpful to gather all possible additional AVC denials:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Add the following line at the end of the file:
-w /etc/shadow -p w
3) Restart the audit daemon:
  # service auditd restart
4) Set the system into SELinux permissive mode:
  # setenforce 0
5) Re-run your scenario.
6) Undo setenforce:
  # setenforce 1
7) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts recent

Comment 6 Madhuri 2020-06-18 09:27:34 UTC
By mistake, I added steps which were executed on the client.
Correcting it:

Version:
[root@ci-vm-10-0-106-167 ~]# rpm -qa | grep 389
python3-lib389-1.4.3.8-3.module+el8.3.0+6935+6f68b788.noarch
389-ds-base-1.4.3.8-3.module+el8.3.0+6935+6f68b788.x86_64
389-ds-base-legacy-tools-1.4.3.8-3.module+el8.3.0+6935+6f68b788.x86_64
389-ds-base-libs-1.4.3.8-3.module+el8.3.0+6935+6f68b788.x86_64


1) Add the following line at the end of the file:
-w /etc/shadow -p w

[root@ci-vm-10-0-107-60 ~]# cat /etc/audit/rules.d/audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1
-w /etc/shadow -p w

2) Restart the audit daemon:
[root@ci-vm-10-0-107-60 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

3) Set the system into SELinux permissive mode:
[root@ci-vm-10-0-107-60 ~]# setenforce 0
[root@ci-vm-10-0-107-60 ~]# getenforce 
Permissive


4) Now stopping the slapd instance and checking in permissive mode:

----
type=PROCTITLE msg=audit(06/18/2020 04:54:13.172:2280) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize 16 
type=PATH msg=audit(06/18/2020 04:54:13.172:2280) : item=1 name=slapd-example1 inode=67112785 dev=fc:03 mode=dir,755 ouid=nobody ogid=nobody rdev=00:00 obj=system_u:object_r:dirsrv_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 04:54:13.172:2280) : item=0 name=/ inode=42000915 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 04:54:13.172:2280) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 04:54:13.172:2280) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x15 a1=0x7f0ee8008d33 a2=0x200 a3=0x0 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 04:54:13.172:2280) : avc:  denied  { rmdir } for  pid=1 comm=systemd name=slapd-example1 dev="vda3" ino=67112785 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=1

Also tried to remove the directory server instance:

----
type=PROCTITLE msg=audit(06/18/2020 05:05:58.947:2289) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize 16 
type=PATH msg=audit(06/18/2020 05:05:58.947:2289) : item=1 name=slapd-example1 inode=109055977 dev=fc:03 mode=dir,755 ouid=nobody ogid=nobody rdev=00:00 obj=system_u:object_r:dirsrv_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/18/2020 05:05:58.947:2289) : item=0 name=/ inode=83889672 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/18/2020 05:05:58.947:2289) : cwd=/ 
type=SYSCALL msg=audit(06/18/2020 05:05:58.947:2289) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x14 a1=0x7f0ee8008d33 a2=0x200 a3=0x0 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/18/2020 05:05:58.947:2289) : avc:  denied  { rmdir } for  pid=1 comm=systemd name=slapd-example1 dev="vda3" ino=109055977 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0 


I can reproduce it, please let me know if you need machine access or anything else.

Comment 7 Zdenek Pytela 2020-06-18 11:45:01 UTC
Hi,

Is systemd PrivateTmp feature in place?

Comment 8 Madhuri 2020-06-18 12:23:19 UTC
(In reply to Zdenek Pytela from comment #7)
> Hi,
> 
> Is systemd PrivateTmp feature in place?

How do I check this?

Comment 9 Zdenek Pytela 2020-06-18 12:30:21 UTC
In the service unit file.

  $ systemctl cat servicename

Comment 10 Madhuri 2020-06-18 13:14:55 UTC
The Value of PrivateTmp is On

[root@ci-vm-10-0-106-22 ~]# systemctl cat dirsrv@service | grep  PrivateTmp
PrivateTmp=on
#PrivateTmp=yes

Comment 11 Zdenek Pytela 2020-06-18 13:27:46 UTC
Thanks. I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/273

Comment 14 Zdenek Pytela 2020-06-22 06:56:58 UTC
Steve,

The second denial, similar to those in c#6, will be allowed in the next build. For remove_name, we need to update the ruleset.

Comment 19 Steeve Goveas 2020-06-26 18:16:55 UTC
AVC denials with the latest version as well:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.3-46.el8.noarch
----
time->Fri Jun 26 13:58:54 2020
type=PROCTITLE msg=audit(1593194334.538:1645): proctitle=2F7573722F6C69622F73797374656D642F73797374656D64002D2D73776974636865642D726F6F74002D2D73797374656D002D2D646573657269616C697A65003137
type=SYSCALL msg=audit(1593194334.538:1645): arch=c000003e syscall=263 success=no exit=-13 a0=32 a1=7f7d64010e93 a2=0 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1593194334.538:1645): avc:  denied  { remove_name } for  pid=1 comm="systemd" name="CA20certificate.pem" dev="vda3" ino=41948875 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
----
time->Fri Jun 26 13:58:54 2020
type=PROCTITLE msg=audit(1593194334.538:1646): proctitle=2F7573722F6C69622F73797374656D642F73797374656D64002D2D73776974636865642D726F6F74002D2D73797374656D002D2D646573657269616C697A65003137
type=SYSCALL msg=audit(1593194334.538:1646): arch=c000003e syscall=263 success=no exit=-13 a0=32 a1=7f7d64010ebb a2=0 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1593194334.538:1646): avc:  denied  { remove_name } for  pid=1 comm="systemd" name="Server-Cert.pem" dev="vda3" ino=41948876 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
----
time->Fri Jun 26 13:58:54 2020
type=PROCTITLE msg=audit(1593194334.538:1647): proctitle=2F7573722F6C69622F73797374656D642F73797374656D64002D2D73776974636865642D726F6F74002D2D73797374656D002D2D646573657269616C697A65003137
type=SYSCALL msg=audit(1593194334.538:1647): arch=c000003e syscall=263 success=no exit=-13 a0=32 a1=7f7d64010ee3 a2=0 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1593194334.538:1647): avc:  denied  { remove_name } for  pid=1 comm="systemd" name="Server-Cert-Key.pem" dev="vda3" ino=41948877 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
----
time->Fri Jun 26 13:58:54 2020
type=PROCTITLE msg=audit(1593194334.538:1648): proctitle=2F7573722F6C69622F73797374656D642F73797374656D64002D2D73776974636865642D726F6F74002D2D73797374656D002D2D646573657269616C697A65003137
type=SYSCALL msg=audit(1593194334.538:1648): arch=c000003e syscall=263 success=no exit=-13 a0=30 a1=7f7d64008d33 a2=200 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1593194334.538:1648): avc:  denied  { rmdir } for  pid=1 comm="systemd" name="slapd-test" dev="vda3" ino=41948874 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
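
The procedure in comment 4 collects denials with ausearch, and comments 6 and 19 post the records it produces. Together with comments 7 to 14 they show what is going on: with PrivateTmp=on, systemd (pid 1, domain init_t) tears down the service's private /tmp tree when the dirsrv@ instance is stopped or removed, and because the files and directory under it are labelled dirsrv_tmp_t, init_t needs read, remove_name and rmdir on that type. The Python below is an added example, not code from the bug report or from the selinux-policy project: it parses AVC records in both the raw audit.log form and the `ausearch -i` form, separates denials that were actually blocked (permissive=0) from ones only logged in permissive mode, and aggregates them into the allow-rule candidates audit2allow would print. The sample input is copied from the denials posted in this report; the field names and the aggregation mirror what audit2allow does, but the script is a stand-alone illustration, not a replacement for it.

```python
"""Parse SELinux AVC denial records from audit.log / ausearch output and
aggregate them into the allow-rule candidates that audit2allow would print.
Added example; not code from the bug report or from selinux-policy."""
import re
from collections import defaultdict

# The denial itself: "avc:  denied  { perm [perm ...] } for  key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; raw audit.log quotes some values (comm="systemd") while
# `ausearch -i` output does not (comm=systemd), so accept both forms.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a record for one AVC denial line, or None for any other line."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "scontext": kv.get("scontext", ""),
        "tcontext": kv.get("tcontext", ""),
        "tclass": kv.get("tclass", ""),
        "comm": kv.get("comm", ""),
        "name": kv.get("name", ""),
        # permissive=0: the access was actually blocked.
        # permissive=1: logged only (setenforce 0 or a permissive domain).
        "enforced": kv.get("permissive") == "0",
    }


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_log(text):
    """Parse every AVC denial in a block of audit output; other records are skipped."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def aggregate(records):
    """Group denied permissions by (source type, target type, object class),
    the same grouping audit2allow uses to emit one allow rule per triple."""
    agg = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        agg[key] |= r["perms"]
    return dict(agg)


def allow_rules(agg):
    """Render each aggregated triple as a Type Enforcement allow rule."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(agg.items())
    ]


# Sample input copied from the denials posted in this report: raw audit.log
# form (description, comment 19) and `ausearch -i` form (comment 6).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1589786363.431:1692): arch=c000003e syscall=257 success=no exit=-13 a0=14 a1=7f2650008d33 a2=f0800 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1589786363.431:1692): avc:  denied  { read } for  pid=1 comm="systemd" name="slapd-test" dev="vda3" ino=8715292 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(06/18/2020 04:54:13.172:2280) : avc:  denied  { rmdir } for  pid=1 comm=systemd name=slapd-example1 dev="vda3" ino=67112785 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(06/18/2020 05:05:58.947:2289) : avc:  denied  { rmdir } for  pid=1 comm=systemd name=slapd-example1 dev="vda3" ino=109055977 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1593194334.538:1645): avc:  denied  { remove_name } for  pid=1 comm="systemd" name="CA20certificate.pem" dev="vda3" ino=41948875 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1593194334.538:1646): avc:  denied  { remove_name } for  pid=1 comm="systemd" name="Server-Cert.pem" dev="vda3" ino=41948876 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1593194334.538:1647): avc:  denied  { remove_name } for  pid=1 comm="systemd" name="Server-Cert-Key.pem" dev="vda3" ino=41948877 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1593194334.538:1648): avc:  denied  { rmdir } for  pid=1 comm="systemd" name="slapd-test" dev="vda3" ino=41948874 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dirsrv_tmp_t:s0 tclass=dir permissive=0
"""


def report(text):
    """Summarise audit output: denial counts, names touched, candidate rules."""
    recs = parse_log(text)
    return {
        "denials": len(recs),
        "blocked": sum(1 for r in recs if r["enforced"]),
        "names": sorted({r["name"] for r in recs}),
        "rules": allow_rules(aggregate(recs)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_AUDIT).items():
        print(f"{key}: {value}")
```

Run against the sample it reports seven denials, six of them blocked (the comment 6 record taken in permissive mode is the seventh), and a single candidate rule, `allow init_t dirsrv_tmp_t:dir { read remove_name rmdir };`. That rule is what a local workaround module built with audit2allow, checkmodule and semodule would contain; it is not the shipped fix, which (per comments 11 and 14) went into the policy's interface ruleset and reached RHEL 8 with selinux-policy-3.14.3-47.el8 and the errata linked at the end of this bug. Before installing any generated allow rule, check whether the denial is really a missing rule rather than a labelling problem (`ls -Z` on the object, `restorecon -nv` to see what the file contexts say it should be), since a blanket allow for a mislabelled object widens what the source domain can touch.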

Comment 20 Steeve Goveas 2020-06-29 13:04:24 UTC
Moving it back to ASSIGNED as we still see the same AVC errors.

Comment 21 Zdenek Pytela 2020-06-29 14:12:06 UTC
(In reply to Steeve Goveas from comment #19)
> avc denials with the latest version as well
> 
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     actual (secure)
> Max kernel policy version:      32
> selinux-policy-3.14.3-46.el8.noarch
Steve,

This is not the latest selinux-policy package build. Please use selinux-policy-3.14.3-47.el8.noarch for testing.

Comment 22 Zdenek Pytela 2020-06-29 14:16:08 UTC
Steve, I am sorry, I see the problem now.

Comment 33 errata-xmlrpc 2020-11-04 01:56:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528