Bug 1837461 - avc: denied { search } for comm="rhsmd" dev="proc"
Summary: avc: denied { search } for comm="rhsmd" dev="proc"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.9
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-19 13:53 UTC by Martin Pitt
Modified: 2023-12-15 17:57 UTC
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 19:55:23 UTC
Target Upstream Version:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2020:3925 | 0 | None | None | None | 2020-09-29 19:55:44 UTC

Description Martin Pitt 2020-05-19 13:53:19 UTC
Description of problem: Recent RHEL 7.9 nightly has a regression [1]: Trying to talk to com.redhat.SubscriptionManager now results in 

type=1400 audit(1589782144.166:4): avc:  denied  { search } for  pid=1610 comm="rhsmd" name="2" dev="proc" ino=11917 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0

This then causes rhsmd to crash (full journal at [2]):

May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: Traceback (most recent call last):
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: File "/usr/libexec/rhsmd", line 9, in <module>
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: load_entry_point('subscription-manager==1.24.37', 'console_scripts', 'rhsmd')()
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsm_d.py", line 367, in main
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: if not is_rhsm_icon_running() and not options.keep_alive:
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsm_d.py", line 183, in is_rhsm_icon_running
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: ret = is_process_running('rhsm-icon')
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: File "/usr/lib64/python2.7/site-packages/subscription_manager/utils.py", line 643, in is_process_running
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: for process_name in get_process_names():
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: File "/usr/lib64/python2.7/site-packages/subscription_manager/utils.py", line 632, in get_process_names
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: with open(process_status_file_path) as status:
May 18 02:07:35 localhost.localdomain com.redhat.SubscriptionManager[648]: IOError: [Errno 13] Permission denied: '/proc/2/status'

I'm not sure if rhsmd really needs to look at /proc/2/ -- if so, please reassign to selinux-policy.


Version-Release number of selected component (if applicable):

subscription-manager-1.24.37-1.el7.x86_64
selinux-policy-targeted-3.13.1-267.el7.noarch

[1] https://github.com/cockpit-project/bots/pull/873
[2] https://logs.cockpit-project.org/logs/pull-873-20200518-041004-540fbebf-rhel-7-9-cockpit-project-cockpit-rhel-7.9/TestFirewall-testNetworkingPage-rhel-7-9-127.0.0.2-2301-FAIL.log
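The traceback above shows the crash mechanism: get_process_names() walks every numeric entry in /proc and opens its status file, and a single EACCES (here on /proc/2/status, a kernel thread labelled kernel_t that rhsmcertd_t may not search) aborts the whole scan. The following is an added illustration, not subscription-manager's code or the fix shipped in the erratum: a /proc scanner that treats an inaccessible or vanished entry as "skip this process" rather than as a fatal error. The listdir/open_fn parameters and the fake /proc contents are assumptions made so the example runs offline; on a real host the defaults walk the live /proc.

```python
import errno
import io
import os


def _read_status_name(status_path, open_fn=open):
    """Return the 'Name:' field from a /proc/<pid>/status file, or None."""
    with open_fn(status_path) as status:
        for line in status:
            if line.startswith("Name:"):
                return line.split(":", 1)[1].strip()
    return None


def get_process_names(proc_root="/proc", listdir=os.listdir, open_fn=open):
    """Collect process names from /proc, tolerating entries we may not read.

    EACCES covers the SELinux (or DAC) denial seen in the bug report;
    ENOENT/ESRCH cover processes that exited between listdir() and open().
    Any other OSError is a real fault and is re-raised.
    """
    names = []
    for entry in listdir(proc_root):
        if not entry.isdigit():          # skip self, cpuinfo, sys, ...
            continue
        status_path = os.path.join(proc_root, entry, "status")
        try:
            name = _read_status_name(status_path, open_fn)
        except OSError as exc:
            if exc.errno in (errno.EACCES, errno.ENOENT, errno.ESRCH):
                continue
            raise
        if name:
            names.append(name)
    return names


def is_process_running(process_name, **kw):
    """True if a process with the given comm name is visible in /proc."""
    return process_name in get_process_names(**kw)


# --- constructed fake /proc, modelled on the failure in the report ----------
# PID 2 is readable by listdir() but its status file is denied, exactly the
# "IOError: [Errno 13] Permission denied: '/proc/2/status'" case.
FAKE_STATUS = {
    "/proc/1/status": "Name:\tsystemd\nState:\tS (sleeping)\nPid:\t1\n",
    "/proc/3/status": "Name:\trhsm-icon\nState:\tS (sleeping)\nPid:\t3\n",
}


def fake_listdir(path):
    return ["1", "2", "3", "self", "cpuinfo"]


def fake_open(path):
    if path == "/proc/2/status":
        raise PermissionError(errno.EACCES, "Permission denied", path)
    if path not in FAKE_STATUS:
        raise FileNotFoundError(errno.ENOENT, "No such file or directory", path)
    return io.StringIO(FAKE_STATUS[path])


if __name__ == "__main__":
    # Against the constructed tree: PID 2 is skipped, the scan still completes.
    print(get_process_names(listdir=fake_listdir, open_fn=fake_open))
    # Against the live system (may legitimately skip kernel threads under SELinux).
    print(is_process_running("rhsmd"))
```

The design point is least-privilege friendly: a confined daemon should not need to read every other domain's /proc entry just to answer "is rhsm-icon running?", so the scanner degrades gracefully when policy says no, instead of forcing a policy loosening or crashing the D-Bus service.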

Comment 2 Martin Pitt 2020-05-19 13:57:01 UTC
I know that the com.redhat.SubscriptionManager API is obsolete, I'll backport the cockpit change [1] to move to com.redhat.RHSM1 to our 7.9 branch. But cockpit may not be the only consumer here?

[1] https://github.com/cockpit-project/cockpit/commit/0fc40a9a83f5387f10b9d3eae4aa7f60495a2d6b

Comment 5 Martin Pitt 2020-05-19 17:52:30 UTC
> What is the scope of harm if this BZ is not resolved in this release?

Cockpit's Subscriptions UI is broken due to this. Possibly other consumers of that API.

We noticed that in our latest image refresh, but on second thought this *could* have been broken before -- it's just that until last week, the subscription-manager API was broken because of bug 1823523. That could have shadowed this SELinux violation, as subscription-manager crashed very early on.

Comment 7 Martin Pitt 2020-05-20 09:00:04 UTC
Ack, thanks Jiri. Moving to selinux-policy then. (How did that not come up in testing?)

Comment 8 Milos Malik 2020-05-20 09:42:21 UTC
Appeared on my RHEL-7.9 VM too:
----
type=PROCTITLE msg=audit(05/19/2020 09:12:28.816:839) : proctitle=/usr/bin/python /usr/libexec/rhsmd 
type=PATH msg=audit(05/19/2020 09:12:28.816:839) : item=0 name=/proc/2/status objtype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/19/2020 09:12:28.816:839) :  cwd=/ 
type=SYSCALL msg=audit(05/19/2020 09:12:28.816:839) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x13d4470 a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=16683 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/19/2020 09:12:28.816:839) : avc:  denied  { search } for  pid=16683 comm=rhsmd name=2 dev="proc" ino=12415 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 
----

Comment 9 Milos Malik 2020-05-20 11:06:48 UTC
The above-mentioned SELinux denial can be reproduced using:

# service rhsmcertd status
Redirecting to /bin/systemctl status rhsmcertd.service
● rhsmcertd.service - Enable periodic update of entitlement certificates.
   Loaded: loaded (/usr/lib/systemd/system/rhsmcertd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-05-20 11:39:58 CEST; 1h 17min ago
  Process: 1355 ExecStart=/usr/bin/rhsmcertd (code=exited, status=0/SUCCESS)
 Main PID: 1361 (rhsmcertd)
    Tasks: 1
   CGroup: /system.slice/rhsmcertd.service
           └─1361 /usr/bin/rhsmcertd

May 20 11:39:58 localhost.localdomain systemd[1]: Starting Enable periodic update of entitlement certificates....
May 20 11:39:58 localhost.localdomain systemd[1]: Started Enable periodic update of entitlement certificates..
# subscription-manager list
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
... intentionally shortened ...

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
----
type=PROCTITLE msg=audit(05/20/2020 12:58:09.593:366) : proctitle=/usr/bin/python /usr/libexec/rhsmd 
type=PATH msg=audit(05/20/2020 12:58:09.593:366) : item=0 name=/proc/2/status objtype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/20/2020 12:58:09.593:366) :  cwd=/ 
type=SYSCALL msg=audit(05/20/2020 12:58:09.593:366) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x180a470 a1=O_RDONLY a2=0x1b6 a3=0x24 items=1 ppid=1 pid=4482 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/20/2020 12:58:09.593:366) : avc:  denied  { search } for  pid=4482 comm=rhsmd name=2 dev="proc" ino=11803 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 
----

When running the same reproducer in permissive mode, a lot of SELinux denials are triggered:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today | audit2allow

#============= rhsmcertd_t ==============
allow rhsmcertd_t NetworkManager_t:dir search;
allow rhsmcertd_t NetworkManager_t:file { getattr open read };
allow rhsmcertd_t abrt_watch_log_t:dir search;
allow rhsmcertd_t abrt_watch_log_t:file { getattr open read };
allow rhsmcertd_t accountsd_t:dir search;
allow rhsmcertd_t accountsd_t:file { getattr open read };
allow rhsmcertd_t apmd_t:dir search;
allow rhsmcertd_t apmd_t:file { getattr open read };
allow rhsmcertd_t audisp_t:dir search;
allow rhsmcertd_t audisp_t:file { getattr open read };
allow rhsmcertd_t auditd_t:dir search;
allow rhsmcertd_t auditd_t:file { getattr open read };
allow rhsmcertd_t avahi_t:dir search;
allow rhsmcertd_t avahi_t:file { getattr open read };
allow rhsmcertd_t boltd_t:dir search;
allow rhsmcertd_t boltd_t:file { getattr open read };
allow rhsmcertd_t chronyd_t:dir search;
allow rhsmcertd_t chronyd_t:file { getattr open read };
allow rhsmcertd_t colord_t:dir search;
allow rhsmcertd_t colord_t:file { getattr open read };
allow rhsmcertd_t crond_t:dir search;
allow rhsmcertd_t crond_t:file { getattr open read };
allow rhsmcertd_t cupsd_t:dir search;
allow rhsmcertd_t cupsd_t:file { getattr open read };
allow rhsmcertd_t devicekit_disk_t:dir search;
allow rhsmcertd_t devicekit_disk_t:file { getattr open read };
allow rhsmcertd_t devicekit_power_t:dir search;
allow rhsmcertd_t devicekit_power_t:file { getattr open read };
allow rhsmcertd_t dhcpc_t:dir search;
allow rhsmcertd_t dhcpc_t:file { getattr open read };
allow rhsmcertd_t dnsmasq_t:dir search;
allow rhsmcertd_t dnsmasq_t:file { getattr open read };
allow rhsmcertd_t firewalld_t:dir search;
allow rhsmcertd_t firewalld_t:file { getattr open read };
allow rhsmcertd_t fsdaemon_t:dir search;
allow rhsmcertd_t fsdaemon_t:file { getattr open read };
allow rhsmcertd_t gpm_t:dir search;
allow rhsmcertd_t gpm_t:file { getattr open read };
allow rhsmcertd_t gpsd_t:dir search;
allow rhsmcertd_t gpsd_t:file { getattr open read };
allow rhsmcertd_t gssproxy_t:dir search;
allow rhsmcertd_t gssproxy_t:file { getattr open read };
allow rhsmcertd_t inetd_t:dir search;
allow rhsmcertd_t inetd_t:file { getattr open read };
allow rhsmcertd_t kernel_t:dir search;
allow rhsmcertd_t kernel_t:file { getattr open read };
allow rhsmcertd_t ksmtuned_t:dir search;
allow rhsmcertd_t ksmtuned_t:file { getattr open read };
allow rhsmcertd_t lsmd_t:dir search;
allow rhsmcertd_t lsmd_t:file { getattr open read };
allow rhsmcertd_t lttng_sessiond_t:dir search;
allow rhsmcertd_t lttng_sessiond_t:file { getattr open read };
allow rhsmcertd_t mcelog_t:dir search;
allow rhsmcertd_t mcelog_t:file { getattr open read };
allow rhsmcertd_t modemmanager_t:dir search;
allow rhsmcertd_t modemmanager_t:file { getattr open read };
allow rhsmcertd_t pcscd_t:dir search;
allow rhsmcertd_t pcscd_t:file { getattr open read };
allow rhsmcertd_t policykit_t:dir search;
allow rhsmcertd_t policykit_t:file { getattr open read };
allow rhsmcertd_t restorecond_t:dir search;
allow rhsmcertd_t restorecond_t:file { getattr open read };
allow rhsmcertd_t rhnsd_t:dir search;
allow rhsmcertd_t rhnsd_t:file { getattr open read };
allow rhsmcertd_t rngd_t:dir search;
allow rhsmcertd_t rngd_t:file { getattr open read };
allow rhsmcertd_t rpcbind_t:dir search;
allow rhsmcertd_t rpcbind_t:file { getattr open read };
allow rhsmcertd_t rpm_t:dir search;
allow rhsmcertd_t rpm_t:file { getattr open read };
allow rhsmcertd_t rtkit_daemon_t:dir search;
allow rhsmcertd_t rtkit_daemon_t:file { getattr open read };
allow rhsmcertd_t sendmail_t:dir search;
allow rhsmcertd_t sendmail_t:file { getattr open read };
allow rhsmcertd_t sshd_t:dir search;
allow rhsmcertd_t sshd_t:file { getattr open read };
allow rhsmcertd_t syslogd_t:dir search;
allow rhsmcertd_t syslogd_t:file { getattr open read };
allow rhsmcertd_t systemd_logind_t:dir search;
allow rhsmcertd_t systemd_logind_t:file { getattr open read };
allow rhsmcertd_t tuned_t:dir search;
allow rhsmcertd_t tuned_t:file { getattr open read };
allow rhsmcertd_t udev_t:dir search;
allow rhsmcertd_t udev_t:file { getattr open read };
allow rhsmcertd_t unconfined_service_t:dir search;
allow rhsmcertd_t unconfined_service_t:file { getattr open read };
allow rhsmcertd_t virt_qemu_ga_t:dir search;
allow rhsmcertd_t virt_qemu_ga_t:file { getattr open read };
allow rhsmcertd_t virtd_t:dir search;
allow rhsmcertd_t virtd_t:file { getattr open read };
allow rhsmcertd_t xdm_t:dir search;
allow rhsmcertd_t xdm_t:file { getattr open read };
allow rhsmcertd_t xserver_t:dir search;
allow rhsmcertd_t xserver_t:file { getattr open read };

It seems that the rhsmd process tries to check every running process and it is not using the ps command:

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today | tr ' ' '\n' | grep comm= | sort | uniq -c
    564 comm=rhsmd
#
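The two aggregations shown in this comment (audit2allow's per-domain rule list and the `tr | grep comm= | sort | uniq -c` count) are the core of triaging a denial storm like this one: collapse hundreds of AVC records into (source type, target type, class, permissions) tuples and see which process is responsible. The block below is an added example, not part of the bug report and not audit2allow's implementation: it parses `ausearch -i` style AVC lines and reproduces both views. The sample records are constructed for the example, two copied from the records in this bug and the rest invented to show a second target domain and a second object class.

```python
import re
from collections import defaultdict

# "avc:  denied  { search } for  pid=... comm=rhsmd ... tclass=dir permissive=0"
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values may be bare (comm=rhsmd) or quoted (dev="proc")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {"perms": frozenset(m.group("perms").split()), **fields}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    return rec


def context_type(ctx):
    """user:role:type:range -> type (e.g. rhsmcertd_t)."""
    return ctx.split(":")[2]


def aggregate_rules(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return {k: frozenset(v) for k, v in rules.items()}


def format_rules(rules):
    """Render the groups in audit2allow's 'allow src tgt:class { perms };' form."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append("allow %s %s:%s %s;" % (src, tgt, tclass, perm_str))
    return out


def count_by_comm(lines):
    """Equivalent of the grep comm= | sort | uniq -c pipeline, AVC records only."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[rec.get("comm", "?")] += 1
    return dict(counts)


# Constructed sample: records 1 and 5 mirror the bug's ausearch output, the
# others are invented to show a second class (file) and target domain (crond_t).
SAMPLE = [
    'type=AVC msg=audit(05/20/2020 12:58:09.593:366) : avc:  denied  { search } for  pid=4482 comm=rhsmd name=2 dev="proc" ino=11803 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0 ',
    'type=AVC msg=audit(05/20/2020 12:58:09.601:367) : avc:  denied  { read } for  pid=4482 comm=rhsmd name=status dev="proc" ino=11804 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1 ',
    'type=AVC msg=audit(05/20/2020 12:58:09.601:367) : avc:  denied  { open } for  pid=4482 comm=rhsmd path="/proc/2/status" dev="proc" ino=11804 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=file permissive=1 ',
    'type=AVC msg=audit(05/20/2020 12:58:09.602:368) : avc:  denied  { search } for  pid=4482 comm=rhsmd name=7 dev="proc" ino=11900 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=dir permissive=1 ',
    'type=SYSCALL msg=audit(05/20/2020 12:58:09.593:366) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) pid=4482 comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=(null) ',
]

if __name__ == "__main__":
    for rule in format_rules(aggregate_rules(SAMPLE)):
        print(rule)
    print(count_by_comm(SAMPLE))
```

Reading the aggregated output the way this comment does is the check that matters: one source type fanning out to dozens of unrelated target domains with identical dir search / file read permissions is the signature of a process enumerating /proc, not of a missing single rule, so the answer is to question the enumeration (or label the accessed files appropriately), not to paste the generated allow lines into a local policy module.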

Comment 25 errata-xmlrpc 2020-09-29 19:55:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3925

