Bug 1846598 - avc: denied { read } for pid=35573 comm="ns-slapd" name="/" dev="cgroup" ino=1
Summary: avc: denied { read } for pid=35573 comm="ns-slapd" name="/" dev="cgroup" i...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1842946
Reported: 2020-06-12 07:13 UTC by Alexander Bokovoy
Modified: 2020-11-04 21:11 UTC
CC List: 7 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 01:56:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
Red Hat Bugzilla 1797224 (priority medium, status CLOSED): SELinux is preventing /usr/lib/systemd/systemd from unlink access on the file krb5_25.rcache2 (last updated 2021-02-22 00:41:40 UTC)
Red Hat Product Errata RHBA-2020:4528 (last updated 2020-11-04 01:57:16 UTC)

Description Alexander Bokovoy 2020-06-12 07:13:13 UTC
From idm:DL1 gating tests for module build 6996:

Test report:
https://idm-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-server-ci-prod/job/RHEL8.3/16/ipa-user-cli-adduser_20HTML_20Report/

Packages:
http://idm-artifacts.usersys.redhat.com/ipa-server-ci-prod/RHEL8.3/6/ipa-user-cli-adduser/logs/master.testrealm.test/installed-rpm.log

Full set of AVCs:
https://idm-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-server-ci-prod/job/RHEL8.3/16/ipa-user-cli-adduser_20HTML_20Report/recipes/1/tasks/2/results/1591893955/logs/avc.log

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.3-44.el8.noarch
----
time->Thu Jun 11 12:50:07 2020
type=PROCTITLE msg=audit(1591894207.565:1490): proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D544553545245414C4D2D54455354002D69002F72756E2F6469727372762F736C6170642D544553545245414C4D2D544553542E706964
type=PATH msg=audit(1591894207.565:1490): item=0 name="/sys/fs/cgroup/memory" inode=1 dev=00:26 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1591894207.565:1490): cwd="/var/log/dirsrv/slapd-TESTREALM-TEST"
type=SYSCALL msg=audit(1591894207.565:1490): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fbdc14a3c00 a2=90800 a3=0 items=1 ppid=1 pid=30751 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1591894207.565:1490): avc:  denied  { read } for  pid=30751 comm="ns-slapd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jun 11 12:50:07 2020
type=PROCTITLE msg=audit(1591894207.578:1491): proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D544553545245414C4D2D54455354002D69002F72756E2F6469727372762F736C6170642D544553545245414C4D2D544553542E706964
type=PATH msg=audit(1591894207.578:1491): item=0 name="/sys/fs/cgroup/memory" inode=1 dev=00:26 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1591894207.578:1491): cwd="/var/log/dirsrv/slapd-TESTREALM-TEST"
type=SYSCALL msg=audit(1591894207.578:1491): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fbdc14a3c00 a2=90800 a3=0 items=1 ppid=1 pid=30751 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1591894207.578:1491): avc:  denied  { read } for  pid=30751 comm="ns-slapd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----
time->Thu Jun 11 12:50:07 2020
type=PROCTITLE msg=audit(1591894207.589:1492): proctitle=2F7573722F7362696E2F6E732D736C617064002D44002F6574632F6469727372762F736C6170642D544553545245414C4D2D54455354002D69002F72756E2F6469727372762F736C6170642D544553545245414C4D2D544553542E706964
type=PATH msg=audit(1591894207.589:1492): item=0 name="/sys/fs/cgroup/memory" inode=1 dev=00:26 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1591894207.589:1492): cwd="/var/log/dirsrv/slapd-TESTREALM-TEST"
type=SYSCALL msg=audit(1591894207.589:1492): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7fbdc14a3c00 a2=90800 a3=0 items=1 ppid=1 pid=30751 auid=4294967295 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=4294967295 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1591894207.589:1492): avc:  denied  { read } for  pid=30751 comm="ns-slapd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
----

Comment 1 Zdenek Pytela 2020-06-15 09:15:52 UTC
AVCs from the description have already been addressed in bz#1836795.
There are 2 others in the Jenkins link, one addressed as well, this one remains:

----
type=PROCTITLE msg=audit(06/11/20 18:54:50.404:1804) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize 17 
----
type=AVC msg=audit(06/11/20 18:54:50.404:1804) : avc:  denied  { unlink } for  pid=1 comm=systemd name=krb5_25.rcache2 dev="vda3" ino=25247986 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0 
type=SYSCALL msg=audit(06/11/20 18:54:50.404:1804) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x15 a1=0x7f28bc008d33 a2=0x0 a3=0x0 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=CWD msg=audit(06/11/20 18:54:50.404:1804) : cwd=/ 
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=0 name=/ inode=25247981 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=1 name=krb5_25.rcache2 inode=25247986 dev=fc:03 mode=file,600 ouid=named ogid=named rdev=00:00 obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 

I wonder why the tmp file has named_tmp_t type: Alexander, do you know how the file was created?
Was PrivateTmp systemd feature turned on?

*** This bug has been marked as a duplicate of bug 1836795 ***
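The correlation done by hand in the description and in comment 1 (the AVC says only name="/", so the real object path has to be read from the PATH record of the same audit event, and the labels tell which policy rule is missing) can be scripted. The following is an added example, not code from this bug or from the selinux-policy project; it handles both the raw audit format in the description and the ausearch -i interpreted format in comment 1, and runs on a constructed sample abbreviated from the records quoted here.

```python
import re
from collections import defaultdict
# Constructed sample, abbreviated from the records quoted in this bug: raw audit
# lines for event 1490 (ns-slapd) and ausearch -i interpreted lines for event 1804.
SAMPLE_AUDIT = """
type=PATH msg=audit(1591894207.565:1490): item=0 name="/sys/fs/cgroup/memory" inode=1 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1591894207.565:1490): arch=c000003e syscall=257 success=no exit=-13 pid=30751 uid=389 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=system_u:system_r:dirsrv_t:s0
type=AVC msg=audit(1591894207.565:1490): avc:  denied  { read } for  pid=30751 comm="ns-slapd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
type=AVC msg=audit(06/11/20 18:54:50.404:1804) : avc:  denied  { unlink } for  pid=1 comm=systemd name=krb5_25.rcache2 dev="vda3" ino=25247986 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(06/11/20 18:54:50.404:1804) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) pid=1 uid=root comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=0 name=/ inode=25247981 obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=1 name=krb5_25.rcache2 inode=25247986 obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\)\s*:\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value, quoted or bare
PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_records(text):
    # Group AVC, SYSCALL and PATH records by audit event id (the "ts:serial" inside msg=audit()).
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": {}, "PATH": []})
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":                       # the permission set is not a key=value pair
            p = PERMS_RE.search(body)
            fields["perms"] = p.group(2).split() if p else []
        if rtype in ("AVC", "PATH"):
            events[event_id][rtype].append(fields)
        elif rtype == "SYSCALL":
            events[event_id][rtype] = fields
    return events

def triage(text):
    # One row per denial; the AVC's name= is only the last path component ("/" for the cgroup case), so the object name comes from the PATH item with the same label.
    rows = []
    for event_id, ev in parse_records(text).items():
        for avc in ev["AVC"]:
            hit = next((p for p in ev["PATH"] if p.get("obj") == avc["tcontext"]), None)
            rows.append({"event": event_id, "tclass": avc["tclass"], "perms": avc["perms"],
                         "source": avc["scontext"].split(":")[2],
                         "target": avc["tcontext"].split(":")[2],
                         "path": hit["name"] if hit else avc.get("name"),
                         "exe": ev["SYSCALL"].get("exe"),
                         "enforcing": avc.get("permissive") == "0"})
    return rows

def allow_rule(row):
    # The minimal TE rule that would silence the denial, in the form audit2allow prints it.
    return f"allow {row['source']} {row['target']}:{row['tclass']} {{ {' '.join(row['perms'])} }};"
```

Run `triage(SAMPLE_AUDIT)` to get one row per denial with the recovered path and labels; the rule from `allow_rule` is the raw requirement only, and the proper fix is the matching policy interface (as in the bind.te change in comment 3), not a local allow rule.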

Comment 2 Alexander Bokovoy 2020-06-15 10:18:00 UTC
PrivateTmp=yes for named-pkcs11.service

krb5_25.rcache2 is a replay cache created by libkrb5 when running under uid 25 (named). Most likely it is the bind-dyndb-ldap plugin to named attempting to authenticate to LDAP, thus it has the named_tmp_t context.

Comment 3 Zdenek Pytela 2020-06-15 15:03:44 UTC
In that case the following Fedora PR should address the remaining AVC:

commit dd32a9e30993116d8cb49c176a4a593f76dfa107
Author: Zdenek Pytela <zpytela>
Date:   Mon Feb 10 10:14:38 2020 +0100

    Allow systemd_private_tmp(named_tmp_t)
    
    Resolves: rhbz#1797224

diff --git a/bind.te b/bind.te
index 872445c34..5e39ed371 100644
--- a/bind.te
+++ b/bind.te
@@ -248,6 +248,10 @@ optional_policy(`
        seutil_sigchld_newrole(named_t)
 ')
 
+optional_policy(`
+       systemd_private_tmp(named_tmp_t)
+')
+
 optional_policy(`
        udev_read_db(named_t)
 ')
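Review bot: the new optional_policy block covers only named_tmp_t, yet comment 7 reports the same krb5 replay-cache unlink denial for Samba and other IdM components running with PrivateTmp, so each of those services' tmp types needs an equivalent systemd_private_tmp() call or the fix stays partial for the scenario this bug describes. A short comment above `systemd_private_tmp(named_tmp_t)` noting that it is systemd (init_t), not named_t, that removes the private tmp contents when the service stops would make the reason for granting init_t access to named_tmp_t clear to the next reader of bind.te.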

Comment 4 Alexander Bokovoy 2020-06-16 08:41:23 UTC
Please consider including this fix into RHEL 8.3 too.

Comment 5 Zdenek Pytela 2020-06-24 10:25:21 UTC
This bug has not been acknowledged by the subsystem to be resolved during the RHEL 8.3 development and testing phase.
If you believe the decision needs to be reconsidered, please adjust severity accordingly and bring out justification.

Comment 6 Alexander Bokovoy 2020-06-24 10:35:35 UTC
This bug is preventing operations of RHEL IdM without SELinux AVCs in the default installation with integrated DNS in RHEL. It is a regression as there was no such AVC in the past in the default installation.

Comment 7 Alexander Bokovoy 2020-06-24 10:36:57 UTC
Aside from bind, I saw the very same replay cache AVCs in Samba and other RHEL IdM components, so it is clearly affecting a lot of operations.

Comment 13 Sumedh Sidhaye 2020-07-20 13:48:53 UTC
Reproducer:

https://idm-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-server-ci-prod/job/RHEL8.3/16/ipa-user-cli-adduser_20HTML_20Report/


SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.3-44.el8.noarch


Fixed Version:

https://idm-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-server-ci-prod/job/RHEL8.3/27/ipa-user-cli-adduser_20HTML_20Report/

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32
selinux-policy-3.14.3-49.el8.noarch

Comment 18 errata-xmlrpc 2020-11-04 01:56:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

