Bug 1846598
| Summary: | avc: denied { read } for pid=35573 comm="ns-slapd" name="/" dev="cgroup" ino=1 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexander Bokovoy <abokovoy> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.3 | CC: | lvrabec, mmalik, pasik, pcech, plautrba, ssekidde, ssidhaye |
| Target Milestone: | rc | Keywords: | Regression, Triaged |
| Target Release: | 8.3 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:56:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1842946 | | |
Description
Alexander Bokovoy
2020-06-12 07:13:13 UTC
AVCs from the description have already been addressed in bz#1836795. There are 2 others in the jenkins link, one addressed as well, this one remains:

----
type=PROCTITLE msg=audit(06/11/20 18:54:50.404:1804) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize 17
----
type=AVC msg=audit(06/11/20 18:54:50.404:1804) : avc: denied { unlink } for pid=1 comm=systemd name=krb5_25.rcache2 dev="vda3" ino=25247986 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(06/11/20 18:54:50.404:1804) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) a0=0x15 a1=0x7f28bc008d33 a2=0x0 a3=0x0 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=CWD msg=audit(06/11/20 18:54:50.404:1804) : cwd=/
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=0 name=/ inode=25247981 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=1 name=krb5_25.rcache2 inode=25247986 dev=fc:03 mode=file,600 ouid=named ogid=named rdev=00:00 obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0

I wonder why the tmp file has the named_tmp_t type. Alexander, do you know how the file was created? Was the PrivateTmp systemd feature turned on?

*** This bug has been marked as a duplicate of bug 1836795 ***

PrivateTmp=yes for named-pkcs11.service

krb5_25.rcache2 is a replay cache created by libkrb5 when running under uid 25 (named). Most likely it is the bind-dyndb-ldap plugin to named attempting to authenticate to LDAP, thus it has the named_tmp_t context.
In that case the following Fedora PR should address the remaining AVC:
commit dd32a9e30993116d8cb49c176a4a593f76dfa107
Author: Zdenek Pytela <zpytela>
Date: Mon Feb 10 10:14:38 2020 +0100
Allow systemd_private_tmp(named_tmp_t)
Resolves: rhbz#1797224
diff --git a/bind.te b/bind.te
index 872445c34..5e39ed371 100644
--- a/bind.te
+++ b/bind.te
@@ -248,6 +248,10 @@ optional_policy(`
seutil_sigchld_newrole(named_t)
')
+optional_policy(`
+ systemd_private_tmp(named_tmp_t)
+')
+
optional_policy(`
udev_read_db(named_t)
')
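Review bot: the new optional_policy block grants only named_tmp_t to systemd_private_tmp(), which matches the quoted AVC (init_t unlinking a named_tmp_t file whose parent directory is tmp_t, i.e. PrivateTmp cleanup by systemd), but it does not cover the other services the reporter mentions: the replay cache is created by libkrb5 with the calling domain's tmp type, so Samba and any other PrivateTmp=yes service authenticating with Kerberos will hit the identical unlink denial on its own <domain>_tmp_t and needs the same interface call in its own module. A one-line comment above `systemd_private_tmp(named_tmp_t)` saying why a named tmp type shows up in the init domain (libkrb5 rcache under PrivateTmp) would save the next reader a trip to the audit log, and the RHEL backport should reference this bug alongside the `Resolves: rhbz#1797224` line in the commit message.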
Please consider including this fix into RHEL 8.3 too.

This bug has not been acknowledged by the subsystem to be resolved during the RHEL 8.3 development and testing phase. If you believe the decision needs to be reconsidered, please adjust severity accordingly and bring out justification.

This bug is preventing operations of RHEL IdM without SELinux AVCs in the default installation with integrated DNS in RHEL. It is a regression, as there was no such AVC in the past in the default installation. Aside from bind, I saw the very same replay cache AVCs in Samba and other RHEL IdM components, so it is clearly affecting a lot of operations.

Reproducer: https://idm-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-server-ci-prod/job/RHEL8.3/16/ipa-user-cli-adduser_20HTML_20Report/

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 32

selinux-policy-3.14.3-44.el8.noarch

Fixed Version: https://idm-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/ipa-server-ci-prod/job/RHEL8.3/27/ipa-user-cli-adduser_20HTML_20Report/

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 32

selinux-policy-3.14.3-49.el8.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528
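The AVC quoted in the comments above, parsed the way a policy maintainer triages it, as an added example (this is not code from the bug report or from selinux-policy). The parser reads ausearch -i style records, pulls the source type, target type, object class and denied permissions out of the AVC record, prints the raw rule audit2allow would produce, and flags the PrivateTmp-cleanup pattern this bug is about: init_t denied on a <domain>_tmp_t file whose PARENT path record is tmp_t, which is what the systemd_private_tmp() interface grants. SAMPLE_EVENT is constructed from the report's log and trimmed to the fields used; the suggest_private_tmp_interface() heuristic is this example's own, not an audit2allow feature.

```python
"""Parse ausearch -i style audit records and extract the SELinux denial.

Added example for this bug, not code from the report or selinux-policy.
SAMPLE_EVENT is constructed from the AVC quoted in the bug, trimmed to the
fields this parser uses.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_EVENT = """\
----
type=AVC msg=audit(06/11/20 18:54:50.404:1804) : avc: denied { unlink } for pid=1 comm=systemd name=krb5_25.rcache2 dev="vda3" ino=25247986 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:named_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(06/11/20 18:54:50.404:1804) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Permission denied) pid=1 comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=0 name=/ inode=25247981 dev=fc:03 mode=dir,sticky,777 ouid=root ogid=root obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=PATH msg=audit(06/11/20 18:54:50.404:1804) : item=1 name=krb5_25.rcache2 inode=25247986 dev=fc:03 mode=file,600 ouid=named ogid=named obj=system_u:object_r:named_tmp_t:s0 nametype=DELETE
"""

# type=<TYPE> msg=audit(<timestamp:serial>) : <body>
HEADER_RE = re.compile(r"^type=(?P<type>\w+)\s+msg=audit\((?P<event>[^)]*)\)\s*:\s*(?P<body>.*)$")
# avc: denied { perm perm ... } for key=value ...
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value, where value is "quoted" or bare, optionally with a suffix like EACCES(Permission denied)
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]+(?:\([^)]*\))?)')


def parse_record(line: str) -> Optional[dict]:
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # "----" event separators and blank lines
    rec = {"type": m["type"], "event": m["event"]}
    body = m["body"]
    if rec["type"] == "AVC":
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["decision"] = a["decision"]
        rec["perms"] = tuple(a["perms"].split())
        body = a["rest"]
    for key, value in KV_RE.findall(body):
        rec[key] = value.strip('"')
    return rec


def parse_event(text: str) -> list:
    return [r for r in map(parse_record, text.splitlines()) if r]


def selinux_type(context: str) -> str:
    """user:role:type[:range] -> type (works for MLS ranges too)."""
    return context.split(":")[2]


@dataclass(frozen=True)
class Denial:
    source: str      # subject type, e.g. init_t
    target: str      # object type, e.g. named_tmp_t
    tclass: str      # object class, e.g. file
    perms: tuple     # denied permissions
    enforcing: bool  # permissive=0: the syscall really failed


def denials(records: list) -> list:
    return [
        Denial(selinux_type(r["scontext"]), selinux_type(r["tcontext"]),
               r["tclass"], r["perms"], r.get("permissive") == "0")
        for r in records
        if r["type"] == "AVC" and r["decision"] == "denied"
    ]


def allow_rule(d: Denial) -> str:
    """Raw TE rule, equivalent to audit2allow output. Usable as a local
    stop-gap module; the proper fix in this bug is an interface call."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source} {d.target}:{d.tclass} {perms};"


def parent_dir_type(records: list) -> Optional[str]:
    for r in records:
        if r["type"] == "PATH" and r.get("nametype") == "PARENT":
            return selinux_type(r["obj"])
    return None


def suggest_private_tmp_interface(records: list) -> list:
    """Heuristic (this example's own): init_t denied on a <domain>_tmp_t
    object under a tmp_t parent is systemd cleaning a PrivateTmp namespace,
    which is exactly what systemd_private_tmp(<type>) grants."""
    parent = parent_dir_type(records)
    return sorted({
        f"systemd_private_tmp({d.target})"
        for d in denials(records)
        if d.source == "init_t" and d.tclass in ("file", "dir", "lnk_file")
        and d.target.endswith("_tmp_t") and parent == "tmp_t"
    })


if __name__ == "__main__":
    recs = parse_event(SAMPLE_EVENT)
    for d in denials(recs):
        print(d, "->", allow_rule(d))
    print("policy fix:", suggest_private_tmp_interface(recs))
```

Run it against the output of `ausearch -i -m AVC,SYSCALL,PATH -ts recent` to see the same triage on a live system. The distinction the last function draws matters: the raw allow rule from audit2allow would let init_t unlink named_tmp_t files anywhere, whereas the interface used in the patch above expresses the intent (systemd managing that type inside a PrivateTmp namespace) and is what upstream accepts.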