Bug 1894527 - rhsmcertd-worker AVC accessing /usr/sbin/kpatch
Summary: rhsmcertd-worker AVC accessing /usr/sbin/kpatch
Keywords:
Status: CLOSED DUPLICATE of bug 1895322
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: 8.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.4
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-04 12:42 UTC by James Hartsock
Modified: 2024-03-25 16:56 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-12 16:42:58 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System: Red Hat Knowledge Base (Solution)
ID: 5554231
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-11-06 14:41:16 UTC

Description James Hartsock 2020-11-04 12:42:48 UTC
Description of problem:
After upgrading a RHEL 8.2 system to RHEL 8.3 with subscription-manager-1.27.16-1.el8.x86_64, started getting AVC events in the logs

Version-Release number of selected component (if applicable):


How reproducible:
subscription-manager-1.27.16-1.el8

Steps to Reproduce:
1. Update to RHEL 8.3 on a system subscribed to CDN
2. Reboot
3. Look in the audit log for AVCs

Actual results:
# ausearch --input-logs --message DAEMON_START --message avc,user_avc,avc_path --success no --format text
At 12:52:18 11/03/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/lib/systemd/systemd
At 13:21:36 11/03/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 13:21:36 11/03/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 17:21:53 11/03/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 21:21:53 11/03/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 01:21:53 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 05:21:53 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6


Expected results:
No AVC on system with selinux installed

Additional info:
time->Tue Nov  3 13:21:36 2020
type=PROCTITLE msg=audit(1604431296.300:1172): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1604431296.300:1172): arch=c000003e syscall=4 success=no exit=-13 a0=7f8ab68489f0 a1=7fff6dbd5740 a2=7fff6dbd5740 a3=1 items=0 ppid=1350 pid=15881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1604431296.300:1172): avc:  denied  { getattr } for  pid=15881 comm="rhsmcertd-worke" path="/usr/sbin/kpatch" dev="dm-0" ino=1337388 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=0

Comment 1 James Hartsock 2020-11-04 12:43:53 UTC
Noticed the following log time stamps appear to match the AVCs

# tail -n 8 /var/log/rhsm/rhsmcertd.log
Tue Nov  3 12:52:17 2020 [INFO] Waiting 2.0 minutes plus 19997 splay seconds [20117 seconds total] before performing first auto-attach.
Tue Nov  3 12:52:17 2020 [INFO] Waiting 2.0 minutes plus 1628 splay seconds [1748 seconds total] before performing first cert check.
Tue Nov  3 13:21:43 2020 [INFO] (Cert Check) Certificates updated.
Tue Nov  3 17:21:58 2020 [INFO] (Cert Check) Certificates updated.
Tue Nov  3 18:27:39 2020 [INFO] (Auto-attach) Certificates updated.
Tue Nov  3 21:21:58 2020 [INFO] (Cert Check) Certificates updated.
Wed Nov  4 01:21:58 2020 [INFO] (Cert Check) Certificates updated.
Wed Nov  4 05:21:58 2020 [INFO] (Cert Check) Certificates updated.

Comment 2 James Hartsock 2020-11-04 13:01:30 UTC
# mkdir /etc/systemd/system/rhsmcertd.service.d
# echo -e "[Service]\nExecStart=\nExecStart=/usr/bin/rhsmcertd -d -i 1 -c 1" > /etc/systemd/system/rhsmcertd.service.d/BZ1894527.conf
# systemctl daemon-reload 
# systemctl restart rhsmcertd
# tail -f /var/log/rhsm/rhsmcertd.log
..
Wed Nov  4 06:53:04 2020 [DEBUG] Loading configuration from: /etc/rhsm/rhsm.conf
Wed Nov  4 06:53:04 2020 [INFO] Starting rhsmcertd...
Wed Nov  4 06:53:04 2020 [INFO] Auto-attach interval: 1.0 minutes [60 seconds]
Wed Nov  4 06:53:04 2020 [INFO] Cert check interval: 1.0 minutes [60 seconds]
Wed Nov  4 06:53:04 2020 [INFO] Waiting 2.0 minutes plus 51 splay seconds [171 seconds total] before performing first auto-attach.
Wed Nov  4 06:53:04 2020 [INFO] Waiting 2.0 minutes plus 18 splay seconds [138 seconds total] before performing first cert check.
Wed Nov  4 06:55:38 2020 [INFO] (Cert Check) Certificates updated.
Wed Nov  4 06:56:00 2020 [INFO] (Auto-attach) Certificates updated.
Wed Nov  4 06:56:53 2020 [INFO] (Cert Check) Certificates updated.
Wed Nov  4 06:57:05 2020 [INFO] (Auto-attach) Certificates updated.
Wed Nov  4 06:57:53 2020 [INFO] (Cert Check) Certificates updated.
Wed Nov  4 06:58:05 2020 [INFO] (Auto-attach) Certificates updated.
Wed Nov  4 06:58:53 2020 [INFO] (Cert Check) Certificates updated.
Wed Nov  4 06:59:05 2020 [INFO] (Auto-attach) Certificates updated.


---

# ausearch --input-logs --message DAEMON_START --message avc,user_avc,avc_path --success no --format text -ts recent
At 06:55:33 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 06:55:33 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 06:56:49 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 06:57:49 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6
At 06:58:49 11/04/2020 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6

Comment 3 James Hartsock 2020-11-04 16:21:20 UTC
Suspect regression here is with
  Bug 1761566 - [RFE] Collect kernel patch version version in facts


The following custom SELinux module seems to be working for me...

# cat james-rhsmcertd.te 
# https://bugzilla.redhat.com/show_bug.cgi?id=1894527
# 
# Steps:
# checkmodule -M -m -o james-rhsmcertd.mod james-rhsmcertd.te
# semodule_package  -o james-rhsmcertd.pp -m james-rhsmcertd.mod
# semodule -i james-rhsmcertd.pp

module james-rhsmcertd 1.0;

require {
	type kpatch_exec_t;
	type rhsmcertd_t;
	class file { execute getattr };
}

#============= rhsmcertd_t ==============
allow rhsmcertd_t kpatch_exec_t:file { execute getattr };
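As an added illustration (not code from the bug report, subscription-manager or selinux-policy), the following Python script does by hand what audit2allow does with the AVC record quoted in the description: it parses the denial fields, collapses them into allow rules, and emits the require block and rule seen in the module above. The execute denial in the sample is constructed so that the derived rule matches that module; the page itself only quotes the getattr denial.

```python
import re
from collections import defaultdict

# Audit AVC record fields, in the layout shown in this bug's "Additional info".
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'(?: path="(?P<path>[^"]*)")?.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+) permissive=(?P<permissive>\d)')
# Constructed sample: the getattr denial quoted in the bug plus a made-up execute denial.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1604431296.300:1172): avc:  denied  { getattr } for  pid=15881 '
    'comm="rhsmcertd-worke" path="/usr/sbin/kpatch" dev="dm-0" ino=1337388 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1604431299.100:1173): avc:  denied  { execute } for  pid=15882 '
    'comm="rhsmcertd-worke" name="kpatch" dev="dm-0" ino=1337388 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 '
    'tclass=file permissive=0',
]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["stype"] = d["scontext"].split(":")[2]  # source domain, e.g. rhsmcertd_t
    d["ttype"] = d["tcontext"].split(":")[2]  # target type, e.g. kpatch_exec_t
    d["permissive"] = d["permissive"] == "1"  # 0 means the access really was blocked
    return d

def allow_rules(lines):
    """Collapse denials into 'allow src tgt:class { perms };' lines, as audit2allow does."""
    perms = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        perms[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

def te_module(name, lines):
    """Emit loadable .te source: the require block checkmodule needs, then the rules."""
    parsed = list(filter(None, map(parse_avc, lines)))
    req = ["\ttype %s;" % t for t in sorted({d[k] for d in parsed for k in ("stype", "ttype")})]
    classes = defaultdict(set)
    for d in parsed:
        classes[d["tclass"]] |= d["perms"]
    req += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (
        name, "\n".join(req), "\n".join(allow_rules(lines)))
```

Calling te_module("james-rhsmcertd", SAMPLE_AUDIT) prints the same module as comment 3; as the thread later concludes, a local module like this is a stopgap until selinux-policy itself carries the rule, so review what a generator emits before loading it rather than allowing every denial it sees.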

Comment 5 Milos Malik 2020-11-06 15:04:01 UTC
There is almost identical bug filed against selinux-policy component:
 * https://bugzilla.redhat.com/show_bug.cgi?id=1895322

Most likely one of them will be closed as duplicate.

Comment 6 Milos Malik 2020-11-11 09:10:42 UTC
As you can see in BZ#1895322 we already have the reproducer and SELinux denials are gathered.
I think that the SELinux policy maintainer (zpytela) has everything he needs to fix the bug in the selinux-policy component.

Comment 7 Milos Malik 2020-11-11 09:16:08 UTC
If this bug is blocking you or your team, please increase priority/severity in BZ#1895322.

Comment 8 Rehana 2020-11-12 16:42:58 UTC
Thanks Milos, based on the discussion moving this bug as a duplicate of 1895322

*** This bug has been marked as a duplicate of bug 1895322 ***
