Bug 1895322 - rhsmcertd_t needs to execute kpatch (kpatch_exec_t)
Summary: rhsmcertd_t needs to execute kpatch (kpatch_exec_t)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: 8.4
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
: 1894527 1925643 1925811 1927844 (view as bug list)
Depends On:
Blocks: 1122832
TreeView+ depends on / blocked
 
Reported: 2020-11-06 10:39 UTC by Renaud Métrich
Modified: 2021-05-18 14:58 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A new "kpatch fact" feature in subscription-manager in RHEL 8.3 requires to execute the kpatch command. As this is a newly requested permission, it was not presnet in the policy. Consequence: Subscription manager fails to execute kpatch and keeps reporting a problem. Fix: Add the permission to execute kpatch with a transition. Result: The kpatch fact in the subscription manager works as expected.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:58:17 UTC
Type: Bug
Target Upstream Version:
arpandey: needinfo-


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1761566 0 unspecified CLOSED [RFE] Collect kernel patch version version in facts 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 5554231 0 None None None 2020-11-06 15:35:54 UTC

Description Renaud Métrich 2020-11-06 10:39:38 UTC
Description of problem:

With RHEL 8.3, subscription-manager comes with a "kpatch" fact /usr/lib64/python3.6/site-packages/rhsmlib/facts/kpatch.py which internally checks if /usr/sbin/kpatch exists (requires "getattr") and then executes it later (requires "execute").

This requires a policy update:

AVCs:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
avc:  denied  { getattr } for  pid=192521 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="dm-0" ino=2185345 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
avc:  denied  { execute } for  pid=192521 comm=rhsmcertd-worke name=kpatch dev="dm-0" ino=2185345 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Missing CIL rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
(allow rhsmcertd_t kpatch_exec_t (file (getattr execute)))
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-54.el8.noarch
subscription-manager-1.27.16-1.el8.x86_64

How reproducible:

No idea, 100% by the customer.

Additional info:

I requested SysMgmt to explain when this fact is triggered.

Comment 1 Milos Malik 2020-11-06 15:07:26 UTC
It seems that following bug contains the reproducer:
 * https://bugzilla.redhat.com/show_bug.cgi?id=1894527

Comment 3 Milos Malik 2020-11-11 08:13:48 UTC
The reproducer triggers the following SELinux denial enforcing mode:
----
type=PROCTITLE msg=audit(11/11/2020 09:10:12.218:3095) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker 
type=PATH msg=audit(11/11/2020 09:10:12.218:3095) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/11/2020 09:10:12.218:3095) : cwd=/ 
type=SYSCALL msg=audit(11/11/2020 09:10:12.218:3095) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7fb7e7e576e0 a1=0x7ffc5aa003b0 a2=0x7ffc5aa003b0 a3=0x1 items=1 ppid=311622 pid=312331 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(11/11/2020 09:10:12.218:3095) : avc:  denied  { getattr } for  pid=312331 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=0 
----

The reproducer triggers following SELinux denials in permissive mode:
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.820:3100) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker 
type=PATH msg=audit(11/11/2020 09:11:35.820:3100) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/11/2020 09:11:35.820:3100) : cwd=/ 
type=SYSCALL msg=audit(11/11/2020 09:11:35.820:3100) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7fd25b224718 a1=0x7fff8c3f35c0 a2=0x7fff8c3f35c0 a3=0x1 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(11/11/2020 09:11:35.820:3100) : avc:  denied  { getattr } for  pid=312790 comm=rhsmcertd-worke path=/usr/sbin/kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.827:3101) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker 
type=PATH msg=audit(11/11/2020 09:11:35.827:3101) : item=0 name=/usr/sbin/kpatch inode=8727282 dev=08:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/11/2020 09:11:35.827:3101) : cwd=/ 
type=SYSCALL msg=audit(11/11/2020 09:11:35.827:3101) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7fd25b224718 a1=X_OK a2=0x0 a3=0x2 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(11/11/2020 09:11:35.827:3101) : avc:  denied  { execute } for  pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=8727282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/11/2020 09:11:35.827:3102) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker 
type=PATH msg=audit(11/11/2020 09:11:35.827:3102) : item=0 name=/var/lib/kpatch inode=6415 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:kpatch_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/11/2020 09:11:35.827:3102) : cwd=/ 
type=SYSCALL msg=audit(11/11/2020 09:11:35.827:3102) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x7fd259d31b30 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=311622 pid=312790 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(11/11/2020 09:11:35.827:3102) : avc:  denied  { read } for  pid=312790 comm=rhsmcertd-worke name=kpatch dev="sda2" ino=6415 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_var_lib_t:s0 tclass=dir permissive=1
----

Comment 7 Rehana 2020-11-12 16:42:57 UTC
*** Bug 1894527 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2021-01-05 17:34:12 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/529

Milosi,
kpatch is used to gather information only, so I went the can_exec way, i. e. no test change is required.

Archana Pandey,
will you be able to verify the fix is sufficient once we have a RHEL build?

Comment 24 Zdenek Pytela 2021-02-05 19:15:06 UTC
*** Bug 1925643 has been marked as a duplicate of this bug. ***

Comment 28 Zdenek Pytela 2021-02-11 16:42:54 UTC
*** Bug 1927844 has been marked as a duplicate of this bug. ***

Comment 34 Rehana 2021-02-16 14:54:47 UTC
*** Bug 1925811 has been marked as a duplicate of this bug. ***

Comment 36 errata-xmlrpc 2021-05-18 14:58:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639


Note You need to log in before you can comment on or make changes to this bug.