1926256 – AVC denial for abrt-dump-journ module_request

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1926256 - AVC denial for abrt-dump-journ module_request

Summary: AVC denial for abrt-dump-journ module_request

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	8.0
Assignee:	Zdenek Pytela
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-02-08 14:05 UTC by Hubert Kario
Modified:	2022-01-19 20:03 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-01-19 20:03:09 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Hubert Kario 2021-02-08 14:05:37 UTC

Description of problem:
Restarting the system with IPv6 disabled causes AVC denials to be logged.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-62.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. add ipv6.disable=1 do kernel command line
2. restart the system
3. inspect selinux journal

Actual results:
time->Tue Jan 19 02:27:15 2021
type=PROCTITLE msg=audit(1611041235.183:27): proctitle=2F7573722F62696E2F616272742D64756D702D6A6F75726E616C2D6F6F7073002D66787444
type=SYSCALL msg=audit(1611041235.183:27): arch=c00000b7 syscall=198 success=no exit=-97 a0=a a1=2 a2=0 a3=454c494647 items=0 ppid=1 pid=924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-dump-journ" exe="/usr/bin/abrt-dump-journal-oops" subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null)
type=AVC msg=audit(1611041235.183:27): avc:  denied  { module_request } for  pid=924 comm="abrt-dump-journ" kmod="net-pf-10" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Expected results:
no AVCs logged

Additional info:

Comment 3 Zdenek Pytela 2021-03-10 08:59:27 UTC

Hubert and Stanislav,

How the ipv6 module is disabled? There are multiple ways.
What is the purpose of disabling, like for the boot time or for the system lifetime? Which use case it covers?
What is the expected behaviour of services when ipv6 is disabled?

See also bz#1931450
https://access.redhat.com/solutions/8709
https://danwalsh.livejournal.com/47118.html

Comment 4 Hubert Kario 2021-03-10 15:35:10 UTC

(In reply to Zdenek Pytela from comment #3)
> Hubert and Stanislav,
> 
> How the ipv6 module is disabled? There are multiple ways.

Steps to Reproduce:
1. add ipv6.disable=1 do kernel command line

> What is the purpose of disabling, like for the boot time or for the system
> lifetime? Which use case it covers?

to cover a use case reported by customer, they reported that openssl didn't work with ipv6 disabled, we fixed it, we're running regression test case for that

> What is the expected behaviour of services when ipv6 is disabled?

continue to work as if IPv6 was unroutable/unavilable

> See also bz#1931450
> https://access.redhat.com/solutions/8709
> https://danwalsh.livejournal.com/47118.html

From the article:

> It still loads the module but unhooks almost all of the calls into the module.

that "almost all" is precisely the issue and the reason for use of ipv6.disable=1 on command line instead of any other approach

Comment 5 Zdenek Pytela 2021-03-22 19:13:42 UTC

Hubert,

Thank you, now I think I understand, for sure it is different to bz#1931450. What we can do in the policy is to dontaudit these messages, i. e. silence them not to be audited, either for enumerated list of domains or for all services.

Is it a bit questionable though as it makes further troubleshooting harder, so these audit records can be taken as indication of a possible problem.

We currently have:
# sesearch --dontaudit -t kernel_t -c system -p module_request
dontaudit dnssec_trigger_t kernel_t:system module_request;
dontaudit init_t kernel_t:system module_request;
dontaudit ipsec_mgmt_t kernel_t:system module_request;
dontaudit openshift_domain kernel_t:system module_request;
dontaudit pcp_pmie_t kernel_t:system module_request;
dontaudit pcscd_t kernel_t:system module_request;
dontaudit postfix_domain kernel_t:system module_request;
dontaudit sandbox_xserver_t kernel_t:system module_request;
dontaudit sshd_keygen_t kernel_t:system module_request;
dontaudit systemd_rfkill_t kernel_t:system module_request;
dontaudit tlp_t kernel_t:system module_request;
dontaudit xguest_t kernel_t:system module_request;

Comment 6 Hubert Kario 2021-03-22 19:38:19 UTC

ipv6.disable=1 isn't default configuration, so it requiring additional audit rule(s) to work as expected isn't exactly unexpected...
dunno if the rule should be to blanket allow module loading, or if it should be to just suppress these messages; but it looks to me like we should document the solution, then we can use it in the test cases that run in this configuration

Comment 7 Zdenek Pytela 2021-04-13 13:15:49 UTC

Hubert,

There is no definite answer, but I tend not to dontaudit these messages in the policy, that is leave the denial exposed instead of hiding it.

For sure the applications need to get the information that loading of the module failed. Exposing the error in audit log is  a possible way to point to the problem.

If it actually is needed to allow the attempts, the domain_kernel_load_modules SELinux boolean can be turned on:
domain_kernel_load_modules     (off  ,  off)  Allow all domains to have the kernel load modules
The boolean is off by default.

Is this satisfactory explanation and resolution?

Comment 8 Hubert Kario 2021-04-13 14:23:30 UTC

The problem is that the attempt at loading the module doesn't come from the application, I'm guessing it comes from glibc.
So we can't limit the rule to specific domains, any application that binds to a socket will likely attempt to load that module.
We could allow all domains to load modules, and depend on the kernel to block the loading of the ipv6 module, but then we make the system less secure, as attacker can use it to load some obsolete module.
Or we could stop logging, and make debugging more complex for applications that have legitimate use case of loading modules...

With my security hat on, I'd go for the latter, but I'm thinking that documenting both approaches and their individual downsides is more user friendly.

Comment 9 Zdenek Pytela 2022-01-19 20:03:09 UTC

All things considered, we decided to let the problem rather exposed and visible for further troubleshooting and neither allow nor dontaudit the denials.

The issue is going to be closed now, but if you believe that the decision needs to be reconsidered, feel free to reopen this bug and attach information regarding severity of the problem.

Note You need to log in before you can comment on or make changes to this bug.