1926756 – selinux issue with pcp-pmda-sockets

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1926756 - selinux issue with pcp-pmda-sockets

Summary: selinux issue with pcp-pmda-sockets

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pcp
Sub Component:
Version:	8.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.4
Assignee:	Mark Goodwin
QA Contact:	Jan Kurik
Docs Contact:	Apurva Bhide
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-02-09 12:17 UTC by Jan Kurik
Modified:	2021-09-17 12:44 UTC (History)
CC List:	5 users (show)
Fixed In Version:	pcp-5.2.5-3
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 15:19:49 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jan Kurik 2021-02-09 12:17:27 UTC

Description of problem:
Registration of "sockets" pmda generates AVC records

Version-Release number of selected component (if applicable):
* RHEL-8.4.0-20210202.n.0 compose
* pcp-5.2.5-2.el8
* selinux-policy-3.14.3-62.el8


How reproducible:
Always

Steps to Reproduce:
1. Install pcp-pmda-sockets and pcp-zeroconf packages
# yum install -y pcp-pmda-sockets pcp-zeroconf
2. Register the socket PMDA
# cd /var/lib/pcp/pmdas/sockets && ./Install


Actual results:
The following selinux record is generated during the registration process

# audit2allow -a
#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:netlink_tcpdiag_socket create;
allow pcp_pmcd_t self:netlink_tcpdiag_socket setopt;
allow pcp_pmcd_t self:netlink_tcpdiag_socket bind;
allow pcp_pmcd_t self:netlink_tcpdiag_socket getattr;



# ausearch -m AVC
----
time->Tue Feb  9 06:27:04 2021
type=PROCTITLE msg=audit(1612870024.868:1204): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564
type=SYSCALL msg=audit(1612870024.868:1204): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=4 a3=404 items=0 ppid=26358 pid=27288 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1612870024.868:1204): avc:  denied  { create } for  pid=27288 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0
----
time->Tue Feb  9 06:35:56 2021
type=PROCTITLE msg=audit(1612870556.944:1229): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564
type=SYSCALL msg=audit(1612870556.944:1229): arch=c000003e syscall=54 success=no exit=-13 a0=6 a1=1 a2=7 a3=7ffc1340d3d0 items=0 ppid=29077 pid=29097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1612870556.944:1229): avc:  denied  { setopt } for  pid=29097 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0
----
time->Tue Feb  9 06:41:15 2021
type=PROCTITLE msg=audit(1612870875.033:2031): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564
type=SYSCALL msg=audit(1612870875.033:2031): arch=c000003e syscall=49 success=no exit=-13 a0=1e a1=7fffe44b1774 a2=c a3=7fffe44b16b4 items=0 ppid=44368 pid=46332 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1612870875.033:2031): avc:  denied  { bind } for  pid=46332 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0
----
time->Tue Feb  9 06:51:33 2021
type=PROCTITLE msg=audit(1612871493.134:2909): proctitle=2F7573722F7362696E2F7373002D6E6F656D697461754F4800737461746500636F6E6E6563746564
type=SYSCALL msg=audit(1612871493.134:2909): arch=c000003e syscall=51 success=no exit=-13 a0=1e a1=7ffc94fba304 a2=7ffc94fba23c a3=7ffc94fba244 items=0 ppid=53873 pid=54868 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="ss" exe="/usr/sbin/ss" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=AVC msg=audit(1612871493.134:2909): avc:  denied  { getattr } for  pid=54868 comm="ss" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_tcpdiag_socket permissive=0



There is also the folloving error message in /var/log/pcp/pmcd/pmcd.log file:
Cannot open netlink socket: Permission denied



Expected results:
No AVC issues, no error messages in /var/log/pcp/pmcd/pmcd.log file.


Additional info:

Comment 1 Mark Goodwin 2021-02-11 12:32:59 UTC

Jan, were there any other AVCs (other than the four listed /usr/sbin/ss operations on netlink_tcpdiag_socket) in the audit log on your RHEL84 test system? On my f33 test system I'm also seeing AVCs denying execute and execute_no_trans like the following:

type=AVC msg=audit(1613000440.144:54204): avc:  denied  { execute } for  pid=3891551 comm="pmcd" name="bash" dev="dm-1" ino=137448978 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1613000440.144:54205): avc:  denied  { execute_no_trans } for  pid=3891551 comm="pmcd" path="/usr/bin/bash" dev="dm-1" ino=137448978 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

Thanks

Comment 2 Jan Kurik 2021-02-11 13:34:01 UTC

Hi Mark,

I tried to kept the sockets pmda running for a while and run the upstream testsuite with '-g pmda.sockets' on it several times.
This has generated one more AVC beside of those already reported (nlmsg_read). Here is the full list of AVCs I can see on RHEL-8.4:

#============= pcp_pmcd_t ==============
allow pcp_pmcd_t self:netlink_tcpdiag_socket { bind create getattr nlmsg_read setopt };


However I do not see any of those AVCs you reported above.

Comment 4 Jan Kurik 2021-02-12 04:41:51 UTC

I do not observe any AVC issues on the pcp-5.2.5-3 build.

Comment 7 Jan Kurik 2021-02-15 04:42:22 UTC

This BZ has been verified on x86_64, ppc64le, aarch64 platforms.
Due to lack of s390x systems, the verification on s390x platform has been done only on a shared system with limited testing capabilities -> setting SanityOnly flag.

Comment 9 errata-xmlrpc 2021-05-18 15:19:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pcp bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1754

Note You need to log in before you can comment on or make changes to this bug.