Bug 1949871 - SELinux is preventing /usr/libexec/platform-python3.6 from add_name access on the directory /var/log/hawkey.log
Summary: SELinux is preventing /usr/libexec/platform-python3.6 from add_name access on...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.6
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-15 09:47 UTC by dbodnarc
Modified: 2024-12-20 19:54 UTC
CC List: 9 users

Fixed In Version: selinux-policy-3.14.3-90.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 15:14:58 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1720639 1 high CLOSED SELinux is preventing /usr/libexec/platform-python3.6 from open access on the file /var/log/hawkey.log. 2024-06-13 22:11:20 UTC
Red Hat Product Errata RHBA-2022:1995 0 None None None 2022-05-10 15:15:33 UTC

Description dbodnarc 2021-04-15 09:47:14 UTC
AVC denial:
SELinux is preventing /usr/libexec/platform-python3.6 from add_name access on the directory /var/log/hawkey.log

Environment:
> RHEL8.3 (kernel-4.18.0-240.22.1.el8_3)
> selinux-policy-3.14.3-54.el8_3.3

Raw Audit Messages
----------------8<----------------
type=AVC msg=audit(1617833922.827:918): avc:  denied  { add_name } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1617833922.827:918): avc:  denied  { create } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1617833922.827:918): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=55fc374a6df0 a2=441 a3=1b6 items=2 ppid=1431 pid=33456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=CWD msg=audit(1617833922.827:918): cwd="/"
type=PATH msg=audit(1617833922.827:918): item=0 name="/var/log/" inode=2 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
type=PATH msg=audit(1617833922.827:918): item=1 name="/var/log/hawkey.log" inode=73 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_log_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
type=PROCTITLE msg=audit(1617833922.827:918): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
----------------8<----------------

# rpm -q selinux-policy
selinux-policy-3.14.3-54.el8_3.3.noarch

# sesearch --allow --source rhsmcertd_t --target var_log_t
allow application_domain_type logfile:file { append getattr ioctl lock };
allow daemon logfile:file { append getattr ioctl lock };
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow domain var_log_t:dir { getattr open search };
allow systemprocess logfile:file { append getattr ioctl lock };

There was BZ#1720639 covering open access for the /var/log/hawkey.log file, but it didn't cover cases when the file needs to be created (add_name + create).
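
Editor's note, added example: the script below is not code from this bug report, from setroubleshoot or from selinux-policy. It is a small parser for raw audit records of the kind pasted above. It groups records by event serial, extracts each denied permission with its subject domain, object type and class, joins in the SYSCALL and PATH records so you can see the executable, the open(2) flags and the label the object actually carries on disk, decodes the PROCTITLE hex, and finally prints the allow rules audit2allow would derive from the same records. SAMPLE_RECORDS is a constructed copy of the records above with the interpreted (ausearch -i) suffixes dropped; the flag and syscall-number decoding assumes x86_64, which is what the arch field in the SYSCALL record says.

```python
import re
from collections import OrderedDict, defaultdict

# Constructed sample: the raw records from the description, interpreted
# (ausearch -i) suffixes removed.
SAMPLE_RECORDS = """\
type=AVC msg=audit(1617833922.827:918): avc:  denied  { add_name } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1617833922.827:918): avc:  denied  { create } for  pid=33456 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1617833922.827:918): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=55fc374a6df0 a2=441 a3=1b6 items=2 ppid=1431 pid=33456 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=CWD msg=audit(1617833922.827:918): cwd="/"
type=PATH msg=audit(1617833922.827:918): item=0 name="/var/log/" inode=2 dev=fd:03 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
type=PATH msg=audit(1617833922.827:918): item=1 name="/var/log/hawkey.log" inode=73 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_log_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1617833922.827:918): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")

# open(2)/openat(2) flag bits for x86_64 (asm-generic/fcntl.h); enough to
# show why an open needed create/add_name and not just open/read.
OPEN_FLAGS = OrderedDict([("O_WRONLY", 0o1), ("O_RDWR", 0o2), ("O_CREAT", 0o100),
                          ("O_EXCL", 0o200), ("O_TRUNC", 0o1000), ("O_APPEND", 0o2000)])
OPEN_SYSCALLS_X86_64 = {"2", "257"}  # open, openat

def parse_records(text):
    """Group records by event serial; each record is (type, fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
        avc = AVC_RE.search(m.group("body"))
        if avc:  # the "{ perm ... }" part has no key=value form
            fields["verdict"] = avc.group("verdict")
            fields["perms"] = avc.group("perms").split()
        events[int(m.group("serial"))].append((m.group("type"), fields))
    return events

def type_of(context):
    """Type component of a user:role:type[:range] security context."""
    return context.split(":")[2]

def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded, NUL between arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")

def decode_open_flags(hexstr):
    value = int(hexstr, 16)
    names = [n for n, bit in OPEN_FLAGS.items() if value & bit]
    return names if value & 0o3 else ["O_RDONLY"] + names  # low two bits = access mode

def summarise_denials(text):
    """One entry per denied permission, joined with its SYSCALL and PATH context."""
    out = []
    for serial, records in sorted(parse_records(text).items()):
        by_type = defaultdict(list)
        for rtype, fields in records:
            by_type[rtype].append(fields)
        syscall = by_type["SYSCALL"][0] if by_type["SYSCALL"] else {}
        flags = None
        if syscall.get("arch") == "c000003e" and syscall.get("syscall") in OPEN_SYSCALLS_X86_64:
            flags = decode_open_flags(syscall["a2"])
        for avc in by_type["AVC"]:
            if avc.get("verdict") != "denied":
                continue
            # A dir-class denial is about the parent directory; otherwise pick
            # the PATH item whose basename is the object named in the AVC.
            if avc["tclass"] == "dir":
                hits = [p for p in by_type["PATH"] if p.get("nametype") == "PARENT"]
            else:
                hits = [p for p in by_type["PATH"]
                        if p.get("name", "").rstrip("/").rsplit("/", 1)[-1] == avc.get("name")]
            path = hits[0] if hits else {}
            for perm in avc["perms"]:
                out.append({
                    "serial": serial, "perm": perm, "tclass": avc["tclass"],
                    "source": type_of(avc["scontext"]), "target": type_of(avc["tcontext"]),
                    "permissive": avc.get("permissive") == "1",
                    "exe": syscall.get("exe"), "comm": avc.get("comm"),
                    "path": path.get("name"),
                    "on_disk_type": type_of(path["obj"]) if "obj" in path else None,
                    "open_flags": flags,
                })
    return out

def allow_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = OrderedDict()
    for d in denials:
        merged.setdefault((d["source"], d["target"], d["tclass"]), []).append(d["perm"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perms = sorted(set(perms))
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules

if __name__ == "__main__":
    denials = summarise_denials(SAMPLE_RECORDS)
    for d in denials:
        print("event %(serial)d: %(source)s denied %(perm)s on %(tclass)s %(path)s "
              "(policy type %(target)s, on disk %(on_disk_type)s, permissive=%(permissive)s)" % d)
    print("open flags:", denials[0]["open_flags"], "argv:",
          decode_proctitle(SAMPLE_RECORDS.rsplit("proctitle=", 1)[1].strip()))
    print("\n".join(allow_rules(denials)))
```

Run stand-alone it prints one line per denied permission, the decoded open flags and argv, and the two allow rules. What that makes visible: the worker (argv /usr/libexec/platform-python followed by /usr/libexec/rhsmcertd-worker) opened hawkey.log with O_WRONLY|O_CREAT|O_APPEND, so on a host where the file does not yet exist it needs add_name on the var_log_t directory and create on the new file, which is exactly the gap the reporter describes relative to BZ#1720639. The on_disk_type column is what ls -lZ shows and is the thing to compare against the denial's target type when deciding between restorecon and a policy change. The generated "allow rhsmcertd_t var_log_t:file create;" is what a local audit2allow module would install; in my view it is broader than intended, since it permits creating var_log_t-labelled files in /var/log while the listings later in this thread show hawkey.log carrying rpm_log_t. The distribution policy (the Fedora PR linked below) is the right place for the fix; its rules are not reproduced here.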

Comment 6 Zdenek Pytela 2022-02-04 08:47:04 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1045

Comment 18 errata-xmlrpc 2022-05-10 15:14:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

Comment 19 John 2022-07-28 06:00:35 UTC
Oh, it's fixed in 3.14.3-95, is it?

Jul 28 03:28:34 audccfots809 setroubleshoot[57764]: SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file /var/log/hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed read access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'yum' --raw | audit2allow -M my-yum
# semodule -X 300 -i my-yum.pp

[root@audccfots809 07-28 15:55:24 ~]# rpm -q selinux-policy
selinux-policy-3.14.3-95.el8.noarch

Hopeless.
Hopeless.
Hopeless.
Hopeless.
Hopeless.
Hopeless.
Hopeless.

Maybe you want to have another try?
Maybe get it properly fixed by the time RHEL 860 comes out, the year 6000 AD or so?

Comment 20 John 2022-07-28 06:09:29 UTC
Oh, and error on open access too:

Jul 28 03:28:34 audccfots809 setroubleshoot[57764]: SELinux is preventing /usr/libexec/platform-python3.6 from open access on the file /var/log/hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed open access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'yum' --raw | audit2allow -M my-yum
# semodule -X 300 -i my-yum.pp

Pitiful.

Comment 21 Milos Malik 2022-07-28 09:15:09 UTC
Please run the following commands and let us know if the problem still persists:

# ls -lZ /var/log/hawkey.log
# restorecon -v /var/log/hawkey.log

I assume that the /var/log/hawkey.log file is mislabeled (my guess is var_log_t). The restorecon command should correct the label to rpm_log_t.

Comment 22 Milos Malik 2022-07-28 09:22:38 UTC
The important questions are which process created the incorrectly labeled /var/log/hawkey.log file and how the file was created.
Was it created directly in /var/log directory or was it created elsewhere and then renamed?

Comment 23 John 2022-07-29 00:44:35 UTC
Nope.

The file is labelled rpm_log_t

Jul 29 02:22:01 audccfots809 setroubleshoot[121363]: SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file /var/log/hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that platform-python3.6 should be allowed read access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'yum' --raw | audit2allow -M my-yum
# semodule -X 300 -i my-yum.pp

[root@audccfots809 07-29 10:43:29 ~]# ls -lZ /var/log/hawkey.log
-rw-------. 1 root root system_u:object_r:rpm_log_t:s0 5940 Jul 29 10:03 /var/log/hawkey.log

[root@audccfots809 07-29 10:43:34 ~]# restorecon -v /var/log/hawkey.log
[root@audccfots809 07-29 10:43:46 ~]#

Comment 24 John 2022-07-29 00:48:15 UTC
Also, there are multiple hawkey logs, so they are being created via the normal process, and rotating like normal:

-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         5940 Jul 29 10:03 hawkey.log
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6360 Jul  3 02:39 hawkey.log-20220703
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6420 Jul 10 02:22 hawkey.log-20220710
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6780 Jul 17 01:49 hawkey.log-20220717
-rw-------. 1 root      root            system_u:object_r:rpm_log_t:s0                         6540 Jul 24 02:47 hawkey.log-20220724

And yet I still have these nonsense warnings spamming my logs.

Comment 25 John 2022-07-29 01:29:09 UTC
Fully updated vm(s), with:

[root@audccfots809 07-29 11:27:52 ~]# rpm -q selinux-policy
selinux-policy-3.14.3-95.el8.noarch

