Description of problem:
The sosreport binary, which has been deprecated by sos:

# sosreport
Please note the 'sosreport' command has been deprecated in favor of the new 'sos' command, E.G. 'sos report'.
Redirecting to 'sos report '

is running under sosreport_exec_t while the sos binary has just the bin_t context:

system_u:object_r:bin_t:s0             /usr/sbin/sos
system_u:object_r:sosreport_exec_t:s0  /usr/sbin/sosreport
system_u:object_r:bin_t:s0             /usr/sbin/sos-collector

That causes a ton of avc denials when the 'sos report' command is invoked instead of 'sosreport' as advised:

----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36119): item=0 name="/etc/audit/plugins.d/" inode=342578 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36119): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36119): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffab4a29b8 a2=90800 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36119): avc:  denied  { read } for  pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36120): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36120): item=0 name="/etc/audit/auditd.conf" inode=202049031 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36120): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36120): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffac34cfd8 a2=80000 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36120): avc:  denied  { read } for  pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
----

https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/02/75042/7504242/13345479/155853991/726493506/avc.log

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-115.el8

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
# rpm -qa sos\* | sort
sos-4.4-4.el8.noarch
sos-audit-4.4-4.el8.noarch
# rpm -qla sos\* | grep bin | xargs matchpathcon
/usr/sbin/sos-audit.sh	system_u:object_r:bin_t:s0
/usr/sbin/sos	system_u:object_r:bin_t:s0
/usr/sbin/sos-collector	system_u:object_r:bin_t:s0
/usr/sbin/sosreport	system_u:object_r:sosreport_exec_t:s0
#
# ls -lZ /usr/sbin/sos*
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0             611 Nov  3 16:59 /usr/sbin/sos
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            2727 Oct 19  2018 /usr/sbin/sos-audit.sh
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            1080 Nov  3 16:59 /usr/sbin/sos-collector
-rwxr-xr-x. 1 root root system_u:object_r:sosreport_exec_t:s0 1072 Nov  3 16:59 /usr/sbin/sosreport
# file /usr/sbin/sos*
/usr/sbin/sos:           Python script, ASCII text executable
/usr/sbin/sos-audit.sh:  Bourne-Again shell script, ASCII text executable
/usr/sbin/sos-collector: Python script, ASCII text executable
/usr/sbin/sosreport:     Python script, ASCII text executable
#
Based on the information stored in the attached SELinux denials, the sos command was running under the abrt_t context. The transition defined in SELinux policy did NOT happen:

# rpm -qa selinux\*
selinux-policy-targeted-3.14.3-115.el8.noarch
selinux-policy-3.14.3-115.el8.noarch
# sesearch -s abrt_t -t sosreport_exec_t -c file -p execute -A
allow abrt_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow abrt_t sosreport_exec_t:file { execute execute_no_trans getattr ioctl map open read };
# sesearch -s abrt_t -t sosreport_exec_t -c process -T
type_transition abrt_t sosreport_exec_t:process sosreport_t;
# sesearch -s abrt_t -t sosreport_t -c process -p transition -A
allow abrt_t sosreport_t:process transition;
#

because the /usr/sbin/sos file is labeled bin_t.
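The analysis above reads the source context out of the raw AVC records by hand. Added example (not part of the bug report or of sos/abrt/selinux-policy): a small Python parser that pulls the AVC fields and the hex-encoded PROCTITLE out of audit records, decodes the process command line, and flags a process whose source domain differs from the domain the policy's type_transition would have produced. The sample records are copied from the description; the expected-domain mapping (comm "sos" should run as sosreport_t) comes from the sesearch output above, and the function and variable names are this example's own.

```python
"""Parse audit AVC/PROCTITLE records and flag processes running in an
unexpected SELinux domain (added example, not code from the bug report)."""
import re
from collections import Counter

# Constructed sample: two records quoted in the bug description. Only the
# PROCTITLE and AVC lines matter here; the SYSCALL/CWD/PATH lines are omitted.
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=AVC msg=audit(1675696725.124:36119): avc:  denied  { read } for  pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1675696725.124:36120): avc:  denied  { read } for  pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
"""

PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<value>\S+)')
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]*)\} for +'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def decode_proctitle(value):
    """PROCTITLE is hex-encoded argv with NUL separators when the command line
    contains non-printable bytes; otherwise auditd emits a quoted string."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [arg.decode('utf-8', 'replace') for arg in bytes.fromhex(value).split(b'\x00')]


def domain_of(context):
    """Return the type field of user:role:type:range."""
    return context.split(':')[2]


def parse_avc_log(text):
    """Return one dict per AVC record, with the decoded argv of the matching
    PROCTITLE record (matched by audit serial) attached as 'argv'."""
    proctitles, records = {}, []
    for line in text.splitlines():
        m = PROCTITLE_RE.search(line)
        if m:
            proctitles[m.group('serial')] = decode_proctitle(m.group('value'))
            continue
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec['perms'] = tuple(sorted(rec['perms'].split()))
            records.append(rec)
    # In a raw audit.log the AVC line precedes its PROCTITLE line, so join afterwards.
    for rec in records:
        rec['argv'] = proctitles.get(rec['serial'], [])
    return records


def summarize(records, expected_domain):
    """Count denials by (comm, source type, target type, class, perms) and
    list processes whose source domain is not the one expected for that comm."""
    counts = Counter()
    wrong_domain = set()
    for r in records:
        src, tgt = domain_of(r['scontext']), domain_of(r['tcontext'])
        counts[(r['comm'], src, tgt, r['tclass'], r['perms'])] += 1
        want = expected_domain.get(r['comm'])
        if want and src != want:
            wrong_domain.add((r['comm'], src, want))
    return counts, sorted(wrong_domain)


if __name__ == '__main__':
    recs = parse_avc_log(SAMPLE_AUDIT_LOG)
    counts, wrong = summarize(recs, {'sos': 'sosreport_t'})
    for key, n in counts.items():
        print(n, *key)
    for comm, actual, want in wrong:
        print(f'{comm}: ran as {actual}, policy transition would give {want}')
    print('argv of first record:', recs[0]['argv'])
```

Run against the real avc.log the same way; a non-empty "wrong domain" list is the signature of this bug (the executable was entered without the domain transition, here because /usr/sbin/sos carries bin_t instead of sosreport_exec_t). The decoded argv also shows directly that abrt ran `/usr/sbin/sos report` rather than `/usr/sbin/sosreport`.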
Martine, I cannot reproduce any problem with sos. Given the denials are for the abrt_t domain I suppose there was abrt running after some of the plugins failed - can you confirm it? Perhaps there was a coredump:

# coredumpctl
# abrt-cli list

If you need abrt to execute its handlers and be able to troubleshoot further, the following boolean needs to be turned on:

# setsebool -P abrt_handle_event on

Refer to abrt_handle_event_selinux(8) for more information.
Zdenku, I am not sure if I understand your question correctly. Anyways, abrt gets spawned upon a crash so there is a coredump. Because the issue is quite a serious one but has a simple fix on abrt side, we're going to revert the change in abrt (sosreport -> sos report) for 8.8.
I probably just misunderstood the request, going to assign the same label for sos.