Bug 2167731
| Summary: | sos command running under wrong context | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Kyral <mkyral> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | ||
| Version: | 8.8 | CC: | lvrabec, mmalik |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-124.el8 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-14 15:47:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
# rpm -qa sos\* | sort sos-4.4-4.el8.noarch sos-audit-4.4-4.el8.noarch # rpm -qla sos\* | grep bin | xargs matchpathcon /usr/sbin/sos-audit.sh system_u:object_r:bin_t:s0 /usr/sbin/sos system_u:object_r:bin_t:s0 /usr/sbin/sos-collector system_u:object_r:bin_t:s0 /usr/sbin/sosreport system_u:object_r:sosreport_exec_t:s0 # # ls -lZ /usr/sbin/sos* -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 611 Nov 3 16:59 /usr/sbin/sos -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 2727 Oct 19 2018 /usr/sbin/sos-audit.sh -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1080 Nov 3 16:59 /usr/sbin/sos-collector -rwxr-xr-x. 1 root root system_u:object_r:sosreport_exec_t:s0 1072 Nov 3 16:59 /usr/sbin/sosreport # file /usr/sbin/sos* /usr/sbin/sos: Python script, ASCII text executable /usr/sbin/sos-audit.sh: Bourne-Again shell script, ASCII text executable /usr/sbin/sos-collector: Python script, ASCII text executable /usr/sbin/sosreport: Python script, ASCII text executable # Based on the information stored in the attached SELinux denials, the sos command was running under the abrt_t context. The transition defined in SELinux policy did NOT happen:
# rpm -qa selinux\*
selinux-policy-targeted-3.14.3-115.el8.noarch
selinux-policy-3.14.3-115.el8.noarch
# sesearch -s abrt_t -t sosreport_exec_t -c file -p execute -A
allow abrt_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow abrt_t sosreport_exec_t:file { execute execute_no_trans getattr ioctl map open read };
# sesearch -s abrt_t -t sosreport_exec_t -c process -T
type_transition abrt_t sosreport_exec_t:process sosreport_t;
# sesearch -s abrt_t -t sosreport_t -c process -p transition -A
allow abrt_t sosreport_t:process transition;
#
because the /usr/sbin/sos file is labeled bin_t.
Martine, I cannot reproduce any problem with sos. Given the denials are for the abrt_t domain I suppose there was abrt running after some of the plugins failed - can you confirm it? Perhaps there was a coredump: # coredumpctl # abrt-cli list If you need abrt to t execute its handlers and be able to troubleshoot further, the following boolean needs to be turned on: # setsebool -P abrt_handle_event on Refer to abrt_handle_event_selinux(8) for more information. Zdenku, I am not sure if I understand your question correctly. Anyways, abrt gets spawned upon a crash so there is a coredump. Because the issue is quite a serious one but has a simple fix on abrt side, we're going to revert the change in abrt (sosreport -> sos report) for 8.8. I probably just misunderstood the request, going to assign the same label for sos. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:7091 |
Description of problem: The sosreport binary, which has been deprecated by sos: # sosreport Please note the 'sosreport' command has been deprecated in favor of the new 'sos' command, E.G. 'sos report'. Redirecting to 'sos report ' is running under sosreport_exec_t while the sos binary has just the bin_t context: system_u:object_r:bin_t:s0 /usr/sbin/sos system_u:object_r:sosreport_exec_t:s0 /usr/sbin/sosreport system_u:object_r:bin_t:s0 /usr/sbin/sos-collector That causes a ton of avc denials when the 'sos report' command is invoked instead of 'sosreport' as advised: ---- time->Mon Feb 6 10:18:45 2023 type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463 type=PATH msg=audit(1675696725.124:36119): item=0 name="/etc/audit/plugins.d/" inode=342578 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1675696725.124:36119): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507" type=SYSCALL msg=audit(1675696725.124:36119): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffab4a29b8 a2=90800 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1675696725.124:36119): avc: denied { read } for pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0 ---- time->Mon Feb 6 10:18:45 2023 type=PROCTITLE msg=audit(1675696725.124:36120): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463 type=PATH msg=audit(1675696725.124:36120): item=0 name="/etc/audit/auditd.conf" inode=202049031 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1675696725.124:36120): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507" type=SYSCALL msg=audit(1675696725.124:36120): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffac34cfd8 a2=80000 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1675696725.124:36120): avc: denied { read } for pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0 ---- https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/02/75042/7504242/13345479/155853991/726493506/avc.log Version-Release number of selected component (if applicable): selinux-policy-3.14.3-115.el8 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: