Bug 2167731 - sos command running under wrong context
Summary: sos command running under wrong context
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.8
Hardware: All
OS: Linux
Priority: low
Severity: unspecified
Target Milestone: rc
Target Release: 8.9
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-02-07 12:11 UTC by Martin Kyral
Modified: 2023-07-25 14:48 UTC
CC List: 3 users

Fixed In Version: selinux-policy-3.14.3-124.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
Github fedora-selinux/selinux-policy pull 1791 (open): Label /usr/sbin/sos with sosreport_exec_t (last updated 2023-07-20 15:12:00 UTC)
Red Hat Issue Tracker RHELPLAN-147761 (last updated 2023-02-07 12:13:05 UTC)

Description Martin Kyral 2023-02-07 12:11:21 UTC
Description of problem:

The sosreport binary, which has been deprecated by sos:

# sosreport 
Please note the 'sosreport' command has been deprecated in favor of the new 'sos' command, E.G. 'sos report'.
Redirecting to 'sos report '


is running under sosreport_exec_t while the sos binary has just the bin_t context:

system_u:object_r:bin_t:s0            /usr/sbin/sos
system_u:object_r:bin_t:s0            /usr/sbin/sos-collector
system_u:object_r:sosreport_exec_t:s0 /usr/sbin/sosreport

That causes a ton of avc denials when the 'sos report' command is invoked instead of 'sosreport' as advised:

----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36119): item=0 name="/etc/audit/plugins.d/" inode=342578 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36119): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36119): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffab4a29b8 a2=90800 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36119): avc:  denied  { read } for  pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36120): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36120): item=0 name="/etc/audit/auditd.conf" inode=202049031 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36120): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36120): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffac34cfd8 a2=80000 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36120): avc:  denied  { read } for  pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
----

https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/02/75042/7504242/13345479/155853991/726493506/avc.log


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-115.el8



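The denials above all share the same shape: comm="sos" with scontext in abrt_t, i.e. the process is in the caller's domain instead of the sosreport_t domain the policy defines for it. The following is an added example, not part of the bug report, of how to pick exactly that condition out of audit.log: it keeps only type=AVC records for a given comm and reports the ones whose source type is not the expected domain. The first three sample records are copied from the description; the fourth (id 36121, comm="sosreport" running in sosreport_t) is constructed here so that a correctly confined process is shown not being flagged.

```shell
#!/bin/sh
# Added example, not from the bug report: detect a command that should be confined
# in a given SELinux domain but shows up in another one in audit.log, which is how
# a missing domain transition (wrong label on the executable) looks in the logs.

# Sample audit records. Records 36119/36120 are from the bug description (the
# SYSCALL line is included to show that non-AVC records are skipped); record 36121
# is constructed for this example and represents the expected, correctly confined case.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1675696725.124:36119): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffab4a29b8 a2=90800 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36119): avc:  denied  { read } for  pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1675696725.124:36120): avc:  denied  { read } for  pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1675696725.124:36121): avc:  denied  { read } for  pid=361350 comm="sosreport" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:sosreport_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0'

# wrong_domain COMM EXPECTED_TYPE  < audit.log
# For each AVC record whose comm is COMM, take the type field of scontext
# (user:role:type:range) and print "pid actual_type" when it differs from
# EXPECTED_TYPE. Output is deduplicated; nothing is printed when every record
# for COMM is already in the expected domain.
wrong_domain() {
    local comm_wanted="$1" expected="$2" line comm pid actual
    while IFS= read -r line; do
        case "$line" in
            "type=AVC "*) ;;        # only AVC records carry scontext/tcontext
            *) continue ;;
        esac
        comm=$(printf '%s\n' "$line" | sed -n 's/.* comm="\([^"]*\)".*/\1/p')
        [ "$comm" = "$comm_wanted" ] || continue
        pid=$(printf '%s\n' "$line" | sed -n 's/.* pid=\([0-9][0-9]*\).*/\1/p')
        actual=$(printf '%s\n' "$line" | sed -n 's/.* scontext=\([^ ]*\).*/\1/p' | cut -d: -f3)
        [ "$actual" = "$expected" ] || printf '%s %s\n' "$pid" "$actual"
    done | sort -u
}

# Usage: sos processes that are not in sosreport_t (prints "361345 abrt_t").
printf '%s\n' "$SAMPLE_AUDIT" | wrong_domain sos sosreport_t
```

On a live system feed it `ausearch -m AVC -ts recent --raw | wrong_domain sos sosreport_t`. A non-empty result means the executable that started the process did not carry the entry-point label the policy's type_transition rule keys on, which is what comment 3 below confirms with sesearch for this bug.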
Comment 1 Milos Malik 2023-02-07 13:51:29 UTC
# rpm -qa sos\* | sort
sos-4.4-4.el8.noarch
sos-audit-4.4-4.el8.noarch
# rpm -qla sos\* | grep bin | xargs matchpathcon
/usr/sbin/sos-audit.sh	system_u:object_r:bin_t:s0
/usr/sbin/sos	system_u:object_r:bin_t:s0
/usr/sbin/sos-collector	system_u:object_r:bin_t:s0
/usr/sbin/sosreport	system_u:object_r:sosreport_exec_t:s0
#

Comment 2 Milos Malik 2023-02-07 13:55:46 UTC
# ls -lZ /usr/sbin/sos*
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0             611 Nov  3 16:59 /usr/sbin/sos
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            2727 Oct 19  2018 /usr/sbin/sos-audit.sh
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            1080 Nov  3 16:59 /usr/sbin/sos-collector
-rwxr-xr-x. 1 root root system_u:object_r:sosreport_exec_t:s0 1072 Nov  3 16:59 /usr/sbin/sosreport
# file /usr/sbin/sos*
/usr/sbin/sos:           Python script, ASCII text executable
/usr/sbin/sos-audit.sh:  Bourne-Again shell script, ASCII text executable
/usr/sbin/sos-collector: Python script, ASCII text executable
/usr/sbin/sosreport:     Python script, ASCII text executable
#

Comment 3 Milos Malik 2023-02-07 14:02:16 UTC
Based on the information stored in the attached SELinux denials, the sos command was running under the abrt_t context. The transition defined in SELinux policy did NOT happen:

# rpm -qa selinux\*
selinux-policy-targeted-3.14.3-115.el8.noarch
selinux-policy-3.14.3-115.el8.noarch
# sesearch -s abrt_t -t sosreport_exec_t -c file -p execute -A
allow abrt_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow abrt_t sosreport_exec_t:file { execute execute_no_trans getattr ioctl map open read };
# sesearch -s abrt_t -t sosreport_exec_t -c process -T
type_transition abrt_t sosreport_exec_t:process sosreport_t;
# sesearch -s abrt_t -t sosreport_t -c process -p transition -A
allow abrt_t sosreport_t:process transition;
#

because the /usr/sbin/sos file is labeled bin_t.
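
Comment 1 and comment 3 together give the check an administrator can script while waiting for the fixed package: compare the type of each sos entry point with the type the fix expects and, for any mismatch, emit a local file-context rule. This is an added example, not code from the bug report or from selinux-policy. It assumes, per the linked pull request, that only /usr/sbin/sos changes label (sos-collector and sos-audit.sh stay bin_t), and it uses comment 1's matchpathcon output as sample input.

```shell
#!/bin/sh
# Added example, not from the bug report or selinux-policy: find sos entry points
# whose on-disk type differs from the type the policy fix expects, and print the
# local override to apply until selinux-policy-3.14.3-124.el8 is installed.

# Expected types. Assumption for this example: only /usr/sbin/sos is relabeled by
# the fix (pull request 1791 in the Links section); the other two remain bin_t.
EXPECTED_TYPES='/usr/sbin/sos sosreport_exec_t
/usr/sbin/sosreport sosreport_exec_t
/usr/sbin/sos-collector bin_t
/usr/sbin/sos-audit.sh bin_t'

# Sample input: the matchpathcon output from comment 1 (path, then context;
# matchpathcon separates them with a tab, whitespace splitting handles both).
SAMPLE_LABELS='/usr/sbin/sos-audit.sh system_u:object_r:bin_t:s0
/usr/sbin/sos system_u:object_r:bin_t:s0
/usr/sbin/sos-collector system_u:object_r:bin_t:s0
/usr/sbin/sosreport system_u:object_r:sosreport_exec_t:s0'

# expected_type PATH -> prints the expected type, or nothing if PATH is not tracked
expected_type() {
    printf '%s\n' "$EXPECTED_TYPES" | awk -v p="$1" '$1 == p { print $2 }'
}

# mislabeled  < matchpathcon-output
# Prints "PATH ACTUAL_TYPE EXPECTED_TYPE" for each tracked path whose type differs.
mislabeled() {
    local path ctx actual expected
    while read -r path ctx; do
        [ -n "$path" ] || continue
        actual=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level -> type
        expected=$(expected_type "$path")
        [ -n "$expected" ] || continue
        [ "$actual" = "$expected" ] || printf '%s %s %s\n' "$path" "$actual" "$expected"
    done
}

# fix_commands  < matchpathcon-output
# Emits a persistent local fcontext rule plus the relabel for each mismatch.
# restorecon alone is not enough: it would reapply bin_t from the shipped
# file_contexts, which is exactly the label this bug is about.
fix_commands() {
    mislabeled | while read -r path actual expected; do
        printf 'semanage fcontext -a -t %s %s\n' "$expected" "$path"
        printf 'restorecon -v %s\n' "$path"
    done
}

# Usage: on a real host replace the sample with
#   rpm -qla 'sos*' | grep bin | xargs matchpathcon | fix_commands
printf '%s\n' "$SAMPLE_LABELS" | fix_commands
```

Once the fixed selinux-policy package is installed, drop the local rule again with `semanage fcontext -d /usr/sbin/sos` so the shipped file_contexts are authoritative; leaving stale local rules in place is how labels drift between hosts.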

Comment 4 Zdenek Pytela 2023-02-07 19:19:37 UTC
Martine,

I cannot reproduce any problem with sos. Given the denials are for the abrt_t domain I suppose there was abrt running after some of the plugins failed - can you confirm it? Perhaps there was a coredump:

  # coredumpctl
  # abrt-cli list

If you need abrt to execute its handlers and be able to troubleshoot further, the following boolean needs to be turned on:

  # setsebool -P abrt_handle_event on

Refer to abrt_handle_event_selinux(8) for more information.

Comment 5 Martin Kyral 2023-02-16 10:13:36 UTC
Zdenku,

I am not sure if I understand your question correctly. Anyways, abrt gets spawned upon a crash so there is a coredump.

Because the issue is quite a serious one but has a simple fix on abrt side, we're going to revert the change in abrt (sosreport -> sos report) for 8.8.

Comment 7 Zdenek Pytela 2023-07-20 15:12:00 UTC
I probably just misunderstood the request, going to assign the same label for sos.
