2167731 – sos command running under wrong context

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2167731 - sos command running under wrong context

Summary: sos command running under wrong context

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.8
Hardware:	All
OS:	Linux
Priority:	low
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.9
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-02-07 12:11 UTC by Martin Kyral
Modified:	2023-11-14 17:57 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-3.14.3-124.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-14 15:47:42 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1791	None	open	Label /usr/sbin/sos with sosreport_exec_t	2023-07-20 15:12:00 UTC
Red Hat Issue Tracker	RHELPLAN-147761	None	None	None	2023-02-07 12:13:05 UTC
Red Hat Product Errata	RHBA-2023:7091	None	None	None	2023-11-14 15:48:02 UTC

Description Martin Kyral 2023-02-07 12:11:21 UTC

Description of problem:

The sosreport binary, which has been deprecated by sos:

# sosreport 
Please note the 'sosreport' command has been deprecated in favor of the new 'sos' command, E.G. 'sos report'.
Redirecting to 'sos report '


is running under sosreport_exec_t while the sos binary has just the bin_t context:

system_u:object_r:bin_t:s0 /usr/sbin/sos            system_u:object_r:sosreport_exec_t:s0 /usr/sbin/sosreport
system_u:object_r:bin_t:s0 /usr/sbin/sos-collector

That causes a ton of avc denials when the 'sos report' command is invoked instead of 'sosreport' as advised:

----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36119): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36119): item=0 name="/etc/audit/plugins.d/" inode=342578 dev=fd:00 mode=040750 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36119): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36119): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffab4a29b8 a2=90800 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36119): avc:  denied  { read } for  pid=361345 comm="sos" name="plugins.d" dev="dm-0" ino=342578 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=dir permissive=0
----
time->Mon Feb  6 10:18:45 2023
type=PROCTITLE msg=audit(1675696725.124:36120): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002D73002F7573722F7362696E2F736F73007265706F7274002D2D746D702D646972002F7661722F73706F6F6C2F616272742F6C69627265706F72742D323032332D30322D30362D31303A31383A34342E3130343133362D3731353037002D2D62617463
type=PATH msg=audit(1675696725.124:36120): item=0 name="/etc/audit/auditd.conf" inode=202049031 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1675696725.124:36120): cwd="/var/spool/abrt/libreport-2023-02-06-10:18:44.104136-71507"
type=SYSCALL msg=audit(1675696725.124:36120): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=3ffac34cfd8 a2=80000 a3=0 items=1 ppid=361344 pid=361345 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sos" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1675696725.124:36120): avc:  denied  { read } for  pid=361345 comm="sos" name="auditd.conf" dev="dm-0" ino=202049031 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
----

https://beaker-archive.hosts.prod.psi.bos.redhat.com/beaker-logs/2023/02/75042/7504242/13345479/155853991/726493506/avc.log


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-115.el8


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Milos Malik 2023-02-07 13:51:29 UTC

# rpm -qa sos\* | sort
sos-4.4-4.el8.noarch
sos-audit-4.4-4.el8.noarch
# rpm -qla sos\* | grep bin | xargs matchpathcon
/usr/sbin/sos-audit.sh	system_u:object_r:bin_t:s0
/usr/sbin/sos	system_u:object_r:bin_t:s0
/usr/sbin/sos-collector	system_u:object_r:bin_t:s0
/usr/sbin/sosreport	system_u:object_r:sosreport_exec_t:s0
#

Comment 2 Milos Malik 2023-02-07 13:55:46 UTC

# ls -lZ /usr/sbin/sos*
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0             611 Nov  3 16:59 /usr/sbin/sos
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            2727 Oct 19  2018 /usr/sbin/sos-audit.sh
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0            1080 Nov  3 16:59 /usr/sbin/sos-collector
-rwxr-xr-x. 1 root root system_u:object_r:sosreport_exec_t:s0 1072 Nov  3 16:59 /usr/sbin/sosreport
# file /usr/sbin/sos*
/usr/sbin/sos:           Python script, ASCII text executable
/usr/sbin/sos-audit.sh:  Bourne-Again shell script, ASCII text executable
/usr/sbin/sos-collector: Python script, ASCII text executable
/usr/sbin/sosreport:     Python script, ASCII text executable
#

Comment 3 Milos Malik 2023-02-07 14:02:16 UTC

Based on the information stored in the attached SELinux denials, the sos command was running under the abrt_t context. The transition defined in SELinux policy did NOT happen:

# rpm -qa selinux\*
selinux-policy-targeted-3.14.3-115.el8.noarch
selinux-policy-3.14.3-115.el8.noarch
# sesearch -s abrt_t -t sosreport_exec_t -c file -p execute -A
allow abrt_t exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
allow abrt_t sosreport_exec_t:file { execute execute_no_trans getattr ioctl map open read };
# sesearch -s abrt_t -t sosreport_exec_t -c process -T
type_transition abrt_t sosreport_exec_t:process sosreport_t;
# sesearch -s abrt_t -t sosreport_t -c process -p transition -A
allow abrt_t sosreport_t:process transition;
#

because the /usr/sbin/sos file is labeled bin_t.

Comment 4 Zdenek Pytela 2023-02-07 19:19:37 UTC

Martine,

I cannot reproduce any problem with sos. Given the denials are for the abrt_t domain I suppose there was abrt running after some of the plugins failed - can you confirm it? Perhaps there was a coredump:

  # coredumpctl
  # abrt-cli list

If you need abrt to t execute its handlers and be able to troubleshoot further, the following boolean needs to be turned on:

  # setsebool -P abrt_handle_event on

Refer to abrt_handle_event_selinux(8) for more information.

Comment 5 Martin Kyral 2023-02-16 10:13:36 UTC

Zdenku,

I am not sure if I understand your question correctly. Anyways, abrt gets spawned upon a crash so there is a coredump.

Because the issue is quite a serious one but has a simple fix on abrt side, we're going to revert the change in abrt (sosreport -> sos report) for 8.8.

Comment 7 Zdenek Pytela 2023-07-20 15:12:00 UTC

I probably just misunderstood the request, going to assign the same label for sos.

Comment 15 errata-xmlrpc 2023-11-14 15:47:42 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091

Note You need to log in before you can comment on or make changes to this bug.