Bug 504765 - Restarting RA throws selinux AVCs..
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: RA
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2009-06-09 05:38 EDT by Kashyap Chamarthy
Modified: 2015-01-04 18:39 EST

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:36:18 EDT
Description Kashyap Chamarthy 2009-06-09 05:38:48 EDT
Description of problem:
Restarting RA throws SELinux AVCs, but the RA wizard is still accessible.

Tried this on the June-8th build.

Steps to Reproduce:
1. service pki-ra restart

  
Actual results:
SELinux AVCs are thrown.

Expected result:
No SELinux alerts should be thrown.

Sealert and audit2allow info:

--------------------------------------------------
[root@tel53 export]# sealert -l e1fddddf-65c5-4bf2-a5aa-36b26dbb7308

Summary:

SELinux is preventing chmod (pki_ra_t) "fowner" to <Unknown> (pki_ra_t).

Detailed Description:

SELinux denied access requested by chmod. It is not expected that this access is
required by chmod and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ra_t
Target Context                user_u:system_r:pki_ra_t
Target Objects                None [ capability ]
Source                        chmod
Source Path                   /bin/chmod
Port                          <Unknown>
Host                          tel53.pnq.redhat.com
Source RPM Packages           coreutils-5.97-19.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     tel53.pnq.redhat.com
Platform                      Linux tel53.pnq.redhat.com 2.6.18-128.1.6.el5 #1
                              SMP Tue Mar 24 12:10:27 EDT 2009 i686 i686
Alert Count                   4
First Seen                    Wed Jun 10 02:59:46 2009
Last Seen                     Wed Jun 10 03:02:18 2009
Local ID                      e1fddddf-65c5-4bf2-a5aa-36b26dbb7308
Line Numbers                  

Raw Audit Messages            

host=tel53.pnq.redhat.com type=AVC msg=audit(1244583138.172:102): avc:  denied  { fowner } for  pid=18635 comm="chmod" capability=3 scontext=user_u:system_r:pki_ra_t:s0 tcontext=user_u:system_r:pki_ra_t:s0 tclass=capability

host=tel53.pnq.redhat.com type=SYSCALL msg=audit(1244583138.172:102): arch=40000003 syscall=15 success=no exit=-1 a0=9099090 a1=1b0 a2=80515d4 a3=0 items=0 ppid=18630 pid=18635 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:pki_ra_t:s0 key=(null)

---------------------------------------------------------------------

[root@tel53 export]# cat /var/log/audit/audit.log | audit2allow 


#============= pki_ca_t ==============
allow pki_ca_t pki_ca_var_lib_t:lnk_file create;
allow pki_ca_t rpm_var_lib_t:lnk_file { read getattr };

#============= pki_ra_t ==============
allow pki_ra_t self:capability fowner;

#============= vpnc_t ==============
allow vpnc_t default_t:dir { search getattr };
[root@tel53 export]#
Comment 1 Ade Lee 2009-06-09 11:32:47 EDT
Index: dogtag/selinux/pki-selinux.spec
===================================================================
--- dogtag/selinux/pki-selinux.spec     (revision 569)
+++ dogtag/selinux/pki-selinux.spec     (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.1.0
-%define base_release      6
+%define base_release      7
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -249,6 +249,8 @@
 ###############################################################################
 
 %changelog
+* Tue Jun 9 2009 Ade Lee <alee@redhat.com> 1.1.0-7
+- Bugzilla Bug 504765 - selinux messages when restarting RA
 * Fri May 29 2009 Ade Lee <alee@redhat.com> 1.1.0-6
 - Bugzilla Bug 495212 - selinux messages from startup/ install
 * Mon May 25 2009 Ade Lee <alee@redhat.com> 1.1.0-5
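Review bot: the changelog line "selinux messages when restarting RA" does not cover everything in this patch; besides the fowner capability for pki_ra_t, the pki.if hunk adds an rpm_var_lib_t symlink rule to the shared subsystem template, which corresponds to the pki_ca_t denial in the audit2allow output of the description, not to the RA alert. Naming both changes in the entry keeps release 1.1.0-7 traceable to the AVCs it fixes.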
Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if     (revision 569)
+++ base/selinux/src/pki.if     (working copy)
@@ -114,6 +114,7 @@
        manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
        read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
        files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+        allow $1_t rpm_var_lib_t:lnk_file { read getattr };
 
        manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
        manage_files_pattern($1_t, $1_log_t,  $1_log_t)
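Review bot: `allow $1_t rpm_var_lib_t:lnk_file { read getattr };` references a type owned by the rpm module from inside a template, so rpm_var_lib_t must appear in this interface's gen_require block (not visible in the hunk) or the module will not build; the idiomatic form is the rpm module's own read interface (rpm_read_db() in reference policy) or `read_lnk_files_pattern($1_t, rpm_var_lib_t, rpm_var_lib_t)` next to the pattern calls above it. Note also that the only denial on this page involving rpm_var_lib_t is for pki_ca_t, while the template grants it to every pki subsystem domain, and the other pki_ca_t line from audit2allow, `allow pki_ca_t pki_ca_var_lib_t:lnk_file create;`, is not addressed by this patch.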
@@ -660,7 +661,7 @@
 
         allow pki_ra_t lib_t:file execute_no_trans;
 
-        allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
+        allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner};
         allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
         allow pki_ra_t self:sem all_sem_perms;
         allow pki_ra_t self:tcp_socket create_stream_socket_perms;
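Review bot: the new `fowner` in `allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner};` carries no comment explaining why the RA domain needs it (the later TPS hunk has `#fowner needed for chmod`; the same note belongs here), and it is missing a space before the closing brace. The SYSCALL record shows chmod running as uid=0 on files it does not own, which is the only case in which the kernel consults CAP_FOWNER for chmod; if the restart script is changing modes on files that belong to the pki service user, running that step as the owner or fixing ownership would avoid widening the domain's capability set at all.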
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te     (revision 569)
+++ base/selinux/src/pki.te     (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.8)
+policy_module(pki,1.0.9)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
Comment 2 Ade Lee 2009-06-09 11:33:56 EDT
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug 504765 - selinux messages when restarting RA" 
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        dogtag/selinux/pki-selinux.spec
Transmitting file data ...
Committed revision 571.
Comment 3 Kashyap Chamarthy 2009-06-11 16:20:39 EDT
I've still noticed the below sealert and audit alert when I restart pki-ra.
-----------------------------------------------------------------

[root@drive /]# sealert -l 898aabcd-f10e-4fe6-8119-4d64e62e2774

Summary:

SELinux is preventing chmod (pki_ra_t) "fsetid" to <Unknown> (pki_ra_t).

Detailed Description:

SELinux denied access requested by chmod. It is not expected that this access is
required by chmod and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ra_t
Target Context                user_u:system_r:pki_ra_t
Target Objects                None [ capability ]
Source                        chmod
Source Path                   /bin/chmod
Port                          <Unknown>
Host                          drive.pnq.redhat.com
Source RPM Packages           coreutils-5.97-19.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     drive.pnq.redhat.com
Platform                      Linux drive.pnq.redhat.com 2.6.18-128.1.10.el5 #1
                              SMP Wed Apr 29 13:55:17 EDT 2009 i686 i686
Alert Count                   2
First Seen                    Fri Jun 12 01:43:27 2009
Last Seen                     Fri Jun 12 01:43:29 2009
Local ID                      898aabcd-f10e-4fe6-8119-4d64e62e2774
Line Numbers                  

Raw Audit Messages            

host=drive.pnq.redhat.com type=AVC msg=audit(1244751209.511:70): avc:  denied  { fsetid } for  pid=14524 comm="chmod" capability=4 scontext=user_u:system_r:pki_ra_t:s0 tcontext=user_u:system_r:pki_ra_t:s0 tclass=capability

host=drive.pnq.redhat.com type=AVC msg=audit(1244751209.511:70): avc:  denied  { fsetid } for  pid=14524 comm="chmod" capability=4 scontext=user_u:system_r:pki_ra_t:s0 tcontext=user_u:system_r:pki_ra_t:s0 tclass=capability

host=drive.pnq.redhat.com type=SYSCALL msg=audit(1244751209.511:70): arch=40000003 syscall=15 success=yes exit=0 a0=8a90090 a1=1b0 a2=80515d4 a3=0 items=0 ppid=14517 pid=14524 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:pki_ra_t:s0 key=(null)

--------------------------------------------

[root@drive /]# cat /var/log/audit/* | audit2allow 


#============= initrc_t ==============
allow initrc_t unlabeled_t:key search;

#============= pki_ra_t ==============
allow pki_ra_t self:capability fsetid;

#============= unconfined_t ==============
allow unconfined_t lib_t:file execmod;
allow unconfined_t usr_t:file execmod;
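Example code added here (not from the bug report or the Dogtag project) that triages AVC records like the ones above: it pairs each denied AVC with the SYSCALL record sharing its audit serial, and treats a denial whose syscall still returned success=yes, like the fsetid one in this comment, as a candidate for dontaudit rather than allow. The sample lines are the two pairs quoted in this report with sealert's host= prefix removed; the allow-versus-dontaudit choice is a triage heuristic, not a policy decision.

```python
import re
from collections import defaultdict
# Constructed sample: the two AVC/SYSCALL pairs quoted in this bug, with the
# host= prefix that sealert adds removed so they look like raw audit.log lines.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1244583138.172:102): avc:  denied  { fowner } for  pid=18635 comm="chmod" capability=3 scontext=user_u:system_r:pki_ra_t:s0 tcontext=user_u:system_r:pki_ra_t:s0 tclass=capability
type=SYSCALL msg=audit(1244583138.172:102): arch=40000003 syscall=15 success=no exit=-1 a0=9099090 a1=1b0 a2=80515d4 a3=0 items=0 ppid=18630 pid=18635 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:pki_ra_t:s0 key=(null)
type=AVC msg=audit(1244751209.511:70): avc:  denied  { fsetid } for  pid=14524 comm="chmod" capability=4 scontext=user_u:system_r:pki_ra_t:s0 tcontext=user_u:system_r:pki_ra_t:s0 tclass=capability
type=AVC msg=audit(1244751209.511:70): avc:  denied  { fsetid } for  pid=14524 comm="chmod" capability=4 scontext=user_u:system_r:pki_ra_t:s0 tcontext=user_u:system_r:pki_ra_t:s0 tclass=capability
type=SYSCALL msg=audit(1244751209.511:70): arch=40000003 syscall=15 success=yes exit=0 a0=8a90090 a1=1b0 a2=80515d4 a3=0 items=0 ppid=14517 pid=14524 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:pki_ra_t:s0 key=(null)
"""

def parse_record(line):
    """Return (type, serial, fields) for one audit line, or None if it is not one."""
    m = re.match(r'type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)', line)
    if not m:
        return None
    rtype, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
    if rtype == "AVC":  # pull the verdict and the permission set out of the avc: text
        d = re.search(r'(denied|granted)\s+\{ ([^}]+) \}', body)
        fields["result"], fields["perms"] = d.group(1), d.group(2).split()
    return rtype, serial, fields

def triage(audit_text):
    """Pair each denied AVC with the SYSCALL record sharing its audit serial."""
    events = defaultdict(list)
    for line in audit_text.splitlines():
        parsed = parse_record(line)
        if parsed and parsed not in events[parsed[1]]:  # sealert repeats AVC lines
            events[parsed[1]].append(parsed)
    findings = []
    for serial, recs in events.items():
        sysc = next((f for t, _, f in recs if t == "SYSCALL"), {})
        for rtype, _, avc in recs:
            if rtype != "AVC" or avc["result"] != "denied":
                continue
            failed = sysc.get("success") == "no"
            # Denied but the syscall still succeeded: the kernel only degraded the
            # call (chmod without CAP_FSETID just drops S_ISGID), so dontaudit it.
            findings.append({"serial": serial, "avc": avc, "syscall_failed": failed,
                             "suggestion": "allow" if failed else "dontaudit"})
    return findings

def policy_rule(f):
    """Render a finding as the rule a policy author would put in the .te/.if file."""
    avc, domain = f["avc"], f["avc"]["scontext"].split(":")[2]
    target = "self" if avc["tclass"] == "capability" else avc["tcontext"].split(":")[2]
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "%s %s %s:%s %s;" % (f["suggestion"], domain, target, avc["tclass"], perms)
```

Run `triage(SAMPLE_AUDIT)` and feed each finding to `policy_rule()`; the fowner event (chmod failed) yields an allow rule, the fsetid event (chmod succeeded) a dontaudit rule.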
Comment 4 Kashyap Chamarthy 2009-06-15 08:02:58 EDT
Checked with June-13th build, still see the AVCs in Comment #3
Comment 5 Ade Lee 2009-06-15 11:34:17 EDT
Added the fsetid capability. Confirmed this is the only one needed.

Index: ../../base/selinux/src/pki.if
===================================================================
--- ../../base/selinux/src/pki.if       (revision 585)
+++ ../../base/selinux/src/pki.if       (working copy)
@@ -492,7 +492,7 @@
         allow pki_tps_t lib_t:file execute_no_trans;
 
         #fowner needed for chmod
-        allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner};
+        allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
         allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem};
         allow pki_tps_t self:sem all_sem_perms;
         allow pki_tps_t self:tcp_socket create_stream_socket_perms;
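Review bot: this hunk extends pki_tps_t with fsetid, but the only fsetid denial on this page is for pki_ra_t and the comment says the RA capability was confirmed as the only one needed; either cite a TPS denial or keep the TPS change out of this bug. The `#fowner needed for chmod` comment directly above the changed line should also be updated to mention fsetid.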
@@ -661,7 +661,7 @@
 
         allow pki_ra_t lib_t:file execute_no_trans;
 
-        allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner};
+        allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
         allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
         allow pki_ra_t self:sem all_sem_perms;
         allow pki_ra_t self:tcp_socket create_stream_socket_perms;
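Review bot: the SYSCALL record paired with the fsetid AVC in comment 3 shows `success=yes exit=0`, so the chmod completed; the kernel consults CAP_FSETID on a chmod by a process outside the file's group only to decide whether to clear the setgid bit, and the requested mode a1=1b0 (0660) has no setgid bit to keep. The denial was therefore harmless, and the usual reference-policy treatment is `dontaudit pki_ra_t self:capability fsetid;` rather than adding it to the allow list, which grants the RA domain the ability to set setgid on files in groups it does not belong to.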
Index: ../../base/selinux/src/pki.te
===================================================================
--- ../../base/selinux/src/pki.te       (revision 585)
+++ ../../base/selinux/src/pki.te       (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.9)
+policy_module(pki,1.0.10)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
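Review bot: the policy_module version goes to 1.0.10 here, but unlike the comment 1 patch this diff omits the pki-selinux.spec release and changelog bump, even though comment 6 shows the spec file being committed alongside pki.if and pki.te; post the spec hunk too so the reviewed patch matches what was committed.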
Comment 6 Ade Lee 2009-06-15 11:36:47 EDT
[builder@dhcp231-124 pki]$ svn ci -m "selinux svc when restarting RA" 
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        dogtag/selinux/pki-selinux.spec
Transmitting file data ...
Committed revision 611.
Comment 7 Kashyap Chamarthy 2009-06-24 05:39:54 EDT
Verified. Jun-19 CS8.0 build. No AVCs were thrown when pki-ca was restarted.
Comment 8 Kashyap Chamarthy 2009-06-24 05:41:02 EDT
Typo in comment #7. Please s/pki-ca/pki-ra/
