Bug 529570 - SELinux audits of denies with osa_dispatcher_t and spacewalk_monitoring_t
Summary: SELinux audits of denies with osa_dispatcher_t and spacewalk_monitoring_t
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 0.6
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space08
Reported: 2009-10-18 18:54 UTC by Vasiliy Kotikov
Modified: 2010-02-16 12:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-02-16 12:56:18 UTC
Embargoed:


Attachments:
Audit log (76.21 KB, text/plain), 2009-10-18 18:54 UTC, Vasiliy Kotikov

Description Vasiliy Kotikov 2009-10-18 18:54:23 UTC
Created attachment 365167 [details]
Audit log

Description of problem:
On a working installed server with Spacewalk, SELinux audit produces alerts of denies regarding spacewalk_monitoring_t and osa_dispatcher_t.

sudo audit2allow -v -i /var/log/audit/audit.log


#============= httpd_t ==============
# src="httpd_t" tgt="httpd_log_t" class="file", perms="unlink"
# comm="httpd" exe="" path=""
allow httpd_t httpd_log_t:file unlink;

#============= osa_dispatcher_t ==============
# src="osa_dispatcher_t" tgt="osa_dispatcher_t" class="netlink_route_socket", perms="{ read bind create nlmsg_read write getattr }"
# comm="osa-dispatcher" exe="" path=""
allow osa_dispatcher_t self:netlink_route_socket { write getattr read bind create nlmsg_read };

#============= spacewalk_monitoring_t ==============
# src="spacewalk_monitoring_t" tgt="spacewalk_monitoring_t" class="process", perms="setpgid"
# comm="gogo.pl" exe="" path=""
allow spacewalk_monitoring_t self:process setpgid;
# src="spacewalk_monitoring_t" tgt="winbind_t" class="unix_stream_socket", perms="connectto"
# comm="gogo.pl" exe="" path=""
allow spacewalk_monitoring_t winbind_t:unix_stream_socket connectto;
# src="spacewalk_monitoring_t" tgt="winbind_var_run_t" class="sock_file", perms="{ write getattr }"
# comm="gogo.pl" exe="" path=""
allow spacewalk_monitoring_t winbind_var_run_t:sock_file { write getattr };
[elnone@uni076 ~]$ whereis gogo.pl
gogo: /usr/bin/gogo.pl

SE perms on gogo.pl are:

ls -AlZ /usr/bin/gogo.pl
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/bin/gogo.pl

Version-Release number of selected component (if applicable):
spacewalk-certs-tools-0.6.3-1.el5
spacewalk-backend-server-0.6.31-1.el5
spacewalk-backend-app-0.6.31-1.el5
spacewalk-backend-iss-export-0.6.31-1.el5
spacewalk-backend-applet-0.6.31-1.el5
spacewalk-pxt-0.6.20-1.el5
spacewalk-grail-0.6.20-1.el5
spacewalk-java-0.6.47-1.el5
spacewalk-monitoring-0.6.7-1.el5
spacewalk-schema-0.6.22-1.el5
spacewalk-java-config-0.6.47-1.el5
spacewalk-branding-0.6.8-1.el5
spacewalk-html-0.6.20-1.el5
spacewalk-backend-0.6.31-1.el5
spacewalk-backend-xml-export-libs-0.6.31-1.el5
spacewalk-search-0.6.11-1.el5
spacewalk-backend-package-push-server-0.6.31-1.el5
spacewalk-monitoring-selinux-0.6.12-1.el5
spacewalk-cypress-0.6.20-1.el5
spacewalk-selinux-0.6.13-1.el5
spacewalk-java-lib-0.6.47-1.el5
spacewalk-doc-indexes-0.6.1-1.el5
spacewalk-backend-config-files-common-0.6.31-1.el5
spacewalk-backend-config-files-0.6.31-1.el5
spacewalk-backend-iss-0.6.31-1.el5
spacewalk-base-0.6.20-1.el5
spacewalk-backend-tools-0.6.31-1.el5
spacewalk-sniglets-0.6.20-1.el5
spacewalk-setup-0.6.21-1.el5
spacewalk-0.6.4-1.el5
spacewalk-config-0.6.13-1.el5
spacewalk-backend-sql-0.6.31-1.el5
spacewalk-backend-xmlrpc-0.6.31-1.el5
spacewalk-backend-config-files-tool-0.6.31-1.el5
spacewalk-backend-xp-0.6.31-1.el5
spacewalk-base-minimal-0.6.20-1.el5
spacewalk-admin-0.6.3-1.el5
spacewalk-moon-0.6.20-1.el5
spacewalk-taskomatic-0.6.47-1.el5


How reproducible:
Default install and restart the services with SELinux enabled in Permissive or Enforcing mode.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
SELinux alarms of denied access.

Expected results:
No SELinux messages.

Additional info:
The Spacewalk was installed on RHEL 5.4 updated via RHN.

Comment 1 Jan Pazdziora (Red Hat) 2009-10-19 07:19:52 UTC
The result of # grep AVC audit.log is:

type=AVC msg=audit(1255874337.277:570): avc:  denied  { create } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874337.277:571): avc:  denied  { bind } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874337.278:572): avc:  denied  { getattr } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874337.278:573): avc:  denied  { write } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874337.278:573): avc:  denied  { nlmsg_read } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874337.279:574): avc:  denied  { read } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874342.797:579): avc:  denied  { unlink } for  pid=10061 comm="httpd" name="ssl_mutex" dev=sda2 ino=1379492 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1255874345.872:580): avc:  denied  { setpgid } for  pid=10110 comm="gogo.pl" scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=user_u:system_r:spacewalk_monitoring_t:s0 tclass=process
type=AVC msg=audit(1255874345.902:581): avc:  denied  { getattr } for  pid=10111 comm="gogo.pl" path="/var/run/winbindd/pipe" dev=sda2 ino=1245375 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1255874345.903:582): avc:  denied  { write } for  pid=10111 comm="gogo.pl" name="pipe" dev=sda2 ino=1245375 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1255874345.903:582): avc:  denied  { connectto } for  pid=10111 comm="gogo.pl" path="/var/run/winbindd/pipe" scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
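The grep above lists the raw AVC records; the allow rules in the report are what audit2allow produces by aggregating them. Below is an added example (not part of the bug report, nor Spacewalk code) that parses records of this shape and aggregates denials per source type, target type and object class, so the resulting rules can be reviewed one by one (as comment 4 asks for winbind) rather than loaded wholesale. The sample records are constructed in the shape of the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records plus one non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1255874337.277:570): avc:  denied  { create } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874337.277:571): avc:  denied  { bind } for  pid=9520 comm="osa-dispatcher" scontext=user_u:system_r:osa_dispatcher_t:s0 tcontext=user_u:system_r:osa_dispatcher_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1255874345.903:582): avc:  denied  { connectto } for  pid=10111 comm="gogo.pl" path="/var/run/winbindd/pipe" scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:system_r:winbind_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1255874345.903:582): arch=c000003e syscall=42 success=no exit=-13
"""

# Fields of a denied AVC record; optional fields (name=, path=, dev=) sit between comm and scontext.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return a dict for a denied AVC record, or None for any other audit line."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()  # "{ read bind }" -> ["read", "bind"]
    return rec

def selinux_type(context):
    """user_u:system_r:osa_dispatcher_t:s0 -> osa_dispatcher_t (third colon-separated field)."""
    return context.split(":")[2]

def summarize(text):
    """Aggregate denied permissions by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return rules

def allow_rules(rules):
    """Render the aggregated denials as allow statements, using 'self' when source == target."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {perm_str};")
    return out

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```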

Comment 2 Jan Pazdziora (Red Hat) 2009-10-19 07:22:27 UTC
Please provide output of

# rpm -qa | grep spacewalk

Thank you.

Comment 3 Jan Pazdziora (Red Hat) 2009-10-19 07:24:05 UTC
(In reply to comment #2)
> Please provide output of
> 
> # rpm -qa | grep spacewalk
> 
> Thank you.  

Ah, it's in comment 0.

Comment 4 Vasiliy Kotikov 2009-10-26 08:54:05 UTC
Making clear what rules spacewalk and osa-dispatcher require, I assumed these rules within the te files:

for spacewalk_monitoring_t
allow spacewalk_monitoring_t self:process setpgid;

for connection to samba, maybe required when the system authenticates users from samba; as an example, the system is part of M$ AD and
/etc/nsswitch.conf contains
passwd:     files winbind
shadow:     files
group:      files winbind
/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass cached_login require_membership_of=S-1-5-21-790525478-287218729-682003330-512
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so require_membership_of=S-1-5-21-790525478-287218729-682003330-512
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

samba_stream_connect_winbind(spacewalk_monitoring_t);

But is the possibility for spacewalk-monitoring to connect to the socket of winbind really needed?

Regarding osa-dispatcher, this rule needs to be added to the te file:

allow osa_dispatcher_t self:netlink_route_socket create_netlink_socket_perms;

The necessity of the dispatcher's access to netlink_route_socket I cannot answer...

Thank You

Comment 5 Jan Pazdziora (Red Hat) 2009-11-19 15:37:25 UTC
The setpgid was addressed in bug 516073.

Comment 6 Jan Pazdziora (Red Hat) 2009-11-19 15:58:34 UTC
Vasiliy, could you show your /etc/tnsnames.ora? I wonder what network access osa-dispatcher needs here.

Comment 7 Vasiliy Kotikov 2009-11-27 10:10:13 UTC
 cat /etc/tnsnames.ora
invmgmt =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 172.20.40.77)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SID = invmgmt)
    )
  )

I'd like to add that the Oracle server is located on another server and it is not XE.

Comment 8 Jan Pazdziora (Red Hat) 2010-02-01 12:23:10 UTC
The samba_stream_connect_winbind(spacewalk_monitoring_t) added to Spacewalk master 5d3d96cd5d57457de0b8c813adcb0321babc4e63.

Comment 9 Jan Pazdziora (Red Hat) 2010-02-01 15:35:41 UTC
Built packages spacewalk-monitoring-selinux-0.8.3-1.*, will be in the next nightly repo.

Comment 10 Michael Mráka 2010-02-16 12:59:26 UTC
Spacewalk 0.8 has been released
