667986 – avc: denied: selinux blocking append to TESTOUT.log on RHEL4

Bug 667986 - avc: denied: selinux blocking append to TESTOUT.log on RHEL4

Summary: avc: denied: selinux blocking append to TESTOUT.log on RHEL4

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Beaker
Classification:	Retired
Component:	beah
Sub Component:
Version:	0.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Bill Peck
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	662797 669665
Blocks:
TreeView+	depends on / blocked

Reported:	2011-01-07 15:29 UTC by Petr Muller
Modified:	2019-05-22 13:37 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2011-02-10 01:01:30 UTC
Embargoed:

Attachments	(Terms of Use)

Description Petr Muller 2011-01-07 15:29:44 UTC

Description of problem:
Not sure if this is the right place, but TESTOUT.log comes from Beaker, and is out of the test's scope, so I'll start in Beaker product.

During our RHEL4.9 tests, we've seen some bogus selinux problem in our tests. One test for nscd service had several AVC test failures looking like this:

audit(1294344946.711:555): avc:  denied  { append } for  pid=26235 comm="nscd" name="TESTOUT.log" dev=dm-0 ino=2654410 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:initrc_tmp_t tclass=file
audit(1294344946.729:556): avc:  denied  { append } for  pid=26235 comm="nscd" name="TESTOUT.log" dev=dm-0 ino=2654410 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:initrc_tmp_t tclass=file

The test did it's job, just these two appeared in Beaker's avc test. 

How reproducible:
seems always on RHEL4. Not seeing these on later RHELs

Additional info:
https://beaker.engineering.redhat.com/tasks/executed?task=/tools/glibc/Regression/bz478716-nscd-ignores-etc-hosts&job_id=43764

Comment 1 Marian Csontos 2011-01-17 12:17:12 UTC

Likely a duplicate of 669665.

Comment 2 Marian Csontos 2011-01-18 13:53:22 UTC

This happens with updated harness too, as TESTOUT.log moved from /tmp to /mnt/testarea which is not covered by the policy. The error messages found in dmesg are:

  audit(1295352310.832:553): avc:  denied  { append } for  pid=7675 comm="nscd" name="TESTOUT.log" dev=dm-0 ino=770064 scontext=root:system_r:nscd_t tcontext=user_u:object_r:mnt_t tclass=file
  audit(1295352310.849:554): avc:  denied  { append } for  pid=7675 comm="nscd" name="TESTOUT.log" dev=dm-0 ino=770064 scontext=root:system_r:nscd_t tcontext=user_u:object_r:mnt_t tclass=file

We need to update rhts policy to allow anyone to write to all files in that directory.

Comment 3 Bill Peck 2011-01-20 15:41:34 UTC

I was just told by Dan Walsh that we don't care about selinux on RHEL4.  They haven't shipped an selinux update in years.

So I'm using this bz to change the default RHEL4 kickstarts to selinux=disabled.  It can still be turned on but its not supported.

Comment 6 Jeff Burke 2011-01-24 19:30:58 UTC

 Since SELinux is still supported and we are still shipping RHEL4. Disabling it by default is not the correct thing to do. 

 I have a couple of questions. Is the issue with nscd? Or is the issue the way the
testing is being run in the test environment?

 Looking at the Comment #2 It looks like we could create a policy to avoid this. I don't see a test harness policy loaded for RHEL4. Perhaps we now need one.

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/4/html/SELinux_Guide/selg-part-0062.html

Comment 7 Daniel Walsh 2011-01-24 19:35:06 UTC

rhel4 does not have the capability to do stuff like modular policy.  You need to write everything in base policy.

Comment 8 Jeff Burke 2011-01-24 19:41:31 UTC

Is there a reason this can't be fixed in the base policy?

Comment 9 Daniel Walsh 2011-01-24 19:46:26 UTC

Well we don't want to allow apps to append to mnt_t.  

Writing policy for RHEL4 is insanity at this point.

Comment 10 Jeff Burke 2011-01-24 19:59:56 UTC

Reply to Comment #9
"Well we don't want to allow apps to append to mnt_t."
 - Why not? This will allow our testing to run with SELinux enabled. Surly adding apps the ability to append to mnt_t is better then disabling SELinux all together.

"Writing policy for RHEL4 is insanity at this point."
 - No more insane then having our entire QE team test a shipping product differently then how a customer will be using the product.

Comment 11 Marian Csontos 2011-01-24 21:02:11 UTC

Could we label just the /mnt/testarea to some very liberal role (one allowing anything to anyone) but leave the creation of that directory very restricted?

That way we should ensure the directory is not created by malicious service while at the same time when created anyone could write anything there.

Comment 12 Daniel Walsh 2011-01-24 21:18:28 UTC

You could label it var_log_t and see if this works, but I would doubt it.  RHEL4 policy was not ready for prime time, and anyone who used it would need to customize policy.  

Jeff the only option would be to build an errata policy for RHEL4 that said allow domain mnt_t:file append; Which would then need to be shipped to all customers.  There is no way to do the hack that we did for RHEL5 and beyond.   We have been ignoring AVC messages from RHEL4 for years, so I am not sure why this is suddenly a big deal.

Comment 13 Jeff Burke 2011-01-25 02:50:31 UTC

Reply to Comment #11 and #12
"You could label it var_log_t and see if this works"
 - Marian is that something you can do in beaker stage to test?

"the only option would be to build an errata policy for RHEL4 that said
allow domain mnt_t:file append;Which would then need to be shipped to all
customers."
 - I agree that is too big of a hammer to fix this.

"We have been ignoring AVC messages from RHEL4 for years, so I am not sure why
this is suddenly a big deal."
 - I think there may be a mis-understand in my interest in this BZ. I don't have an interest in the actual AVC messages that are getting printed out. I am fine if you want to ignore them, but the fact is we are not ignoring them. The issue I have is the big hammer approach to stopping the AVC messages. Avoiding the by disabling SELinux IMO is not the correct answer.

Perhaps it be possible to have a harness have a whitelist of messages to ignore.

Comment 15 Eduard Benes 2011-01-25 15:55:46 UTC

If we ignore the failing avc-sub-tests for now, does it currently cause any regular tests to end with false-negatives? Going through Petr's results for nscd, only avc tests failed.

I agree with Jeff, and would suggest to hold back with disabling SELinux for RHEL 4 systems.

Jeff has a really good point with a whitelist of messages to ignore on RHEL 4 systems. It shouldn't be that hard to add a simple check to the avc subtest. This is a bug introduced by a change in the harness and if it does not break anything else I would give it a try. 

Has anyone tried the suggested "var_log_t" approach?

Maybe I'm missing something. If so, could someone please summarize what is the current problem?

Comment 16 Bill Peck 2011-01-26 02:25:56 UTC

It appears I can fix the harness to not throw the error on rhel4.

-       make run >>/mnt/testarea/TESTOUT.log 2>&1 &
+       make run | cat >>/mnt/testarea/TESTOUT.log 2>&1 &


This keeps it from reporting the particular avc that has been reported above.  It doesn't mean that other selinux errors won't be thrown. 

I will revert the kickstart change that disables selinux by default.

Comment 17 Bill Peck 2011-01-26 02:29:01 UTC

Seems I jumped the gun.  It still throws an selinux error. :-/

Following messages were found in dmesg:
audit(1296008440.142:2): avc:  denied  { write } for  pid=30361 comm="nscd" name="[134741]" dev=pipefs ino=134741 scontext=root:system_r:nscd_t tcontext=root:system_r:unconfined_t tclass=fifo_file

Dan, any suggestions?

Comment 18 Marian Csontos 2011-01-26 08:34:04 UTC

IIUC while the files were in /tmp this was not a problem.
Thus looks like policy on el4 treats tmp_t more liberally than mnt_t.
Relabeling /mnt/testarea to either tmp_t or var_log_t may be the way.

Comment 19 Marian Csontos 2011-01-26 10:45:26 UTC

(In reply to comment #12)
> You could label it var_log_t and see if this works, but I would doubt it. 

Sadly, you were right - does not work with tmp_t, initrc_tmp_t nor var_log_t:

  https://beaker.engineering.redhat.com/jobs/48794

> RHEL4 policy was not ready for prime time, and anyone who used it would need to
> customize policy.  
> 
> Jeff the only option would be to build an errata policy for RHEL4 that said
> allow domain mnt_t:file append; Which would then need to be shipped to all
> customers.

Could we ship this to beaker only?

The policy is not modular, but:

a) can we modify and rebuild the policy on runtime
b) or would we need a fork? [not-feasible IMHO]

I am giving up and will leave this up to experts :-)

One more idea:

Is this a wider spread error is does it apply only to nscd? May be we could simply tweak the tests so nscd output is sent to file with different context, relabeled when done and appended to TESTOUT...

> There is no way to do the hack that we did for RHEL5 and beyond.  
> We have been ignoring AVC messages from RHEL4 for years, so I am not sure why
> this is suddenly a big deal.

Comment 20 Daniel Walsh 2011-01-26 14:09:39 UTC

We are wasting a collossal amount of time on this.  RHEL4 should testing should just ignore the AVC's or just change the script to look for AVC's that don't include mnt_t.

Comment 21 Bill Peck 2011-01-26 17:36:39 UTC

The test is broken as well.

switch_db(){
  rlLog "Switching database $1 to $2"
  tmpf=`mktemp`
  cat /etc/nsswitch.conf | sed -e "s/^$1:.*/$1: $2/g" > $tmpf
  mv $tmpf /etc/nsswitch.conf
  rlAssertGrep "^$1: $2" "/etc/nsswitch.conf"
}


That piece of code breaks selinux context and causes the following failures:

audit(1296062668.376:6): avc:  denied  { read } for  pid=32716 comm="nscd" name="passwd.db" dev=dm-0 ino=1248426 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=file
audit(1296062670.480:9): avc:  denied  { read } for  pid=352 comm="nscd" name="passwd.db" dev=dm-0 ino=1248426 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=file
audit(1296062676.955:16): avc:  denied  { read } for  pid=682 comm="nscd" name="passwd.db" dev=dm-0 ino=1248426 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=file
audit(1296062676.963:17): avc:  denied  { read } for  pid=682 comm="nscd" name="group.db" dev=dm-0 ino=1248439 scontext=root:system_r:nscd_t tcontext=system_u:object_r:var_t tclass=file


I have a version of the harness which ignores TESTOUT.log errors, so its only real errors left.

Comment 22 Petr Muller 2011-01-26 17:47:31 UTC

Thx, that test is old. I'll fix the test to edit the config file in-place. But, how can a bad context on a config file cause selinux failure on nscd reading the legitimate files? (passwd/group.db is where nscd looks for names when configured to db)

Comment 23 Bill Peck 2011-01-26 17:58:27 UTC

Maybe I was looking at the wrong bit of code...

something must have created these files with the wrong context..

[root@hp-bl685cg6-01 db]# pwd
/var/db
[root@hp-bl685cg6-01 db]# ls -lZ
-rw-r--r--  root     root     system_u:object_r:var_t          group.db
-rw-r--r--  root     root     system_u:object_r:var_t          Makefile
drwxr-xr-x  root     root     system_u:object_r:nscd_var_run_t nscd
-rw-r--r--  root     root     system_u:object_r:var_t          passwd.db
-rw-r--r--  root     root     system_u:object_r:var_t          protocols.db
-rw-r--r--  root     root     system_u:object_r:var_t          rpc.db
-rw-r--r--  root     root     system_u:object_r:var_t          services.db
-rw-------  root     root     system_u:object_r:var_t          shadow.db
[root@hp-bl685cg6-01 db]# ls -lZ nscd/
-rw-------  root     root     root:object_r:nscd_var_run_t     group
-rw-------  root     root     root:object_r:nscd_var_run_t     hosts
-rw-------  root     root     root:object_r:nscd_var_run_t     passwd

Comment 24 Petr Muller 2011-01-26 18:05:09 UTC

The .db files are created by the Makefile in the directory. The test indeed does this, and it is the part of the tested functionality.

Comment 25 Daniel Walsh 2011-01-26 18:13:53 UTC

switch_db(){
  rlLog "Switching database $1 to $2"
  tmpf=`mktemp`
  cat /etc/nsswitch.conf | sed -e "s/^$1:.*/$1: $2/g" > $tmpf
  mv $tmpf /etc/nsswitch.conf
  rlAssertGrep "^$1: $2" "/etc/nsswitch.conf"
}

should be

switch_db(){
  rlLog "Switching database $1 to $2"
  sed -i -e "s/^$1:.*/$1: $2/g" /etc/nsswitch.conf
  rlAssertGrep "^$1: $2" "/etc/nsswitch.conf"
}


The code that makes the DB needs to run a restorecon on /var/db

Comment 26 Petr Muller 2011-01-26 18:44:10 UTC

Will fix the test, thanks for the hints.

Comment 27 Bill Peck 2011-01-28 20:21:56 UTC

Marian,

Does this look like it would work?

commit 367886df1d681b6112085ea7075a62f8895cfb29
Author: Bill Peck <bpeck>
Date:   Wed Jan 26 11:14:33 2011 -0500

    Avoid reporting selinux errors on the harness itself.

diff --git a/bin/rhts-db-submit-result b/bin/rhts-db-submit-result
index 8014909..cd82655 100755
--- a/bin/rhts-db-submit-result
+++ b/bin/rhts-db-submit-result
@@ -338,6 +338,8 @@ class AuContext(object):
             str = "/bin/grep 'avc: ' %s" % (log_file,)
         else:
             str = "/bin/grep 'avc: ' %s | /bin/grep --invert-match granted" % (log_file,)
+        # Don't report on TESTOUT.log errors
+        str = "%s | /bin/grep --invert-match TESTOUT.log" % (str)
         self.append_message(str)
         (ret_val, data) = commands.getstatusoutput(str)
         data_l = data.split("\n")

Comment 31 Dan Callaghan 2011-02-10 01:01:30 UTC

Beaker 0.6.4 has been released.

Note You need to log in before you can comment on or make changes to this bug.