Bug 693590 - Add selinux policy for matahari services
Summary: Add selinux policy for matahari services
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2011-04-05 01:33 UTC by Adam Stokes
Modified: 2016-04-26 15:49 UTC (History)

Fixed In Version: selinux-policy-3.7.19-84.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:27:34 UTC


Attachments
policy file (1.19 KB, application/octet-stream), 2011-04-05 01:41 UTC, Adam Stokes
matahari-net audit log (1.94 KB, application/octet-stream), 2011-04-05 17:52 UTC, Adam Stokes


Links
Red Hat Product Errata RHBA-2011:0526 (SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-05-19 09:37:41 UTC

Description Adam Stokes 2011-04-05 01:33:27 UTC
Description of problem:
selinux preventing matahari-broker from running

Version-Release number of selected component (if applicable):
3.7.19-80

How reproducible:
100%

Steps to Reproduce:
# setenforce 1
# yum install matahari-broker
# service start matahari-broker

  
Actual results:
Failure to start broker with avc denials:

type=AVC msg=audit(1301966865.549:380): avc:  denied  { lock } for  pid=3367 comm="matahari-broker" path="/var/lib/matahari/lock" dev=dm-0 ino=262197 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:matahari_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1301966865.549:380): arch=c000003e syscall=72 success=no exit=-13 a0=7 a1=6 a2=7fffa018a810 a3=7fffa018a5f0 items=0 ppid=1 pid=3367 auid=0 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=16 comm="matahari-broker" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1301966865.552:381): avc:  denied  { search } for  pid=3367 comm="matahari-broker" name="matahari" dev=dm-0 ino=262214 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:matahari_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1301966865.552:381): arch=c000003e syscall=87 success=no exit=-13 a0=1612788 a1=0 a2=15fbd80 a3=7fffa018aca0 items=0 ppid=1 pid=3367 auid=0 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=16 comm="matahari-broker" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)
type=USER_START msg=audit(1301966865.677:382): user pid=3390 uid=0 auid=0 ses=16 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="qpidd" exe="/sbin/runuser" hostname=? addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1301966865.677:383): user pid=3390 uid=0 auid=0 ses=16 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="qpidd" exe="/sbin/runuser" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1301966865.700:384): avc:  denied  { getattr } for  pid=3392 comm="matahari-broker" path="/var/run/matahari" dev=dm-0 ino=262214 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:matahari_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1301966865.700:384): arch=c000003e syscall=4 success=no exit=-13 a0=cf4d58 a1=7fffc5cd1d20 a2=7fffc5cd1d20 a3=7fffc5cd1aa0 items=0 ppid=3391 pid=3392 auid=0 uid=498 gid=498 euid=498 suid=498 fsuid=498 egid=498 sgid=498 fsgid=498 tty=(none) ses=16 comm="matahari-broker" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)
type=CRED_DISP msg=audit(1301966865.721:385): user pid=3390 uid=0 auid=0 ses=16 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="qpidd" exe="/sbin/runuser" hostname=? addr=? terminal=pts/0 res=success'
type=USER_END msg=audit(1301966865.721:386): user pid=3390 uid=0 auid=0 ses=16 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="qpidd" exe="/sbin/runuser" hostname=? addr=? terminal=pts/0 res=success'


Expected results:
broker granted access to run

Additional info:

here is audit2allow output

#============= qpidd_t ==============
allow qpidd_t initrc_var_run_t:file { write getattr };
#!!!! The source type 'qpidd_t' can write to a 'dir' of the following types:
# var_lib_t, var_run_t, qpidd_var_lib_t, qpidd_var_run_t, root_t

allow qpidd_t matahari_var_lib_t:dir { write getattr search add_name };
#!!!! The source type 'qpidd_t' can write to a 'file' of the following types:
# qpidd_var_lib_t, qpidd_var_run_t, root_t

allow qpidd_t matahari_var_lib_t:file { write lock create open read };
#!!!! The source type 'qpidd_t' can write to a 'dir' of the following types:
# var_lib_t, var_run_t, qpidd_var_lib_t, qpidd_var_run_t, root_t

allow qpidd_t matahari_var_run_t:dir { write getattr search add_name };
#!!!! The source type 'qpidd_t' can write to a 'file' of the following types:
# qpidd_var_lib_t, qpidd_var_run_t, root_t

allow qpidd_t matahari_var_run_t:file { write lock create open read };

Comment 1 Adam Stokes 2011-04-05 01:41:19 UTC
Created attachment 489895 [details]
policy file

Comment 3 Adam Stokes 2011-04-05 01:43:48 UTC
[root@localhost ~]# grep qpidd_t /var/log/audit/audit.log | audit2allow -M mataharibroker
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mataharibroker.pp

[root@localhost ~]# semodule -i mataharibroker.pp
[root@localhost ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
[root@localhost ~]# service matahari-broker restart
Stopping Matahari broker daemon:                           [FAILED]
Starting Matahari broker daemon:                           [  OK  ]

I'm pretty sure I'm missing some things, as the audit log is still showing some
denials even though the broker starts now with enforcing on.

Comment 5 Andrew Beekhof 2011-04-05 06:41:37 UTC
(In reply to comment #3)

> I'm pretty sure I'm missing some things, as the audit log is still showing some
> denials even though the broker starts now with enforcing on.

Did you repeat for the agents too?

Comment 6 Milos Malik 2011-04-05 07:52:23 UTC
The following AVCs appear when I run "service X start", where X is matahari-net, matahari-host or matahari-service:
----
time->Tue Apr  5 03:41:55 2011
type=SYSCALL msg=audit(1301989315.185:40): arch=c000003e syscall=2 success=yes exit=7 a0=18c1298 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2781 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="matahari-servic" exe="/usr/sbin/matahari-serviced" subj=unconfined_u:system_r:matahari_serviced_t:s0 key=(null)
type=AVC msg=audit(1301989315.185:40): avc:  denied  { dac_override } for  pid=2781 comm="matahari-servic" capability=1  scontext=unconfined_u:system_r:matahari_serviced_t:s0 tcontext=unconfined_u:system_r:matahari_serviced_t:s0 tclass=capability
----
time->Tue Apr  5 03:42:36 2011
type=SYSCALL msg=audit(1301989356.668:41): arch=c000003e syscall=2 success=yes exit=7 a0=167c298 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2860 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="matahari-netd" exe="/usr/sbin/matahari-netd" subj=unconfined_u:system_r:matahari_netd_t:s0 key=(null)
type=AVC msg=audit(1301989356.668:41): avc:  denied  { dac_override } for  pid=2860 comm="matahari-netd" capability=1  scontext=unconfined_u:system_r:matahari_netd_t:s0 tcontext=unconfined_u:system_r:matahari_netd_t:s0 tclass=capability
----
time->Tue Apr  5 03:43:14 2011
type=SYSCALL msg=audit(1301989394.926:42): arch=c000003e syscall=2 success=yes exit=7 a0=103b2c8 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2894 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="matahari-hostd" exe="/usr/sbin/matahari-hostd" subj=unconfined_u:system_r:matahari_hostd_t:s0 key=(null)
type=AVC msg=audit(1301989394.926:42): avc:  denied  { dac_override } for  pid=2894 comm="matahari-hostd" capability=1  scontext=unconfined_u:system_r:matahari_hostd_t:s0 tcontext=unconfined_u:system_r:matahari_hostd_t:s0 tclass=capability
----

Comment 7 Miroslav Grepl 2011-04-05 10:50:13 UTC
Could you turn on full auditing?

Comment 8 Daniel Walsh 2011-04-05 15:43:41 UTC
We have these in F15 policy

optional_policy(`
	matahari_manage_lib_files(qpidd_t)
	matahari_manage_pid_files(qpidd_t)
')

It would be nice to know if all these matahari apps actually need dac_override.

# auditctl -w /etc/shadow -p w 

Will turn on auditing.

Then restart the matahari scripts and see if the AVCs include a path.

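The audit2allow output in the description and the dac_override denials in comment 6 are the two shapes of AVC record this report deals with. The following is an added example (not code from this bug report or from the selinux-policy package) that parses such records, groups the denied permissions per source type, target type and class the way audit2allow presents them, and separately lists denials that carry no path or name, which is the case comment 8 asks full auditing for. The sample records are copied from this report, except the shortened SYSCALL line, which is constructed to show that non-AVC records are skipped; the record layout the regex assumes (an "avc: denied { perms } for ..." block followed by scontext, tcontext and tclass) is an assumption noted in the code.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules.

Added example; not code from the bug report or from selinux-policy.
Assumption: records look like the ones quoted in the report, i.e. an
"avc: denied { perms } for key=value ..." block followed by
scontext=, tcontext= and tclass=, and the type is the third
colon-separated field of a security context.
"""
import re
from collections import defaultdict

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)\s*'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records. Lines 1, 3, 4, 5 and 6 are copied from the description,
# comment 6 and comment 17 of this report; line 2 is a shortened SYSCALL
# record, constructed here to show that non-AVC records are ignored.
SAMPLE_LOG = [
    'type=AVC msg=audit(1301966865.549:380): avc:  denied  { lock } for  pid=3367 comm="matahari-broker" path="/var/lib/matahari/lock" dev=dm-0 ino=262197 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:matahari_var_lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1301966865.549:380): arch=c000003e syscall=72 success=no exit=-13 comm="matahari-broker" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)',
    'type=AVC msg=audit(1301966865.552:381): avc:  denied  { search } for  pid=3367 comm="matahari-broker" name="matahari" dev=dm-0 ino=262214 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:matahari_var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1301989356.668:41): avc:  denied  { dac_override } for  pid=2860 comm="matahari-netd" capability=1  scontext=unconfined_u:system_r:matahari_netd_t:s0 tcontext=unconfined_u:system_r:matahari_netd_t:s0 tclass=capability',
    'type=AVC msg=audit(1302254404.919:175): avc:  denied  { write } for  pid=7256 comm="matahari-broker" path="/var/run/matahari-broker.pid" dev=dm-0 ino=3016659 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1302254404.931:176): avc:  denied  { getattr } for  pid=7256 comm="matahari-broker" path="/var/run/matahari-broker.pid" dev=dm-0 ino=3016659 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file',
]


def parse_avc(line):
    """Return a dict describing an AVC denial line, or None for any other record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
        'comm': fields.get('comm'),
        # file denials carry path= or name=; capability denials carry neither
        'path': fields.get('path') or fields.get('name'),
    }


def summarise(lines):
    """Group denials by (source type, target type, class).

    Returns (rules, needs_path): rules maps that key to the union of denied
    permissions; needs_path lists denials without a path or name, the ones
    that only full auditing will attribute to a file.
    """
    rules = defaultdict(set)
    needs_path = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
        if rec['path'] is None:
            needs_path.append(rec)
    return dict(rules), needs_path


def format_rules(rules):
    """Render the grouped denials as allow rules, one per line, sorted."""
    return ['allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))
            for (stype, ttype, tclass), perms in sorted(rules.items())]


def main():
    rules, needs_path = summarise(SAMPLE_LOG)
    for rule in format_rules(rules):
        print(rule)
    for rec in needs_path:
        print('# %s: %s denial on class %s carries no path; enable full auditing to see one'
              % (rec['comm'], ' '.join(sorted(rec['perms'])), rec['tclass']))


if __name__ == '__main__':
    main()
```

Running it on the sample records yields, among others, `allow qpidd_t initrc_var_run_t:file { getattr write };`, the same first rule the description's audit2allow run produced, and a note for the matahari-netd dac_override denial, which has no path to attribute. As on the page, the rules are a starting point for review rather than something to load as-is: a denial on initrc_var_run_t here turned out to be a labelling problem, not a missing allow rule.
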
Comment 9 Adam Stokes 2011-04-05 17:52:11 UTC
Created attachment 490052 [details]
matahari-net audit log

Comment 10 Adam Stokes 2011-04-05 17:54:56 UTC
Here is some audit2allow info


#============= matahari_netd_t ==============
allow matahari_netd_t proc_net_t:file { read getattr open };
allow matahari_netd_t system_dbusd_var_lib_t:dir search;

Comment 11 Daniel Walsh 2011-04-05 18:28:59 UTC
Miroslav, let's make these domains unconfined, since they were just introduced and we have no idea how many AVCs they will generate.

Then we can test the policy in Fedora and slowly update the policy in RHEL6.

Comment 13 Miroslav Grepl 2011-04-06 12:41:19 UTC
Fixed in selinux-policy-3.7.19-82.el6

Comment 17 Milos Malik 2011-04-08 09:22:39 UTC
The automated test is successful in permissive mode, but still 2 AVCs appear:

----
time->Fri Apr  8 05:20:04 2011
type=SYSCALL msg=audit(1302254404.919:175): arch=40000003 syscall=11 success=yes exit=0 a0=81d27d8 a1=81d2688 a2=81d1880 a3=81d2688 items=0 ppid=7255 pid=7256 auid=0 uid=496 gid=490 euid=496 suid=496 fsuid=496 egid=490 sgid=490 fsgid=490 tty=(none) ses=3 comm="matahari-broker" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1302254404.919:175): avc:  denied  { write } for  pid=7256 comm="matahari-broker" path="/var/run/matahari-broker.pid" dev=dm-0 ino=3016659 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
----
time->Fri Apr  8 05:20:04 2011
type=SYSCALL msg=audit(1302254404.931:176): arch=40000003 syscall=197 success=yes exit=0 a0=1 a1=bfdb70d0 a2=e0fff4 a3=e104e0 items=0 ppid=7255 pid=7256 auid=0 uid=496 gid=490 euid=496 suid=496 fsuid=496 egid=490 sgid=490 fsgid=490 tty=(none) ses=3 comm="matahari-broker" exe="/usr/sbin/qpidd" subj=unconfined_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1302254404.931:176): avc:  denied  { getattr } for  pid=7256 comm="matahari-broker" path="/var/run/matahari-broker.pid" dev=dm-0 ino=3016659 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
----

Comment 18 Miroslav Grepl 2011-04-08 11:17:09 UTC
Milos,
could you give me an output of

# ls -lZ /var/run/matahari*

Comment 19 Milos Malik 2011-04-08 11:26:37 UTC
Executed in permissive mode:

# ls -Z /var/run/matahari*
-rw-r--r--. qpidd qpidd unconfined_u:object_r:initrc_var_run_t:s0 /var/run/matahari-broker.pid

/var/run/matahari:
-rw-r-----. qpidd qpidd unconfined_u:object_r:matahari_var_run_t:s0 qpidd.49000.pid
#

Comment 20 Miroslav Grepl 2011-04-08 11:40:29 UTC
Ok, I am rewriting the matahari policy, which will fix this issue.

Comment 21 Miroslav Grepl 2011-04-08 12:02:28 UTC
Actually, who creates the /var/run/matahari-broker.pid file?

Comment 22 Milos Malik 2011-04-08 12:42:40 UTC
I believe qpidd does it:

# ls -l /usr/sbin/matahari-*
lrwxrwxrwx. 1 root root      5 Apr  8 05:11 /usr/sbin/matahari-brokerd -> qpidd
-rwxr-xr-x. 1 root root 330160 Apr  5 17:03 /usr/sbin/matahari-hostd
-rwxr-xr-x. 1 root root 322444 Apr  5 17:03 /usr/sbin/matahari-netd
-rwxr-xr-x. 1 root root 339748 Apr  5 17:03 /usr/sbin/matahari-serviced
# ls -Z /usr/sbin/qpidd 
-rwxr-xr-x. root root system_u:object_r:qpidd_exec_t:s0 /usr/sbin/qpidd
#

Comment 23 Milos Malik 2011-04-08 13:46:49 UTC
Once you run the following command on the machine, the automated test succeeds in enforcing mode (no AVCs visible):

semanage fcontext -a -t qpidd_var_run_t "/var/run/matahari-broker\.pid"

Comment 24 Miroslav Grepl 2011-04-08 13:51:29 UTC
I will add it. The pid file is created in the init script using "touch" and then restorecon is applied. But we do not define this label.

Thanks.

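Comments 19 to 24 trace the remaining denials to a labelling problem: the init script touches the pid file and runs restorecon, but with no fcontext entry for that path there is nothing for restorecon to restore, so the file keeps initrc_var_run_t until the entry from comment 23 exists. The following is an added example (not code from this bug report or from selinux-policy) that does the same dry-run check in the spirit of `restorecon -nv`: it parses `ls -Z` output, matches each path against a table of fcontext entries and reports files whose current type differs from the prescribed one. The tables are constructed and deliberately tiny (the real file_contexts has far more entries); the assumption that entries are ordered most specific first and the first full match wins is noted in the code, and the `ls -Z` lines are constructed after comment 19 with full paths.

```python
"""Dry-run file label check: ls -Z output versus fcontext entries.

Added example; not code from the bug report or from selinux-policy.
Assumption: entries are listed most specific first and the first regex
that matches the whole path decides the expected type. The tables are
constructed for illustration and omit the rest of the real file_contexts.
"""
import re

# Constructed table "before": only the matahari run directory is covered,
# so the pid file in /var/run has no entry at all.
FCONTEXTS_BEFORE = [
    (r'/var/run/matahari(/.*)?', 'matahari_var_run_t'),
]
# Same table after the entry comment 23 adds with semanage fcontext.
FCONTEXTS_AFTER = [(r'/var/run/matahari-broker\.pid', 'qpidd_var_run_t')] + FCONTEXTS_BEFORE

# Constructed ls -Z output, shaped like comment 19: mode, owner, group, context, path.
LS_Z_OUTPUT = """\
-rw-r--r--. qpidd qpidd unconfined_u:object_r:initrc_var_run_t:s0 /var/run/matahari-broker.pid
-rw-r-----. qpidd qpidd unconfined_u:object_r:matahari_var_run_t:s0 /var/run/matahari/qpidd.49000.pid
"""


def parse_ls_z(text):
    """Yield (path, current type) from ls -Z lines; skips blank or header lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or ':' not in parts[3]:
            continue
        yield parts[4], parts[3].split(':')[2]


def expected_type(path, entries):
    """Type of the first entry whose regex matches the whole path, or None if no entry covers it."""
    for pattern, setype in entries:
        if re.fullmatch(pattern, path):
            return setype
    return None


def mislabeled(text, entries):
    """Return [(path, current, expected)] for files a relabel would change.

    A path with no matching entry is not reported: with nothing prescribed,
    restorecon leaves whatever label the file got when it was created, which
    is exactly why the pid file in this report stayed initrc_var_run_t.
    """
    result = []
    for path, current in parse_ls_z(text):
        want = expected_type(path, entries)
        if want is not None and want != current:
            result.append((path, current, want))
    return result


if __name__ == '__main__':
    print('before:', mislabeled(LS_Z_OUTPUT, FCONTEXTS_BEFORE))
    print('after: ', mislabeled(LS_Z_OUTPUT, FCONTEXTS_AFTER))
```

With the first table the check reports nothing, matching the observation that restorecon did not change the pid file; with the entry from comment 23 it reports the pid file as initrc_var_run_t where qpidd_var_run_t is expected, which is what a real `restorecon -v /var/run/matahari-broker.pid` would then relabel.
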
Comment 25 Miroslav Grepl 2011-04-11 10:12:51 UTC
Fixed in selinux-policy-3.7.19-84.el6

Comment 28 errata-xmlrpc 2011-05-19 12:27:34 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

