Bug 709080 - enforcing MLS: lvmdump causes AVCs
enforcing MLS: lvmdump causes AVCs
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.7
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks: 709388
  Show dependency treegraph
 
Reported: 2011-05-30 10:42 EDT by Milos Malik
Modified: 2012-10-16 04:13 EDT (History)
10 users (show)

See Also:
Fixed In Version: selinux-policy-2.4.6-309.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 709388 (view as bug list)
Environment:
Last Closed: 2011-07-21 05:20:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Milos Malik 2011-05-30 10:42:03 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-306.el5
selinux-policy-devel-2.4.6-306.el5
selinux-policy-strict-2.4.6-306.el5
selinux-policy-mls-2.4.6-306.el5
selinux-policy-2.4.6-306.el5
selinux-policy-minimum-2.4.6-306.el5

How reproducible:
always

Steps to Reproduce:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        mls
# id -Z
root:sysadm_r:sysadm_t:SystemLow-SystemHigh
# pwd
/root
# lvmdump 
Creating dump directory: /root/lvmdump-<NODE-NAME>-20110530143543
 
Gathering LVM & device-mapper version info...
Gathering dmsetup info...
Gathering process info...
Gathering console messages...
Gathering /etc/lvm info...
Gathering /dev listing...
Gathering /sys/block listing...
Creating report tarball in /root/lvmdump-<NODE-NAME>-20110530143543.tgz...
# 
  
Actual results:
multiple AVCs of this kind
----
time->Mon May 30 10:35:43 2011
type=SYSCALL msg=audit(1306766143.615:109): arch=c000003e syscall=59 success=yes exit=0 a0=12f11ee0 a1=12f125f0 a2=12f0a8a0 a3=65 items=0 ppid=2445 pid=2459 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="dmsetup" exe="/sbin/dmsetup" subj=root:sysadm_r:lvm_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1306766143.615:109): avc:  denied  { append } for  pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/lvmdump.log" dev=dm-0 ino=2543447 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
type=AVC msg=audit(1306766143.615:109): avc:  denied  { write } for  pid=2459 comm="dmsetup" path="/root/lvmdump-<NODE-NAME>-20110530143543/dmsetup_ls_tree" dev=dm-0 ino=2543452 scontext=root:sysadm_r:lvm_t:s0-s15:c0.c1023 tcontext=root:object_r:sysadm_home_t:s0 tclass=file
----

Expected results:
no AVCs
Comment 1 Miroslav Grepl 2011-05-31 05:54:40 EDT
This is a leak.

lvmdump runs in sysadm_t domain but then executes dmsetup which has a transition to lvm_t.

Is this always created in /root?
Comment 2 Milos Malik 2011-05-31 05:59:52 EDT
No, the lvmdump directory/file is created in current working directory.
Comment 3 Milan Broz 2011-05-31 06:11:19 EDT
Not only dmsetup also it runs lvm. (And some other programs to parse output)

It should be very similar to sos report - how it is handled there?
Comment 4 Milan Broz 2011-05-31 06:14:15 EDT
There is option for directory, default should be
$HOME/lvmdump-$HOSTNAME-$NOW/

What's the problem with creating directory in $HOME? or it is broken somehow?
Comment 5 Miroslav Grepl 2011-05-31 07:15:41 EDT
You are right. I see it in /usr/sbin/lvmdump bash script.

"append" is caused by

2>> \"$log\

which could be allowed by

allow lvm_t sysadm_home_t:file append;



But we don't want to allow "write" access to /root directory and this is caused by 

---

log "\"$DMSETUP\" info -c > \"$dir/dmsetup_info\" 2>> \"$log\""
log "\"$DMSETUP\" table > \"$dir/dmsetup_table\" 2>> \"$log\""
log "\"$DMSETUP\" status > \"$dir/dmsetup_status\" 2>> \"$log\""
log "\"$DMSETUP\" ls --tree > \"$dir/dmsetup_ls_tree\" 2>> \"$log\""

--

which could be fixed by

log "\"$DMSETUP\" info -c | cat > \"$dir/dmsetup_ls_tree\" 2>> \"$log\""

or just append

log "\"$DMSETUP\" info -c >> \"$dir/dmsetup_ls_tree\" 2>> \"$log\""
Comment 6 Milan Broz 2011-05-31 08:24:46 EDT
Why is append different here? (It creates new file).
Comment 7 Miroslav Grepl 2011-05-31 10:42:08 EDT
Not sure what you think.

$log file is created by script running as sysadm_t.
Comment 8 Milan Broz 2011-05-31 11:03:04 EDT
$dir/dmsetup_ls_tree" is not log file, it is separate per-command report file.
And this file is created by dmsetup.

For log file we are appending output already but only stderr go there.

Anyway, if it is not selinux policy problem but only patch for lvmdump, please reassign it to lvm2 package, I'll fix it.
Comment 9 Daniel Walsh 2011-05-31 11:06:58 EDT
If you use script redirection, the shell is actually creating opening the file and handing the file descriptor to the app running within the shell.  If an confined app is handed an open file descriptor like > "$dir/dmsetup_ls_tree"  it will require the ability to write to the open file.  Write allows the confined domain, the ability to truncate the file.  If you open the file with >> "$dir/dmsetup_ls_tree", the shell will hand the confined domain the ability to append only, and this will block the ability to truncate.  We have a rather large rule that allows confined domains to append to home directory content but not write.
Comment 10 Miroslav Grepl 2011-05-31 11:25:14 EDT
(In reply to comment #8)
> $dir/dmsetup_ls_tree" is not log file, it is separate per-command report file.
> And this file is created by dmsetup.
> 

Oops, I read $dir/$dmsetup_ls_tree.
Comment 11 Alasdair Kergon 2011-05-31 17:04:26 EDT
I think append should be sufficient throughout the script.
Comment 12 Milan Broz 2011-06-01 09:41:42 EDT
There is small change needed in selinux-policy too. Actually I just tested new build selinux-policy-mls-2.4.6-308.el5 and it has already fix included.

Returning it back to selinux-policy component.

The lvmdump script part is addressed by bug #709388.
Comment 13 Miroslav Grepl 2011-06-06 11:17:07 EDT
Fixed in selinux-policy-2.4.6-309.el5
Comment 16 errata-xmlrpc 2011-07-21 05:20:41 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 17 errata-xmlrpc 2011-07-21 07:57:12 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html

Note You need to log in before you can comment on or make changes to this bug.