Description of problem:
After syncing a rhel6 repo on RHUA, I found the following avc denial message in audit.log.

--
[root@ip-10-87-2-126 ~]# cat /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1328690610.193:14558): avc: denied { read } for pid=3105 comm="qpidd" name="tmp" dev=xvde1 ino=740 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
[root@ip-10-87-2-126 ~]#
--

Version-Release number of selected component (if applicable):
rh-rhui-tools-2.0.52-1.el6.noarch

[root@ip-10-87-2-126 ~]# rpm -qa | grep pulp
m2crypto-0.21.1.pulp-7.el6.x86_64
python-oauth2-1.5.170-2.pulp.el6.noarch
pulp-client-lib-0.0.263-5.el6.noarch
pulp-0.0.263-5.el6.noarch
python-isodate-0.4.4-4.pulp.el6.noarch
pulp-selinux-server-0.0.263-5.el6.noarch
mod_wsgi-3.3-2.pulp.el6.x86_64
pulp-admin-0.0.263-5.el6.noarch
pulp-common-0.0.263-5.el6.noarch
pulp-consumer-0.0.263-5.el6.noarch
[root@ip-10-87-2-126 ~]# rpm -qa | grep gofer
python-gofer-0.64-1.el6.noarch
gofer-package-0.64-1.el6.noarch
gofer-0.64-1.el6.noarch
[root@ip-10-87-2-126 ~]# rpm -qa | grep grinder
grinder-0.0.136-1.el6.noarch
[root@ip-10-87-2-126 ~]#

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
avc denial message in audit.log

Expected results:
There should be no avc denial messages in audit.log when selinux is enabled.

Additional info:
Can you attach the full audit.log, pulp.log, grinder.log, and /var/log/messages please? Hopefully one of those will have some more information that will help us debug this issue.
Created attachment 560498 [details]
All requested logs are attached. I couldn't help much in this case, as I'm not sure of the exact situation when this message appears in audit.log.
I think this message happens when qpidd tries to read /usr/tmp, which is a symbolic link.

$ ls -larthZ /usr/tmp
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 /usr/tmp -> ../var/tmp
Looking at the qpidd policy that ships with el6, I think this should be allowed. I see a files_read_usr_files(qpidd_t) which in turn grants access to read_lnk_files_pattern.

From: selinux-policy-3.7.19-126.el6.src.rpm

$ cat policy/modules/services/qpidd.te
policy_module(qpidd,1.0.0)

########################################
#
# Declarations
#

type qpidd_t;
type qpidd_exec_t;
init_daemon_domain(qpidd_t, qpidd_exec_t)

type qpidd_initrc_exec_t;
init_script_file(qpidd_initrc_exec_t)

type qpidd_var_run_t;
files_pid_file(qpidd_var_run_t)

type qpidd_var_lib_t;
files_type(qpidd_var_lib_t)

########################################
#
# qpidd local policy
#

allow qpidd_t self:process { getsched setsched signull };
allow qpidd_t self:fifo_file rw_fifo_file_perms;
allow qpidd_t self:sem create_sem_perms;
allow qpidd_t self:shm create_shm_perms;
allow qpidd_t self:tcp_socket create_stream_socket_perms;
allow qpidd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir } )

manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })

kernel_read_system_state(qpidd_t)

corenet_all_recvfrom_unlabeled(qpidd_t)
corenet_all_recvfrom_netlabel(qpidd_t)
corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
corenet_tcp_sendrecv_all_ports(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)

dev_read_urand(qpidd_t)

files_read_etc_files(qpidd_t)
files_read_usr_files(qpidd_t)

logging_send_syslog_msg(qpidd_t)

miscfiles_read_localization(qpidd_t)

sysnet_dns_name_resolve(qpidd_t)

optional_policy(`
	corosync_stream_connect(qpidd_t)
')

optional_policy(`
	matahari_manage_lib_files(qpidd_t)
	matahari_manage_pid_files(qpidd_t)
')

From: policy/modules/kernel/files.if

interface(`files_read_usr_files',`
	gen_require(`
		type usr_t;
	')

	allow $1 usr_t:dir list_dir_perms;
	read_files_pattern($1, usr_t, usr_t)
	read_lnk_files_pattern($1, usr_t, usr_t)
')
Didn't observe these earlier with the 20120215 build, but found with RHEL-6.2-RHUI-2.0.2-20120221.0-Server-x86_64-DVD1.iso

[root@ip-10-36-119-102 audit]# grep AVC *
type=AVC msg=audit(1329899723.444:13185): avc: denied { search } for pid=2840 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329899723.445:13186): avc: denied { getattr } for pid=2840 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.244:13230): avc: denied { getattr } for pid=3333 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329904708.486:13243): avc: denied { search } for pid=30837 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329904708.486:13244): avc: denied { getattr } for pid=30837 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
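The denials quoted in this bug (the qpidd read of the usr_t symlink above, and the genpkgmetadata denials in this comment) are the kind of input a triage script should reduce to one line per missing policy rule before anyone reaches for audit2allow. The following is an added example, not code from this bug or from the pulp/qpid projects; it parses AVC records, groups them by source domain, target type and object class, and renders the TE allow rule each group corresponds to. The sample log below is constructed from the records quoted in this report.

```python
"""Triage SELinux AVC denials: parse audit.log records, group them by
(source domain, target type, object class), and render the minimal allow
rule each group would need (what audit2allow would propose; review, not apply)."""
import re
from collections import defaultdict

# Constructed sample: the qpidd and genpkgmetadata denials quoted in this bug,
# plus one non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328690610.193:14558): avc:  denied  { read } for  pid=3105 comm="qpidd" name="tmp" dev=xvde1 ino=740 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1328690610.193:14558): arch=c000003e syscall=2 success=no exit=-13 comm="qpidd"
type=AVC msg=audit(1329899723.444:13185): avc:  denied  { search } for  pid=2840 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329899723.445:13186): avc:  denied  { getattr } for  pid=2840 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.243:13229): avc:  denied  { search } for  pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]+?)\s*\}')  # the { perm ... } set

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other record."""
    if not line.startswith("type=AVC ") or "denied" not in line:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["perms"] = PERMS_RE.search(line).group(1).split()
    # A context is user:role:type[:range]; policy rules are written on the type.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["object"] = rec.get("path") or rec.get("name", "?")
    return rec

def summarise(log_text):
    """Group denials by (source domain, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["objects"].add(rec["object"])
    return dict(groups)

def allow_rules(groups):
    """One TE rule per group; compare against the shipped policy before adding anything."""
    return sorted(f"allow {sd} {tt}:{cls} {{ {' '.join(sorted(g['perms']))} }};"
                  for (sd, tt, cls), g in groups.items())

if __name__ == "__main__":
    groups = summarise(SAMPLE_AUDIT_LOG)
    for (sd, tt, cls), g in sorted(groups.items()):
        print(f"{sd} -> {tt}:{cls} x{g['count']} comm={sorted(g['comms'])} objects={sorted(g['objects'])}")
    print("\n".join(allow_rules(groups)))
```

For the qpidd group the rendered rule is `allow qpidd_t usr_t:lnk_file { read };`, which is exactly what read_lnk_files_pattern($1, usr_t, usr_t) in files_read_usr_files already expands to, so a match there points at a policy that is not loaded or a mislabelled object rather than at a missing rule.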
Created attachment 564910 [details] logs from grinder.log pulp.log var_log_messages audit.log
The QPID team does not believe that qpidd itself is accessing /usr/tmp but suspects it's something in the NSS lib used for SSL.
Installed qpid version:
-------
qpid-cpp-client-0.12-6.el6.x86_64
python-qpid-0.12-1.el6.noarch
qpid-cpp-server-0.12-6.el6.x86_64
qpid-cpp-server-ssl-0.12-6.el6.x86_64
qpid-cpp-client-ssl-0.12-6.el6.x86_64
-------
Looks like QPID already has a bug on this: https://bugzilla.redhat.com/show_bug.cgi?id=790759
Added this issue to the 2.0.2 release notes. Punting the issue to the 2.1 release. Going to leave it open just so that we don't forget to bump to a new build of qpid (if available).
*** Bug 806827 has been marked as a duplicate of this bug. ***
Need to verify that the fixed qpidd bug also fixes this issue. If this is fixed, we need to remove it from the release notes.
Looks like the version of qpid that fixes this will be available in RHEL 6.3.

Current qpid versions in rhui 2.0.3:
[root@domU-12-31-39-0F-29-EE ~]# rpm -qa | grep qpid
qpid-cpp-*-0.14-14

qpid version where the various bugs say it's fixed:
qpid-cpp-*0.14-15

Checking this out w/ a RHUI install on
ami-48bc1b21 aki-ecfa0185 (private part x86_64) X86_64 RHEL RHEL-Starter 6.3-beta EBS backed image us-east-1 VISIBLE
[root@ip-10-4-114-127 ~]# rpm -qa | grep qpid-cpp
qpid-cpp-client-0.14-15.el6.x86_64
qpid-cpp-client-ssl-0.14-15.el6.x86_64
qpid-cpp-server-0.14-15.el6.x86_64
qpid-cpp-server-ssl-0.14-15.el6.x86_64
[root@ip-10-4-114-127 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)
Retesting this now: RHUI 2.0.3 deployed on RHEL 6.3 w/ the above qpid-cpp rpms.
* Syncing RHUI 2.0 and syncing to the CDS did not cause a denial
* Currently syncing RHEL6
Not able to recreate in RHEL 6.3 beta w/ RHUI 2.0.3. I guess this can be flipped once RHEL 6.3 is GA.
The log can't be seen anymore with build: RHEL-6.3-RHUI-2.1-20120705.0/2.1.3/
Switching to verified.

### Verifying screen log
[root@ip-10-2-198-125 ~]# grep -i avc /var/log/audit/audit*.log
[root@ip-10-2-198-125 ~]# echo $?
1
[root@ip-10-2-198-125 ~]# ls /var/log/audit/audit*.log
/var/log/audit/audit.1.log  /var/log/audit/audit.log
[root@ip-10-2-198-125 ~]# rpm -qa | grep qpid-cpp
qpid-cpp-server-ssl-0.14-16.el6.x86_64
qpid-cpp-client-0.14-16.el6.x86_64
qpid-cpp-client-ssl-0.14-16.el6.x86_64
qpid-cpp-server-0.14-16.el6.x86_64
[root@ip-10-2-198-125 ~]#
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
A qpidd AVC denial was present in the SELinux audit log. This update uses a new version of qpidd with updated SELinux policy that fixes the denial.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1205.html