Bug 807678 - bcfg2-server runs as initrc_t
bcfg2-server runs as initrc_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.3
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
:
: 805818 854615 (view as bug list)
Depends On:
Blocks: 832330
  Show dependency treegraph
 
Reported: 2012-03-28 09:40 EDT by Milos Malik
Modified: 2014-09-30 19:33 EDT (History)
3 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-160.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 03:34:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Initial policy developed on Fedora (10.00 KB, application/x-gzip)
2012-03-28 11:42 EDT, Daniel Walsh
no flags Details

  None (edit)
Description Milos Malik 2012-03-28 09:40:12 EDT
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-doc-3.7.19-143.el6.noarch
selinux-policy-3.7.19-143.el6.noarch
selinux-policy-mls-3.7.19-143.el6.noarch
selinux-policy-minimum-3.7.19-143.el6.noarch
selinux-policy-targeted-3.7.19-143.el6.noarch

How reproducible:
always

Steps to Reproduce:
# run_init service bcfg2-server status
Authenticating root.
Password: 
bcfg2-server is not running                                [FAILED]
# run_init service bcfg2-server start
Authenticating root.
Password: 
Starting Configuration Management Server: bcfg2-server     [  OK  ]
# run_init service bcfg2-server status
Authenticating root.
Password: 
bcfg2-server (pid 5647) is running...
# ps -efZ | grep bcfg2-server
system_u:system_r:initrc_t:s0   root      5647     1  0 14:38 ?        00:00:00 /usr/bin/python /usr/sbin/bcfg2-server -D /var/run/bcfg2-server.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5667 5574  0 14:38 pts/0 00:00:00 grep bcfg2-server
#

Actual results:
* bcfg2-server runs as initrc_t

Expected results:
* bcfg2-server runs in its own SELinux domain
Comment 1 Daniel Walsh 2012-03-28 11:42:08 EDT
Created attachment 573381 [details]
Initial policy developed on Fedora

Please untar and run shell script, then test the policy and attach avc's.  I have no idea how to set this up.
Comment 2 Milos Malik 2012-03-29 04:00:08 EDT
# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-143.el6.noarch
selinux-policy-3.7.19-143.el6.noarch
selinux-policy-mls-3.7.19-143.el6.noarch
selinux-policy-minimum-3.7.19-143.el6.noarch
selinux-policy-targeted-3.7.19-143.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# service bcfg2-server start
Starting Configuration Management Server: bcfg2-server     [  OK  ]
# service bcfg2-server status
bcfg2-server (pid 21355) is running...
# service bcfg2-server stop
Stopping Configuration Management Server: bcfg2-server     [  OK  ]
# ausearch -m avc -m user_avc -m selinux_err -ts recent
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.522:2212): arch=c000003e syscall=2 success=yes exit=5 a0=13be560 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { write open } for  pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" dev=sda3 ino=5244626 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { create } for  pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { add_name } for  pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { write } for  pid=21355 comm="bcfg2-server" name="run" dev=sda3 ino=5243215 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.522:2213): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff3c448620 a2=7fff3c448620 a3=0 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.522:2213): avc:  denied  { getattr } for  pid=21355 comm="bcfg2-server" path="/var/run/bcfg2-server.pid" dev=sda3 ino=5244626 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.526:2214): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffff36777a0 a2=7ffff36777a0 a3=6 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.526:2214): avc:  denied  { getattr } for  pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.660:2215): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff3c4472e0 a2=10 a3=7fff3c447168 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.660:2215): avc:  denied  { name_bind } for  pid=21355 comm="bcfg2-server" src=6789 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.661:2216): arch=c000003e syscall=50 success=yes exit=0 a0=6 a1=5 a2=7f85199f5dc8 a3=10 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.661:2216): avc:  denied  { listen } for  pid=21355 comm="bcfg2-server" laddr=10.34.1.190 lport=6789 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:system_r:bcfg2_t:s0 tclass=tcp_socket
----
time->Thu Mar 29 08:56:19 2012
type=SYSCALL msg=audit(1333004179.210:2218): arch=c000003e syscall=0 success=yes exit=96 a0=3 a1=247d000 a2=400 a3=800 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004179.210:2218): avc:  denied  { read } for  pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Thu Mar 29 08:56:19 2012
type=SYSCALL msg=audit(1333004179.200:2217): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=541b a2=7ffff367776c a3=7ffff36774e0 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004179.200:2217): avc:  denied  { ioctl } for  pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
#
Comment 3 Milos Malik 2012-03-29 04:42:03 EDT
It seems that bcfg2-server or some library that is used by bcfg2-server starts gam_server.

# ps -efZ | grep -e gam -e bcfg2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21878 21173  0 09:38 pts/0 00:00:00 grep -e gam -e bcfg2
# run_init service bcfg2-server start
Authenticating root.
Password: 
Starting Configuration Management Server: bcfg2-server     [  OK  ]
# ps -efZ | grep -e gam -e bcfg2
system_u:system_r:bcfg2_t:s0    root     21900     1  1 09:38 ?        00:00:00 /usr/bin/python /usr/sbin/bcfg2-server -D /var/run/bcfg2-server.pid
system_u:system_r:bcfg2_t:s0    root     21902     1  0 09:38 ?        00:00:00 /usr/libexec/gam_server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21910 21173  0 09:38 pts/0 00:00:00 grep -e gam -e bcfg2
# 

That's why gam_server is mentioned in AVCs in previous comment.
Comment 4 Miroslav Grepl 2012-03-29 04:51:32 EDT
Could you look if there is an option to not use gam_server for bcfg2-server?
Comment 5 Miroslav Grepl 2012-03-29 05:03:48 EDT
I adde some fixes which don't relate with gam_server. We need to look at it.
Comment 6 Milos Malik 2012-03-29 05:24:37 EDT
I didn't found any bcfg2-server option that would disable the use of gam_server.

After issuing "mv /usr/libexec/gam_server /usr/libexec/gam_server.do_not_use" command bcfg2-server refuses to start.
Comment 7 Daniel Walsh 2012-03-29 07:10:47 EDT
Can you open a bug with bcfg2-server to use inotify and not gam_server.  It will be very difficult to write policy to confine an app that uses gam_server, since any app can start it, and gam_server watched files everywhere.
Comment 8 Milos Malik 2012-03-29 10:12:32 EDT
Don't know who triggered it but here is another AVC:
----
time->Thu Mar 29 15:01:01 2012
type=SYSCALL msg=audit(1333026061.779:2361): arch=c000003e syscall=43 success=yes exit=7 a0=6 a1=7fff0956b950 a2=7fff0956b94c a3=1449c30 items=0 ppid=1 pid=22597 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=36 comm="bcfg2-server" exe="/usr/bin/python" subj=system_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333026061.779:2361): avc:  denied  { accept } for  pid=22597 comm="bcfg2-server" laddr=10.34.1.190 lport=6789 scontext=system_u:system_r:bcfg2_t:s0 tcontext=system_u:system_r:bcfg2_t:s0 tclass=tcp_socket
----
Comment 9 Milos Malik 2012-03-29 10:27:40 EDT
Previous AVC appears each hour, which means that it's triggered by bcfg2 cron job, which is in my setup executed each hour.

If bcfg2-server is running you can use following command as reproducer:
nc <hostname> 6789
Comment 10 Miroslav Grepl 2012-04-02 12:46:16 EDT
I believe we will need to move it to RHEL6.4 and leave it as initrc_t for now. Milos did you open a bug?
Comment 11 Miroslav Grepl 2012-04-02 13:00:48 EDT
*** Bug 805818 has been marked as a duplicate of this bug. ***
Comment 12 Milos Malik 2012-04-03 02:38:21 EDT
Here is the bug opened with bcfg2:
https://bugzilla.redhat.com/show_bug.cgi?id=808045
Comment 13 RHEL Product and Program Management 2012-07-10 04:20:16 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 14 RHEL Product and Program Management 2012-07-10 21:55:27 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 15 Miroslav Grepl 2012-09-04 07:50:38 EDT
Added to selinux-policy-3.7.19-160.el6. Also as unconfined policy.
Comment 16 Miroslav Grepl 2012-09-06 01:02:49 EDT
*** Bug 854615 has been marked as a duplicate of this bug. ***
Comment 19 errata-xmlrpc 2013-02-21 03:34:55 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.