807678 – bcfg2-server runs as initrc_t

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 807678 - bcfg2-server runs as initrc_t

Summary: bcfg2-server runs as initrc_t

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.3
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Michal Trunecka
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	805818 854615 (view as bug list)
Depends On:
Blocks:	832330
TreeView+	depends on / blocked

Reported:	2012-03-28 13:40 UTC by Milos Malik
Modified:	2014-09-30 23:33 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.7.19-160.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-02-21 08:34:55 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Initial policy developed on Fedora (10.00 KB, application/x-gzip) 2012-03-28 15:42 UTC, Daniel Walsh	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0314	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-02-20 20:35:01 UTC

Description Milos Malik 2012-03-28 13:40:12 UTC

Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-doc-3.7.19-143.el6.noarch
selinux-policy-3.7.19-143.el6.noarch
selinux-policy-mls-3.7.19-143.el6.noarch
selinux-policy-minimum-3.7.19-143.el6.noarch
selinux-policy-targeted-3.7.19-143.el6.noarch

How reproducible:
always

Steps to Reproduce:
# run_init service bcfg2-server status
Authenticating root.
Password: 
bcfg2-server is not running                                [FAILED]
# run_init service bcfg2-server start
Authenticating root.
Password: 
Starting Configuration Management Server: bcfg2-server     [  OK  ]
# run_init service bcfg2-server status
Authenticating root.
Password: 
bcfg2-server (pid 5647) is running...
# ps -efZ | grep bcfg2-server
system_u:system_r:initrc_t:s0   root      5647     1  0 14:38 ?        00:00:00 /usr/bin/python /usr/sbin/bcfg2-server -D /var/run/bcfg2-server.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5667 5574  0 14:38 pts/0 00:00:00 grep bcfg2-server
#

Actual results:
* bcfg2-server runs as initrc_t

Expected results:
* bcfg2-server runs in its own SELinux domain

Comment 1 Daniel Walsh 2012-03-28 15:42:08 UTC

Created attachment 573381 [details]
Initial policy developed on Fedora

Please untar and run shell script, then test the policy and attach avc's.  I have no idea how to set this up.

Comment 2 Milos Malik 2012-03-29 08:00:08 UTC

# rpm -qa selinux-policy\*
selinux-policy-doc-3.7.19-143.el6.noarch
selinux-policy-3.7.19-143.el6.noarch
selinux-policy-mls-3.7.19-143.el6.noarch
selinux-policy-minimum-3.7.19-143.el6.noarch
selinux-policy-targeted-3.7.19-143.el6.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# service bcfg2-server start
Starting Configuration Management Server: bcfg2-server     [  OK  ]
# service bcfg2-server status
bcfg2-server (pid 21355) is running...
# service bcfg2-server stop
Stopping Configuration Management Server: bcfg2-server     [  OK  ]
# ausearch -m avc -m user_avc -m selinux_err -ts recent
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.522:2212): arch=c000003e syscall=2 success=yes exit=5 a0=13be560 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { write open } for  pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" dev=sda3 ino=5244626 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { create } for  pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { add_name } for  pid=21355 comm="bcfg2-server" name="bcfg2-server.pid" scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1333004151.522:2212): avc:  denied  { write } for  pid=21355 comm="bcfg2-server" name="run" dev=sda3 ino=5243215 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.522:2213): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff3c448620 a2=7fff3c448620 a3=0 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.522:2213): avc:  denied  { getattr } for  pid=21355 comm="bcfg2-server" path="/var/run/bcfg2-server.pid" dev=sda3 ino=5244626 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.526:2214): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffff36777a0 a2=7ffff36777a0 a3=6 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.526:2214): avc:  denied  { getattr } for  pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.660:2215): arch=c000003e syscall=49 success=yes exit=0 a0=6 a1=7fff3c4472e0 a2=10 a3=7fff3c447168 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.660:2215): avc:  denied  { name_bind } for  pid=21355 comm="bcfg2-server" src=6789 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:cyphesis_port_t:s0 tclass=tcp_socket
----
time->Thu Mar 29 08:55:51 2012
type=SYSCALL msg=audit(1333004151.661:2216): arch=c000003e syscall=50 success=yes exit=0 a0=6 a1=5 a2=7f85199f5dc8 a3=10 items=0 ppid=1 pid=21355 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="bcfg2-server" exe="/usr/bin/python" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004151.661:2216): avc:  denied  { listen } for  pid=21355 comm="bcfg2-server" laddr=10.34.1.190 lport=6789 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=unconfined_u:system_r:bcfg2_t:s0 tclass=tcp_socket
----
time->Thu Mar 29 08:56:19 2012
type=SYSCALL msg=audit(1333004179.210:2218): arch=c000003e syscall=0 success=yes exit=96 a0=3 a1=247d000 a2=400 a3=800 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004179.210:2218): avc:  denied  { read } for  pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
time->Thu Mar 29 08:56:19 2012
type=SYSCALL msg=audit(1333004179.200:2217): arch=c000003e syscall=16 success=yes exit=0 a0=3 a1=541b a2=7ffff367776c a3=7ffff36774e0 items=0 ppid=1 pid=21357 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="gam_server" exe="/usr/libexec/gam_server" subj=unconfined_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333004179.200:2217): avc:  denied  { ioctl } for  pid=21357 comm="gam_server" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:bcfg2_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
#

Comment 3 Milos Malik 2012-03-29 08:42:03 UTC

It seems that bcfg2-server or some library that is used by bcfg2-server starts gam_server.

# ps -efZ | grep -e gam -e bcfg2
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21878 21173  0 09:38 pts/0 00:00:00 grep -e gam -e bcfg2
# run_init service bcfg2-server start
Authenticating root.
Password: 
Starting Configuration Management Server: bcfg2-server     [  OK  ]
# ps -efZ | grep -e gam -e bcfg2
system_u:system_r:bcfg2_t:s0    root     21900     1  1 09:38 ?        00:00:00 /usr/bin/python /usr/sbin/bcfg2-server -D /var/run/bcfg2-server.pid
system_u:system_r:bcfg2_t:s0    root     21902     1  0 09:38 ?        00:00:00 /usr/libexec/gam_server
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 21910 21173  0 09:38 pts/0 00:00:00 grep -e gam -e bcfg2
# 

That's why gam_server is mentioned in AVCs in previous comment.

Comment 4 Miroslav Grepl 2012-03-29 08:51:32 UTC

Could you look if there is an option to not use gam_server for bcfg2-server?

Comment 5 Miroslav Grepl 2012-03-29 09:03:48 UTC

I adde some fixes which don't relate with gam_server. We need to look at it.

Comment 6 Milos Malik 2012-03-29 09:24:37 UTC

I didn't found any bcfg2-server option that would disable the use of gam_server.

After issuing "mv /usr/libexec/gam_server /usr/libexec/gam_server.do_not_use" command bcfg2-server refuses to start.

Comment 7 Daniel Walsh 2012-03-29 11:10:47 UTC

Can you open a bug with bcfg2-server to use inotify and not gam_server.  It will be very difficult to write policy to confine an app that uses gam_server, since any app can start it, and gam_server watched files everywhere.

Comment 8 Milos Malik 2012-03-29 14:12:32 UTC

Don't know who triggered it but here is another AVC:
----
time->Thu Mar 29 15:01:01 2012
type=SYSCALL msg=audit(1333026061.779:2361): arch=c000003e syscall=43 success=yes exit=7 a0=6 a1=7fff0956b950 a2=7fff0956b94c a3=1449c30 items=0 ppid=1 pid=22597 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=36 comm="bcfg2-server" exe="/usr/bin/python" subj=system_u:system_r:bcfg2_t:s0 key=(null)
type=AVC msg=audit(1333026061.779:2361): avc:  denied  { accept } for  pid=22597 comm="bcfg2-server" laddr=10.34.1.190 lport=6789 scontext=system_u:system_r:bcfg2_t:s0 tcontext=system_u:system_r:bcfg2_t:s0 tclass=tcp_socket
----

Comment 9 Milos Malik 2012-03-29 14:27:40 UTC

Previous AVC appears each hour, which means that it's triggered by bcfg2 cron job, which is in my setup executed each hour.

If bcfg2-server is running you can use following command as reproducer:
nc <hostname> 6789

Comment 10 Miroslav Grepl 2012-04-02 16:46:16 UTC

I believe we will need to move it to RHEL6.4 and leave it as initrc_t for now. Milos did you open a bug?

Comment 11 Miroslav Grepl 2012-04-02 17:00:48 UTC

*** Bug 805818 has been marked as a duplicate of this bug. ***

Comment 12 Milos Malik 2012-04-03 06:38:21 UTC

Here is the bug opened with bcfg2:
https://bugzilla.redhat.com/show_bug.cgi?id=808045

Comment 13 RHEL Program Management 2012-07-10 08:20:16 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 14 RHEL Program Management 2012-07-11 01:55:27 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 15 Miroslav Grepl 2012-09-04 11:50:38 UTC

Added to selinux-policy-3.7.19-160.el6. Also as unconfined policy.

Comment 16 Miroslav Grepl 2012-09-06 05:02:49 UTC

*** Bug 854615 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2013-02-21 08:34:55 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

Note You need to log in before you can comment on or make changes to this bug.