Bug 830860 - AVCs from certmonger
Summary: AVCs from certmonger
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-06-11 14:19 UTC by Michal Trunecka
Modified: 2014-09-30 23:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 11:35:28 UTC
Target Upstream Version:
Embargoed:



Description Michal Trunecka 2012-06-11 14:19:16 UTC
Description of problem:
The certmonger test (/CoreOS/selinux-policy/Regression/bz640641-certmonger-and-similar) triggers the following AVCs (but the functional part of the test PASSed):

----
time->Mon Jun 11 09:50:00 2012
type=SYSCALL msg=audit(1339422600.778:1291): arch=c000003e syscall=59 success=no exit=-13 a0=20f8df0 a1=20f8e70 a2=20f75d0 a3=7fff9fe0c460 items=0 ppid=15930 pid=15931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="service" exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1339422600.778:1291): avc:  denied  { execute } for  pid=15931 comm="service" name="systemctl" dev="dm-1" ino=8657 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----
time->Mon Jun 11 09:50:00 2012
type=SYSCALL msg=audit(1339422600.779:1292): arch=c000003e syscall=4 success=no exit=-13 a0=20f8df0 a1=7fff9fe0c630 a2=7fff9fe0c630 a3=7fff9fe0c460 items=0 ppid=15930 pid=15931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="service" exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1339422600.779:1292): avc:  denied  { getattr } for  pid=15931 comm="service" path="/usr/bin/systemctl" dev="dm-1" ino=8657 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----
time->Mon Jun 11 09:50:00 2012
type=SYSCALL msg=audit(1339422600.779:1293): arch=c000003e syscall=4 success=no exit=-13 a0=20f8df0 a1=7fff9fe0c610 a2=7fff9fe0c610 a3=7fff9fe0c460 items=0 ppid=15930 pid=15931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="service" exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1339422600.779:1293): avc:  denied  { getattr } for  pid=15931 comm="service" path="/usr/bin/systemctl" dev="dm-1" ino=8657 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
----
time->Mon Jun 11 09:50:00 2012
type=SYSCALL msg=audit(1339422600.783:1294): arch=c000003e syscall=4 success=no exit=-13 a0=20f8df0 a1=7fff9fe0c6f0 a2=7fff9fe0c6f0 a3=2 items=0 ppid=15930 pid=15931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="service" exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1339422600.783:1294): avc:  denied  { getattr } for  pid=15931 comm="service" path="/usr/bin/systemctl" dev="dm-1" ino=8657 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file



Version-Release number of selected component (if applicable):
certmonger-0.56-1.el7.x86_64
selinux-policy-3.10.0-128.el7.noarch

How reproducible:
Using the automated test:
/CoreOS/selinux-policy/Regression/bz640641-certmonger-and-similar


Actual results:
AVCs

Expected results:
No AVCs

Comment 1 Daniel Walsh 2012-06-11 15:47:48 UTC
What domains is it trying to restart?

Comment 2 Milos Malik 2012-06-12 06:34:31 UTC
The automated test restarts httpd service.

Comment 3 Daniel Walsh 2012-06-12 16:10:20 UTC
Should certmonger be allowed to restart any service?

Comment 4 Nalin Dahyabhai 2012-06-12 17:58:23 UTC
(In reply to comment #3)
> Should certmonger be allowed to restart any service?

Generally, no, since it's not required by certmonger itself.

This test appears to expect that /usr/lib${BITS}/ipa/certmonger/httpd_restart will run effectively unconfined when it's started by the daemon, and it looks like the policy includes a certmonger module which includes a transition rule that would let that happen for the sake of IPA.

Comment 5 Daniel Walsh 2012-06-12 18:54:32 UTC
ls -lZ  /usr/lib64/ipa/certmonger

Comment 6 Milos Malik 2012-06-13 06:17:42 UTC
# ls -lZ  /usr/lib64/ipa/certmonger
-rwxr-xr-x. root root unconfined_u:object_r:certmonger_unconfined_exec_t:s0 httpd_restart
#

Comment 7 Daniel Walsh 2012-06-13 15:53:41 UTC
 sesearch -T -s certmonger_t -t certmonger_unconfined_exec_t
Found 1 semantic te rules:
   type_transition certmonger_t certmonger_unconfined_exec_t : process certmonger_unconfined_t;

Comment 8 Miroslav Grepl 2012-06-28 14:14:25 UTC
Yes, there should be the transition.

Milos,
this is the same issue which we had on RHEL6. AFAIK there was a trick to make this work?

Comment 9 Milos Malik 2012-09-13 14:25:05 UTC
Here is another AVC I see on my RHEL 7.0 machine:
----
type=SYSCALL msg=audit(09/13/2012 16:19:30.145:670) : arch=x86_64 syscall=epoll_ctl success=yes exit=0 a0=0x3 a1=0x2 a2=0x4 a3=0x7fff7bd40560 items=0 ppid=1 pid=2667 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/13/2012 16:19:30.145:670) : avc:  denied  { block_suspend } for  pid=2667 comm=certmonger capability= scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability2 
----

Here is the reproducer:
# service certmonger restart
Redirecting to /bin/systemctl restart  certmonger.service
#

Comment 10 Nalin Dahyabhai 2012-09-13 16:04:44 UTC
Well, certmonger uses libtevent, which certainly calls epoll_ctl(), but I'm not clear on why this access is being checked inside of the syscall.

Comment 11 Miroslav Grepl 2012-09-13 17:22:29 UTC
Milos, Michal, and how about the issue from comment #6?

Comment 12 Milos Malik 2012-09-14 09:34:00 UTC
Here are all unique AVCs I see on my RHEL-7.0 machine in enforcing mode:
----
type=PATH msg=audit(09/14/2012 11:22:44.333:5529) : item=0 name=/sys/fs/cgroup/systemd 
type=CWD msg=audit(09/14/2012 11:22:44.333:5529) :  cwd=/ 
type=SYSCALL msg=audit(09/14/2012 11:22:44.333:5529) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7fff90ec4f1f a1=0x7fff90ec2c50 a2=0x7fff90ec2c50 a3=0xb items=1 ppid=32108 pid=32110 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mountpoint exe=/usr/bin/mountpoint subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/14/2012 11:22:44.333:5529) : avc:  denied  { search } for  pid=32110 comm=mountpoint name=/ dev="tmpfs" ino=1189 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir 
----
type=PATH msg=audit(09/14/2012 11:22:44.335:5530) : item=0 name=/sbin/consoletype inode=3673881 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:consoletype_exec_t:s0 
type=CWD msg=audit(09/14/2012 11:22:44.335:5530) :  cwd=/ 
type=SYSCALL msg=audit(09/14/2012 11:22:44.335:5530) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0xa6f090 a1=0xa650a0 a2=0xa6f160 a3=0x10 items=1 ppid=32111 pid=32112 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=service exe=/usr/bin/bash subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/14/2012 11:22:44.335:5530) : avc:  denied  { execute } for  pid=32112 comm=service name=consoletype dev="sda4" ino=3673881 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file 
----
type=PATH msg=audit(09/14/2012 11:22:44.335:5531) : item=0 name=/sbin/consoletype inode=3673881 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:consoletype_exec_t:s0 
type=CWD msg=audit(09/14/2012 11:22:44.335:5531) :  cwd=/ 
type=SYSCALL msg=audit(09/14/2012 11:22:44.335:5531) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xa6f090 a1=0x7fff05ce4400 a2=0x7fff05ce4400 a3=0x10 items=1 ppid=32111 pid=32112 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=service exe=/usr/bin/bash subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/14/2012 11:22:44.335:5531) : avc:  denied  { getattr } for  pid=32112 comm=service path=/usr/sbin/consoletype dev="sda4" ino=3673881 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file 
----
type=PATH msg=audit(09/14/2012 11:22:44.335:5532) : item=0 name=/sbin/consoletype inode=3673881 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:consoletype_exec_t:s0 
type=CWD msg=audit(09/14/2012 11:22:44.335:5532) :  cwd=/ 
type=SYSCALL msg=audit(09/14/2012 11:22:44.335:5532) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0xa6f090 a1=0x7fff05ce43e0 a2=0x7fff05ce43e0 a3=0x10 items=1 ppid=32111 pid=32112 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=service exe=/usr/bin/bash subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/14/2012 11:22:44.335:5532) : avc:  denied  { getattr } for  pid=32112 comm=service path=/usr/sbin/consoletype dev="sda4" ino=3673881 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file 
----
type=PATH msg=audit(09/14/2012 11:22:44.343:5533) : item=0 name=/bin/systemctl inode=3673918 dev=08:04 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 
type=CWD msg=audit(09/14/2012 11:22:44.343:5533) :  cwd=/ 
type=SYSCALL msg=audit(09/14/2012 11:22:44.343:5533) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=0xa684e0 a1=0xa90e80 a2=0xa697c0 a3=0x8 items=1 ppid=32106 pid=32107 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=service exe=/usr/bin/bash subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/14/2012 11:22:44.343:5533) : avc:  denied  { execute } for  pid=32107 comm=service name=systemctl dev="sda4" ino=3673918 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file 
----
type=SYSCALL msg=audit(09/14/2012 11:22:44.343:5537) : arch=x86_64 syscall=epoll_ctl success=yes exit=0 a0=0x3 a1=0x2 a2=0x9 a3=0x7fffaa6cdf80 items=0 ppid=1 pid=32031 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/14/2012 11:22:44.343:5537) : avc:  denied  { block_suspend } for  pid=32031 comm=certmonger capability= scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability2 
----
# rpm -qa | grep -e selinux-policy -e certmonger | sort
certmonger-0.59-2.el7.x86_64
selinux-policy-3.11.1-11.el7.noarch
selinux-policy-devel-3.11.1-11.el7.noarch
selinux-policy-doc-3.11.1-11.el7.noarch
selinux-policy-minimum-3.11.1-11.el7.noarch
selinux-policy-targeted-3.11.1-11.el7.noarch
# ls -Z /usr/lib64/ipa/certmonger/httpd_restart
-rwxr-xr-x. root root unconfined_u:object_r:certmonger_unconfined_exec_t:s0 /usr/lib64/ipa/certmonger/httpd_restart
#
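The description and comment 12 list the denials by hand; the following added example (not part of this bug report or of the selinux-policy project) parses audit records in both the raw audit.log form quoted in the description and the interpreted `ausearch -i` form quoted in comments 9 and 12, collapses repeats into the unique (source type, target type, class) triples, and renders them in the allow-rule syntax audit2allow prints, so a reviewer can see at a glance which accesses a domain is asking for before deciding, as this thread does, that a transition rather than a broad allow is the right fix. The sample records are constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: records modelled on the denials quoted in this bug, two in
# the raw audit.log form and one in the ausearch -i (interpreted) form.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1339422600.778:1291): avc:  denied  { execute } for  pid=15931 comm="service" name="systemctl" dev="dm-1" ino=8657 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=AVC msg=audit(1339422600.779:1292): avc:  denied  { getattr } for  pid=15931 comm="service" path="/usr/bin/systemctl" dev="dm-1" ino=8657 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1339422600.779:1292): arch=c000003e syscall=4 success=no exit=-13 comm="service" exe="/usr/bin/bash" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(09/13/2012 16:19:30.145:670) : avc:  denied  { block_suspend } for  pid=2667 comm=certmonger capability= scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=capability2
"""

# Matches both record styles: the permission set in braces, then the
# scontext/tcontext/tclass triple that follows the "for ..." fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type (third field) of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, permission) for every AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD and other record types carry no denial
        src = selinux_type(m.group("scontext"))
        tgt = selinux_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def unique_denials(text):
    """Collapse repeated records into {(src, tgt, tclass): sorted permission list}."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        grouped[(src, tgt, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in grouped.items()}


def format_rules(summary):
    """Render the summary in audit2allow's allow-rule syntax; a target equal to the source becomes 'self'."""
    return [
        f"allow {s} {'self' if t == s else t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in sorted(summary.items())
    ]
```

Running `format_rules(unique_denials(SAMPLE_AUDIT))` on the constructed sample yields one file rule against systemd_systemctl_exec_t and one self capability2 rule, which is exactly the shape comment 12 enumerates by hand.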

Comment 14 Nalin Dahyabhai 2012-09-17 14:17:09 UTC
(In reply to comment #10)
> Well, certmonger uses libtevent, which certainly calls epoll_ctl(), but I'm
> not clear on why this access is being checked inside of the syscall.

According to http://www.spinics.net/lists/selinux/msg12690.html (link from spoore@), the denial in comment #9 is due to the kernel's capability being renamed from epollwakeup to block_suspend, so I guess that's to be expected.

Comment 15 Daniel Walsh 2012-10-12 19:10:32 UTC
Fixed in selinux-policy-3.11.1-38.el7

Comment 17 Ludek Smid 2014-06-13 11:35:28 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

