955703 – Admin server restart from console denied by SELinux

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 955703 - Admin server restart from console denied by SELinux

Summary: Admin server restart from console denied by SELinux

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.4
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	919192
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-23 14:55 UTC by Libor Miksik
Modified:	2013-05-20 14:43 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.7.19-195.el6_4.5
Doc Type:	Bug Fix
Doc Text:	Due to an incorrect label on the /var/lock/subsys/dirsrv-admin file, attempts to restart the Administration server from the console or from the command line failed and AVC denial messages were returned. This update adds the proper default security context for the /var/lock/subsys/dirsrv-admin file, and denial messages are no longer returned in the described scenario.
Clone Of:
Environment:
Last Closed:	2013-05-20 14:43:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0835	0	normal	SHIPPED_LIVE	selinux-policy bug fix update	2013-05-20 18:42:30 UTC

Description Libor Miksik 2013-04-23 14:55:03 UTC

This bug has been copied from bug #919192 and has been proposed
to be backported to 6.4 z-stream (EUS).

Comment 5 Ján Rusnačko 2013-04-26 13:57:11 UTC

In Enforcing mode, I see following in /var/log/dirsrv/admin-serv/error:

[Fri Apr 26 15:50:13 2013] [notice] caught SIGTERM, shutting down
[Fri Apr 26 15:50:14 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0
[Fri Apr 26 15:50:15 2013] [notice] Access Host filter is: *.example.com
[Fri Apr 26 15:50:15 2013] [notice] Access Address filter is: *
[Fri Apr 26 15:50:16 2013] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Fri Apr 26 15:50:16 2013] [notice] Access Host filter is: *.example.com
[Fri Apr 26 15:50:16 2013] [notice] Access Address filter is: *
Permission denied
[Fri Apr 26 15:50:17 2013] [notice] [client 192.168.122.184] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.122.184

When I switch to permissive mode, "Permission denied" error from log goes away. audit.log with dontaudit rules disabled sent to mmalik.

Comment 6 Miroslav Grepl 2013-04-26 20:12:21 UTC

Ok, it looks like the problem is with the lock file.

allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };

Do you run restorecon on the lock file in the init script?

Comment 7 Michal Trunecka 2013-04-27 11:40:13 UTC

As I looked at the audit.log, it seems not to be an issue with var_lock_t. The issue is with these rules (got from audit2allow):

allow httpd_dirsrvadmin_script_t default_context_t:dir search;
allow httpd_dirsrvadmin_script_t default_context_t:file { read getattr open };
allow httpd_dirsrvadmin_script_t file_context_t:dir search;
allow httpd_dirsrvadmin_script_t file_context_t:file { read getattr open };

because dirserver calles restorecon and it keeps httpd_dirsrvadmin_script_t type. That's why the lock file didn't get the correct context in enforcing.

Comment 8 Miroslav Grepl 2013-04-29 05:26:23 UTC

I don't think so. The restorecon should called from init script as we mentioned it in RHEL6.5 bug. These are dontaudit rules and we don't allow them on RHEL6.5 where we got it working.

Comment 9 Ján Rusnačko 2013-04-29 12:44:52 UTC

(In reply to comment #6)
> Ok, it looks like the problem is with the lock file.
> 
> allow httpd_dirsrvadmin_script_t var_lock_t:file { getattr unlink };
> 
> Do you run restorecon on the lock file in the init script?

Yes, restorecon is run on the lock file. I checked and lock file has correct label before and after restart.

[jrusnack@dstet dirsrv]$ ls -Z /var/lock/subsys/dirsrv-admin
-rw-------. root root unconfined_u:object_r:dirsrv_var_lock_t:s0
/var/lock/subsys/dirsrv-admin

Comment 10 Miroslav Grepl 2013-04-29 12:58:05 UTC

Ok, and if you turn on dontaudit rules

# semodule -B

re-test in permissive mode

# setenforce 0
# sesearch -m avc -ts recent

shows anything?

Comment 11 Ján Rusnačko 2013-04-30 20:35:58 UTC

(In reply to comment #10)
> Ok, and if you turn on dontaudit rules
> 
> # semodule -B
> 
> re-test in permissive mode
> 
> # setenforce 0
> # sesearch -m avc -ts recent
> 
> shows anything?

sesearch not found, so I used ausearch:

[jrusnack@dstet ~]$ sudo semodule -B
[jrusnack@dstet ~]$ sudo setenforce 0
re-test
[jrusnack@dstet ~]$ sudo ausearch -m avc -ts recent
----
time->Tue Apr 30 22:33:41 2013
type=SYSCALL msg=audit(1367354021.103:25939): arch=c000003e syscall=2 success=yes exit=5 a0=7f577063c400 a1=0 a2=1b6 a3=0 items=0 ppid=3043 pid=3185 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)
type=AVC msg=audit(1367354021.103:25939): avc:  denied  { open } for  pid=3185 comm="restorecon" name="file_contexts" dev=dm-0 ino=147067 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1367354021.103:25939): avc:  denied  { read } for  pid=3185 comm="restorecon" name="file_contexts" dev=dm-0 ino=147067 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
----
time->Tue Apr 30 22:33:41 2013
type=SYSCALL msg=audit(1367354021.103:25938): arch=c000003e syscall=2 success=no exit=-2 a0=7f577063ca00 a1=0 a2=1b6 a3=0 items=0 ppid=3043 pid=3185 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)
type=AVC msg=audit(1367354021.103:25938): avc:  denied  { search } for  pid=3185 comm="restorecon" name="files" dev=dm-0 ino=131533 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1367354021.103:25938): avc:  denied  { search } for  pid=3185 comm="restorecon" name="contexts" dev=dm-0 ino=131527 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
----
time->Tue Apr 30 22:33:41 2013
type=SYSCALL msg=audit(1367354021.103:25940): arch=c000003e syscall=5 success=yes exit=0 a0=5 a1=7fff0a05d2e0 a2=7fff0a05d2e0 a3=7fff0a05cfe0 items=0 ppid=3043 pid=3185 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)
type=AVC msg=audit(1367354021.103:25940): avc:  denied  { getattr } for  pid=3185 comm="restorecon" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=147067 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
----
time->Tue Apr 30 22:33:41 2013
type=SYSCALL msg=audit(1367354021.198:25941): arch=c000003e syscall=2 success=yes exit=6 a0=7f577063c560 a1=0 a2=1b6 a3=0 items=0 ppid=3043 pid=3185 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)
type=AVC msg=audit(1367354021.198:25941): avc:  denied  { open } for  pid=3185 comm="restorecon" name="customizable_types" dev=dm-0 ino=131888 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file
type=AVC msg=audit(1367354021.198:25941): avc:  denied  { read } for  pid=3185 comm="restorecon" name="customizable_types" dev=dm-0 ino=131888 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file
----
time->Tue Apr 30 22:33:41 2013
type=SYSCALL msg=audit(1367354021.198:25942): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff0a05dfb0 a2=7fff0a05dfb0 a3=7fff0a05dea0 items=0 ppid=3043 pid=3185 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="restorecon" exe="/sbin/setfiles" subj=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 key=(null)
type=AVC msg=audit(1367354021.198:25942): avc:  denied  { getattr } for  pid=3185 comm="restorecon" path="/etc/selinux/targeted/contexts/customizable_types" dev=dm-0 ino=131888 scontext=unconfined_u:system_r:httpd_dirsrvadmin_script_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file

Comment 13 Miroslav Grepl 2013-04-30 21:19:22 UTC

Ok, it looks it is executed by different way against RHEL6.5 where we have this working without these rules.

Is it working with a local policy with these rules?

Comment 14 Ján Rusnačko 2013-05-02 11:49:27 UTC

When I build local policy with those rules:

[jrusnack@dstet ~]$ audit2allow -M adminpol -R < avc 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i adminpol.pp

[jrusnack@dstet ~]$ sudo semodule -i adminpol.pp 
re-test
[jrusnack@dstet ~]$ sudo ausearch -m avc -ts recent
<no matches>

When I set enforcing mode, admin log does NOT contain Permission denied as it did. So, with local policy this works.

Comment 15 Miroslav Grepl 2013-05-07 10:06:07 UTC

Where is the restorecon called exactly?

Comment 16 Ján Rusnačko 2013-05-07 10:55:32 UTC

In /etc/init.d/dirsrv-admin script:

[jrusnack@dstet ~]$ cat /etc/init.d/dirsrv-admin | grep -n -C 5 restorecon
163-            RETVAL=1
164-        fi
165-    fi
166-    [ $RETVAL -eq 0 -a -d /var/lock/subsys ] && touch $lockfile
167-    if [ -f $lockfile ]; then
168:        restorecon $lockfile
169-    fi
170-}
171-
172-stop() {
173-    if [ ! -f $stop_script ]; then

Comment 17 Miroslav Grepl 2013-05-07 11:06:42 UTC

Hmm, why we don't see it in RHEL6.5. So an apache script executes this init script, right?

Comment 18 Ján Rusnačko 2013-05-07 11:15:02 UTC

On 04/26/2013 11:19 PM, Nathan Kinder wrote:
Console invokes the restart CGI, which calls the service command. 

So yes.

Comment 20 Miroslav Grepl 2013-05-09 06:36:32 UTC

Fixed in selinux-policy-3.7.19-195.el6_4.5

Comment 21 Ján Rusnačko 2013-05-09 08:50:42 UTC

(In reply to comment #20)
> Fixed in selinux-policy-3.7.19-195.el6_4.5

Works great for me, thank you ! Admin server restarts from console and I don`t see Permission denied in logs.

Comment 24 errata-xmlrpc 2013-05-20 14:43:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0835.html

Note You need to log in before you can comment on or make changes to this bug.