Bug 965140 - amandad runs as init_t when amanda.socket is active
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 1004161
Reported: 2013-05-20 09:46 EDT by Milos Malik
Modified: 2014-06-17 22:21 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-13 08:27:36 EDT
Type: Bug
Attachments: None
Description Milos Malik 2013-05-20 09:46:36 EDT
Description of problem:


Version-Release number of selected component (if applicable):
amanda-3.3.3-1.el7.x86_64
amanda-client-3.3.3-1.el7.x86_64
amanda-server-3.3.3-1.el7.x86_64
selinux-policy-3.12.1-44.el7.noarch
selinux-policy-devel-3.12.1-44.el7.noarch
selinux-policy-doc-3.12.1-44.el7.noarch
selinux-policy-minimum-3.12.1-44.el7.noarch
selinux-policy-mls-3.12.1-44.el7.noarch
selinux-policy-targeted-3.12.1-44.el7.noarch

How reproducible:
always

Steps to Reproduce:
# systemctl enable amanda.socket
ln -s '/usr/lib/systemd/system/amanda.socket' '/etc/systemd/system/sockets.target.wants/amanda.socket'
# systemctl start amanda.socket
# systemctl status amanda.socket
amanda.socket - Amanda Activation Socket
       Loaded: loaded (/usr/lib/systemd/system/amanda.socket; enabled)
       Active: active (listening) since Mon 2013-05-20 15:40:02 CEST; 3s ago
       Listen: [::]:10080 (Stream)
     Accepted: 0; Connected: 0

May 20 15:40:02 rhel7 systemd[1]: Listening on Amanda Activation Socket.

# nc 127.0.0.1 10080 &
[1] 16109
# 

[1]+  Stopped                 nc 127.0.0.1 10080
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+ 16110     1  0 15:41 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16112 7103  0 15:41 pts/1 00:00:00 grep --color=auto amanda
# fg
nc 127.0.0.1 10080
^C
#

Actual results:
 * amandad runs as init_t

Expected results:
 * amandad runs as amanda_t (or another amanda* domain)
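The check below is an added example, not part of the bug report: it scans `ps -efZ` output for processes that systemd started but that never left the init_t domain, which is exactly the symptom shown above. The sample input is constructed after the report's own output; on a real host pipe `ps -efZ` into the same function.

```shell
#!/bin/sh
# Added example (not from the bug report). Reads `ps -efZ` lines on stdin and
# prints "<pid> <exe>" for every process whose SELinux type is init_t, except
# PID 1 itself (systemd legitimately runs as init_t). A daemon listed here
# was launched by systemd without a domain transition, as amandad is here.

# Constructed sample of `ps -efZ` output modelled on the report: systemd is
# fine in init_t, sshd transitioned to sshd_t, amandad got stuck in init_t.
SAMPLE_PS='LABEL                           UID        PID  PPID  C STIME TTY          TIME CMD
system_u:system_r:init_t:s0     root         1     0  0 15:30 ?        00:00:00 /usr/lib/systemd/systemd --switched-root
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 912 1  0 15:30 ?        00:00:00 /usr/sbin/sshd -D
system_u:system_r:init_t:s0     amandab+ 16110     1  0 15:41 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16112 7103  0 15:41 pts/1 00:00:00 grep --color=auto amanda'

# Column layout of `ps -efZ`: LABEL UID PID PPID C STIME TTY TIME CMD
# The label is user:role:type:level, so the type is the third colon field.
stuck_in_init_t() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == "init_t" && $3 != 1)
            print $3, $9
    }'
}

# Run the check against the constructed sample (used by the test below).
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | stuck_in_init_t
}

# Run the check against the live process table of this host.
check_live() {
    ps -efZ | stuck_in_init_t
}
```

An empty result from `check_live` means every systemd-started daemon moved to its own domain; any line printed names a service whose policy lacks a transition from init_t.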
Comment 1 Miroslav Grepl 2013-05-20 10:14:02 EDT
We need more fixes to add systemd support for amanda.
Comment 2 Miroslav Grepl 2013-05-20 11:04:28 EDT
Added.

commit a8eedc8fa948f3e6d58c688a99b34fe3bf57c516
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon May 20 17:04:04 2013 +0200

    Add systemd support for amandad
Comment 3 Milos Malik 2013-06-05 06:34:22 EDT
The following AVC appears on my machine when the prelink cron job is running:
----
type=PATH msg=audit(06/05/2013 03:46:46.113:456973) : item=0 name=chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 03:46:46.113:456973) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2013 03:46:46.113:456973) : arch=x86_64 syscall=newfstatat success=no exit=-13(Permission denied) a0=4 a1=0x1ddad8b a2=0x7fff14bd9b60 a3=0x100 items=1 ppid=18628 pid=18637 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=3484 tty=(none) comm=prelink exe=/usr/sbin/prelink subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 03:46:46.113:456973) : avc:  denied  { getattr } for  pid=18637 comm=prelink path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----
Comment 4 Milos Malik 2013-06-05 10:26:00 EDT
amanda_exec_t is a "how dare you touch me" type :-) Even the following command executed by root triggers an AVC:

# matchpathcon /usr/lib64/amanda/chg-lib.sh
/usr/lib64/amanda/chg-lib.sh	system_u:object_r:amanda_exec_t:s0
#

----
type=PATH msg=audit(06/05/2013 16:20:57.504:1047) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 16:20:57.504:1047) :  cwd=/ 
type=SYSCALL msg=audit(06/05/2013 16:20:57.504:1047) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=0x7fb78009d870 a1=0x7fb788084d00 a2=0x7fb788084d00 a3=0x62696c2f7273752f items=1 ppid=1 pid=2564 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=unset tty=(none) comm=setroubleshootd exe=/usr/bin/python2.7 subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 16:20:57.504:1047) : avc:  denied  { getattr } for  pid=2564 comm=setroubleshootd path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----
Comment 5 Milos Malik 2013-06-05 10:28:29 EDT
----
type=PATH msg=audit(06/05/2013 16:20:53.742:1043) : item=0 name=/usr/lib64/amanda/chg-lib.sh inode=2764901 dev=08:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:amanda_exec_t:s0 
type=CWD msg=audit(06/05/2013 16:20:53.742:1043) :  cwd=/root 
type=SYSCALL msg=audit(06/05/2013 16:20:53.742:1043) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7fff2440f315 a1=0x7fff2440d860 a2=0x7fff2440d860 a3=0x1 items=1 ppid=17219 pid=2557 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root ses=7 tty=pts0 comm=matchpathcon exe=/usr/sbin/matchpathcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/05/2013 16:20:53.742:1043) : avc:  denied  { getattr } for  pid=2557 comm=matchpathcon path=/usr/lib64/amanda/chg-lib.sh dev="sda4" ino=2764901 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:amanda_exec_t:s0 tclass=file 
----
Comment 6 Miroslav Grepl 2013-06-10 07:59:28 EDT
# rpm -q selinux-policy
Comment 7 Milos Malik 2013-06-10 08:02:28 EDT
selinux-policy-devel-3.12.1-48.el7.noarch
selinux-policy-doc-3.12.1-48.el7.noarch
selinux-policy-minimum-3.12.1-48.el7.noarch
selinux-policy-3.12.1-48.el7.noarch
selinux-policy-targeted-3.12.1-48.el7.noarch
selinux-policy-mls-3.12.1-48.el7.noarch
Comment 8 Milos Malik 2013-06-11 03:57:21 EDT
selinux-policy-devel-3.12.1-49.el7.noarch
selinux-policy-doc-3.12.1-49.el7.noarch
selinux-policy-mls-3.12.1-49.el7.noarch
selinux-policy-minimum-3.12.1-49.el7.noarch
selinux-policy-3.12.1-49.el7.noarch
selinux-policy-targeted-3.12.1-49.el7.noarch

  PID USER     CONTEXT                         COMMAND
26480 amandab+ system_u:system_r:init_t:s0     /usr/sbin/amandad -auth=bsdtcp amdump
Comment 9 Miroslav Grepl 2013-06-11 07:49:49 EDT
Ok, there is a bug, definitely. Trying to find what is wrong with the policy.
Comment 10 Miroslav Grepl 2013-06-11 08:22:34 EDT
Fixed in selinux-policy-3.12.1-50.fc19
Comment 11 Milos Malik 2013-07-09 08:20:42 EDT
There are no AVCs but amandad runs with incorrect context:

  PID USER     CONTEXT                         COMMAND
15425 amandab+ system_u:system_r:init_t:s0     /usr/sbin/amandad -auth=bsdtcp amdump

# rpm -qa selinux-policy\*
selinux-policy-minimum-3.12.1-59.el7.noarch
selinux-policy-mls-3.12.1-59.el7.noarch
selinux-policy-3.12.1-59.el7.noarch
selinux-policy-doc-3.12.1-59.el7.noarch
selinux-policy-devel-3.12.1-59.el7.noarch
selinux-policy-targeted-3.12.1-59.el7.noarch
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
#
Comment 12 Miroslav Grepl 2013-07-10 04:53:02 EDT
I see

# ps -efZ |grep amanda
system_u:system_r:amanda_t:s0   amandab+ 12238     1  0 10:51 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump


Do you have the same reproducer as before?
Comment 14 Miroslav Grepl 2013-07-12 04:01:34 EDT
Could you try to run it by hand?
Comment 15 Milos Malik 2013-07-12 04:38:19 EDT
First terminal
========
# tail -f - | ncat 127.0.0.1 10080
tail: warning: following standard input indefinitely is ineffective

Second terminal
==========
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  9680     1  0 10:36 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 9682 9629  0 10:37 pts/1 00:00:00 grep --color=auto amanda
#
Comment 16 Miroslav Grepl 2013-07-22 04:25:48 EDT
Milos,
do you have a machine with RHEL7 where I could try to test it? I am not able to reproduce it on my virtual machine.
Comment 17 Miroslav Grepl 2013-07-30 17:17:50 EDT
Petr,
do you see this problem?
Comment 18 Petr Hracek 2013-07-31 03:33:12 EDT
Currently not.
I am seeing the problem for the first time.
To be sure, I added a guy from the systemd team.
Comment 19 Petr Hracek 2013-08-01 08:58:44 EDT
Well, I installed the selinux and amanda packages on my RHEL-7 virtual machine, and the installed packages are:

amanda-client-3.3.3-4.el7.x86_64
amanda-3.3.3-4.el7.x86_64
amanda-server-3.3.3-4.el7.x86_64
selinux-policy-3.12.1-65.el7.noarch
selinux-policy-targeted-3.12.1-65.el7.noarch
libselinux-2.1.13-16.el7.x86_64
libselinux-python-2.1.13-16.el7.x86_64
libselinux-utils-2.1.13-16.el7.x86_64
# ps -efZ | grep amanda
system_u:system_r:init_t:s0     amandab+  2815     1  0 08:55 ?        00:00:00 /usr/sbin/amandad -auth=bsdtcp amdump
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2817 2752  0 08:56 pts/1 00:00:00 grep --color=auto amanda
# 

I can send you the IP address of my RHEL-7 VM over ping.
Comment 20 Miroslav Grepl 2013-08-01 09:06:32 EDT
Yes, it would be great.
Comment 21 Miroslav Grepl 2013-08-01 10:19:54 EDT
Does it work with

# chcon -t amanda_exec_t /usr/sbin/amandad
Comment 22 Miroslav Grepl 2013-08-01 10:21:36 EDT
Actually no.

# ls -Z /usr/sbin/amandad
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /usr/sbin/amandad -> /usr/lib64/amanda/amandad

# ls -Z /usr/lib64/amanda/amandad
-rwxr-xr-x. root root system_u:object_r:amanda_exec_t:s0 /usr/lib64/amanda/amandad
Comment 25 Ludek Smid 2014-06-13 08:27:36 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
