Bug 1516843 - certain files under /proc/sys cannot be copied to /var/tmp
Summary: certain files under /proc/sys cannot be copied to /var/tmp
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-23 12:39 UTC by Tereza Cerna
Modified: 2019-03-14 10:43 UTC

Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1614209 (view as bug list)
Environment:
Last Closed: 2019-03-14 10:43:13 UTC



Description Tereza Cerna 2017-11-23 12:39:22 UTC
During processing of my test cases on tuned, I found an AVC message. Can you repair it?

   metric: 0
   Log: /tmp/tmp.WuksTOZEFq
    Info: Searching AVC errors produced since 1511409604.7 (Thu Nov 23 09:30:04 2017)
     Searching logs...
     Fail: AVC messages found.
     Checking for errors...
     Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
     Fail: AVC messages found.
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.CHXvAm
:
'9f35dcf7-db46-454c-8e56-787133df564a'
Setup/avc result: FAIL

Can this AVC message be removed?

See log:
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2017/11/21590/2159003/4496769/64370111/TESTOUT.log

Found in test case:
/CoreOS/tuned/Regression/kernel-numa-balancing-in-sap-profiles

Comment 2 Milos Malik 2017-11-23 12:58:04 UTC
Extracted from AVC log files
http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2017/11/21590/2159003/4496769/64370111/
----
time->Thu Nov 23 09:30:08 2017
type=PROCTITLE msg=audit(1511409608.313:135): proctitle=6370002D6661002F70726F632F7379732F6B65726E656C2F6E756D615F62616C616E63696E67002F7661722F746D702F6265616B65726C69622D36343337303131312F6261636B75702F70726F632F7379732F6B65726E656C
type=SYSCALL msg=audit(1511409608.313:135): arch=c000003e syscall=2 success=no exit=-13 a0=d288f0 a1=c1 a2=180 a3=7ffcf8e004c0 items=0 ppid=29262 pid=29744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/usr/bin/cp" subj=system_u:unconfined_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1511409608.313:135): avc:  denied  { associate } for  pid=29744 comm="cp" name="numa_balancing" scontext=system_u:object_r:sysctl_kernel_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----

Comment 4 Milos Malik 2018-06-11 07:55:15 UTC
# mktemp -d
/tmp/tmp.ENhnnhwGWy
# cd /tmp/tmp.ENhnnhwGWy
# for I in `find /proc/sys -type f ` ; do cp -fa $I . ; done

Above-mentioned reproducer causes various SELinux denials. audit2allow says that the following rules are needed:

allow proc_security_t fs_t:filesystem associate;
allow sysctl_crypto_t fs_t:filesystem associate;
allow sysctl_dev_t fs_t:filesystem associate;
allow sysctl_kernel_t fs_t:filesystem associate;
allow sysctl_net_t fs_t:filesystem associate;
allow sysctl_net_unix_t fs_t:filesystem associate;
allow sysctl_vm_overcommit_t fs_t:filesystem associate;
allow sysctl_vm_t fs_t:filesystem associate;
allow usermodehelper_t fs_t:filesystem associate;

Reason for adding these rules: to enable the back-up of certain files located under /proc/sys

Comment 5 Milos Malik 2018-06-11 09:10:35 UTC
Very similar situation under /proc/irq:

# for I in `find /proc/irq -type f ` ; do cp -fa $I . ; done

SELinux denials like this are generated:
----
type=PROCTITLE msg=audit(06/11/2018 11:06:56.070:1384) : proctitle=cp -i -fa /proc/irq/default_smp_affinity . 
type=PATH msg=audit(06/11/2018 11:06:56.070:1384) : item=0 name=./ inode=17411378 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:06:56.070:1384) : cwd=/tmp/tmp.0aLnvXdRqR 
type=SYSCALL msg=audit(06/11/2018 11:06:56.070:1384) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0xf838f0 a1=O_WRONLY|O_CREAT|O_EXCL a2=0600 a3=0x7ffca287b2e0 items=1 ppid=1383 pid=16555 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=cp exe=/usr/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:06:56.070:1384) : avc:  denied  { associate } for  pid=16555 comm=cp name=default_smp_affinity scontext=system_u:object_r:sysctl_irq_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 
----

Comment 6 Milos Malik 2018-06-11 09:19:06 UTC
Similar situation in the /proc directory:

# for I in `find /proc -maxdepth 1 -type f` ; do cp -fa $I . ; done

SELinux denials like this are generated:
----
type=PROCTITLE msg=audit(06/11/2018 11:16:50.504:1386) : proctitle=cp -i -fa /proc/kcore . 
type=PATH msg=audit(06/11/2018 11:16:50.504:1386) : item=0 name=./ inode=17411378 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:16:50.504:1386) : cwd=/tmp/tmp.0aLnvXdRqR 
type=SYSCALL msg=audit(06/11/2018 11:16:50.504:1386) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x19eb8f0 a1=O_WRONLY|O_CREAT|O_EXCL a2=0400 a3=0x7fff52221820 items=1 ppid=1383 pid=17570 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=cp exe=/usr/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:16:50.504:1386) : avc:  denied  { associate } for  pid=17570 comm=cp name=kcore scontext=system_u:object_r:proc_kcore_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(06/11/2018 11:16:50.514:1387) : proctitle=cp -i -fa /proc/mdstat . 
type=PATH msg=audit(06/11/2018 11:16:50.514:1387) : item=0 name=./ inode=17411378 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:16:50.514:1387) : cwd=/tmp/tmp.0aLnvXdRqR 
type=SYSCALL msg=audit(06/11/2018 11:16:50.514:1387) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x1e2b8f0 a1=O_WRONLY|O_CREAT|O_EXCL a2=0400 a3=0x7ffd82979ba0 items=1 ppid=1383 pid=17574 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=cp exe=/usr/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:16:50.514:1387) : avc:  denied  { associate } for  pid=17574 comm=cp name=mdstat scontext=system_u:object_r:proc_mdstat_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 
----
type=PROCTITLE msg=audit(06/11/2018 11:16:50.484:1385) : proctitle=cp -i -fa /proc/kmsg . 
type=PATH msg=audit(06/11/2018 11:16:50.484:1385) : item=0 name=./ inode=17411378 dev=fd:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(06/11/2018 11:16:50.484:1385) : cwd=/tmp/tmp.0aLnvXdRqR 
type=SYSCALL msg=audit(06/11/2018 11:16:50.484:1385) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x178c8f0 a1=O_WRONLY|O_CREAT|O_EXCL a2=0400 a3=0x7ffe2b410960 items=1 ppid=1383 pid=17563 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=cp exe=/usr/bin/cp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/11/2018 11:16:50.484:1385) : avc:  denied  { associate } for  pid=17563 comm=cp name=kmsg scontext=system_u:object_r:proc_kmsg_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 
----

Comment 7 Milos Malik 2018-06-11 11:58:14 UTC
# mktemp -d
/tmp/tmp.zgrQfKic8V
# cd /tmp/tmp.zgrQfKic8V
# touch pokus
# for I in `seinfo -aproc_type -x | grep -v proc_type` ; do chcon system_u:object_r:$I:s0 ./pokus ; done
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_afs_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_kcore_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_kmsg_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_mdstat_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_net_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_numa_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:proc_security_t:s0’: Permission denied
chcon: failed to change context of ‘./pokus’ to ‘system_u:object_r:usermodehelper_t:s0’: Permission denied
# 

The following rules should be added to the policy:

allow proc_afs_t fs_t:filesystem associate;
allow proc_kcore_t fs_t:filesystem associate;
allow proc_kmsg_t fs_t:filesystem associate;
allow proc_mdstat_t fs_t:filesystem associate;
allow proc_net_t fs_t:filesystem associate;
allow proc_numa_t fs_t:filesystem associate;
allow proc_security_t fs_t:filesystem associate;
allow usermodehelper_t fs_t:filesystem associate;

Comment 10 Milos Malik 2018-08-09 09:34:56 UTC
The automated TC triggers a lot of SELinux denials. audit2allow says that the following rules are missing:

#============= bdev_t ==============
allow bdev_t fs_t:filesystem associate;

#============= configfs_t ==============
allow configfs_t fs_t:filesystem associate;

#============= cpusetfs_t ==============
allow cpusetfs_t fs_t:filesystem associate;

#============= futexfs_t ==============
allow futexfs_t fs_t:filesystem associate;

#============= httpd_bool_t ==============
allow httpd_bool_t fs_t:filesystem associate;

#============= ibmasmfs_t ==============
allow ibmasmfs_t fs_t:filesystem associate;

#============= infinibandeventfs_t ==============
allow infinibandeventfs_t fs_t:filesystem associate;

#============= inotifyfs_t ==============
allow inotifyfs_t fs_t:filesystem associate;

#============= kvmfs_t ==============
allow kvmfs_t fs_t:filesystem associate;

#============= mvfs_t ==============
allow mvfs_t fs_t:filesystem associate;

#============= nsfs_t ==============
allow nsfs_t fs_t:filesystem associate;

#============= oprofilefs_t ==============
allow oprofilefs_t fs_t:filesystem associate;

#============= proc_afs_t ==============
allow proc_afs_t fs_t:filesystem associate;

#============= proc_kcore_t ==============
allow proc_kcore_t fs_t:filesystem associate;

#============= proc_kmsg_t ==============
allow proc_kmsg_t fs_t:filesystem associate;

#============= proc_mdstat_t ==============
allow proc_mdstat_t fs_t:filesystem associate;

#============= proc_net_t ==============
allow proc_net_t fs_t:filesystem associate;

#============= proc_numa_t ==============
allow proc_numa_t fs_t:filesystem associate;

#============= proc_security_t ==============
allow proc_security_t fs_t:filesystem associate;

#============= romfs_t ==============
allow romfs_t fs_t:filesystem associate;

#============= sysctl_crypto_t ==============
allow sysctl_crypto_t fs_t:filesystem associate;

#============= sysctl_dev_t ==============
allow sysctl_dev_t fs_t:filesystem associate;

#============= sysctl_irq_t ==============
allow sysctl_irq_t fs_t:filesystem associate;

#============= sysctl_net_t ==============
allow sysctl_net_t fs_t:filesystem associate;

#============= sysctl_net_unix_t ==============
allow sysctl_net_unix_t fs_t:filesystem associate;

#============= sysctl_rpc_t ==============
allow sysctl_rpc_t fs_t:filesystem associate;

#============= sysctl_vm_overcommit_t ==============
allow sysctl_vm_overcommit_t fs_t:filesystem associate;

#============= sysctl_vm_t ==============
allow sysctl_vm_t fs_t:filesystem associate;

#============= tracefs_t ==============
allow tracefs_t fs_t:filesystem associate;

#============= usermodehelper_t ==============
allow usermodehelper_t fs_t:filesystem associate;

# rpm -qa selinux\* | sort
selinux-policy-3.13.1-214.el7.noarch
selinux-policy-devel-3.13.1-214.el7.noarch
selinux-policy-doc-3.13.1-214.el7.noarch
selinux-policy-minimum-3.13.1-214.el7.noarch
selinux-policy-mls-3.13.1-214.el7.noarch
selinux-policy-sandbox-3.13.1-214.el7.noarch
selinux-policy-targeted-3.13.1-214.el7.noarch
#
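
Every denial in comments 2, 5, 6 and 10 has the same shape: tclass=filesystem, permission associate, scontext a procfs or sysctl file type, tcontext fs_t. The associate permission decides whether a file of a given type may exist on a filesystem of the target type at all. cp -a expands to --preserve=all, which includes the SELinux context, so cp sets the source label (sysctl_kernel_t, proc_kcore_t, ...) as the file-creation context before the open(O_CREAT) on the ext4/xfs-backed tmp directory; the policy has no rule allowing that type on fs_t, and the open fails with EACCES before any data is written. The Python script below is an added example written for this page, not code from the bug report or from selinux-policy: it parses AVC records in both the raw audit form (comment 2) and the ausearch -i form (comments 5 and 6), collapses them into audit2allow-style allow rules like those in comments 4, 7 and 10, and separately flags the associate denials so they can be recognised as a label-preservation problem rather than a process-permission problem. The sample records are copied from the denials in this thread, plus one constructed non-associate denial (foo_t/bar_t, not from the thread) for contrast.

```python
import re
from collections import defaultdict

# Sample AVC records. The first three are copied from this thread (raw audit
# form and the `ausearch -i` interpreted form); the last one is constructed
# for contrast and does not appear in the bug report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1511409608.313:135): avc:  denied  { associate } for  pid=29744 '
    'comm="cp" name="numa_balancing" scontext=system_u:object_r:sysctl_kernel_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem',
    'type=AVC msg=audit(06/11/2018 11:06:56.070:1384) : avc:  denied  { associate } for  '
    'pid=16555 comm=cp name=default_smp_affinity scontext=system_u:object_r:sysctl_irq_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0',
    'type=AVC msg=audit(06/11/2018 11:16:50.504:1386) : avc:  denied  { associate } for  '
    'pid=17570 comm=cp name=kcore scontext=system_u:object_r:proc_kcore_t:s0 '
    'tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0',
    # constructed, not from the thread: an ordinary process-on-file denial
    'type=AVC msg=audit(1511409700.000:200): avc:  denied  { read write } for  pid=1 '
    'comm="foo" scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:bar_t:s0 '
    'tclass=file permissive=0',
]

# Matches both audit formats: the permission set inside braces, then the
# scontext/tcontext/tclass triple that every AVC record carries.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def allow_rules(lines):
    """Collapse denials into audit2allow-style rules, one per (stype, ttype, tclass).

    Permissions for the same triple are merged into a single brace set, sorted,
    so repeated runs of the reproducer do not produce duplicate rules.
    """
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            perms[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (stype, ttype, tclass), p in sorted(perms.items()):
        p = sorted(p)
        body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules


def label_preservation_denials(lines):
    """Return (file type, filesystem type) pairs for `filesystem associate` denials.

    These are not about what the process may do; they say the file's own label
    is not permitted on that filesystem type. In this thread they come from
    `cp -a` preserving a procfs/sysctl label onto an fs_t filesystem.
    """
    out = []
    for line in lines:
        d = parse_avc(line)
        if d and d['tclass'] == 'filesystem' and 'associate' in d['perms']:
            out.append((d['stype'], d['ttype']))
    return out


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for stype, ttype in label_preservation_denials(SAMPLE_AVCS):
        print(f'# {stype} cannot be placed on a {ttype} filesystem (label preservation)')
```

Until the policy carries the missing rule, the copy itself can be taken with cp -a --no-preserve=context (or --preserve=mode,ownership,timestamps), which lets the new file take the default label of the destination directory instead of the procfs label. Whether a given type already has the permission can be checked with sesearch -A -s sysctl_kernel_t -t fs_t -c filesystem -p associate, which is what the chcon loop in comment 7 probes empirically.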

Comment 13 Zdenek Pytela 2019-03-14 10:43:13 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

