RHEL-29799

SELinux policy violations pmie and pmlogger with nsfs_t

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-9.5
    • rhel-9.5
    • pcp
    • None
    • pcp-6.2.2-1.el9
    • Normal
    • Customer Reported
    • sst_pt_pcp
    • ssg_platform_tools
    • 22
    • 1
    • QE ack, Dev ack
    • False
    • Red Hat Enterprise Linux
    • PCP Sprint 3, PCP Sprint 5
    • x86_64

      What were you trying to do that didn't work?

      *SELinux violations pmie and pmlogger with nsfs_t*

      Please provide the package NVR for which bug is seen:

      *selinux-policy-38.1.23-1.el9_3.2.noarch Sat Feb 17 20:09:16 2024*

      How reproducible:

      ~~~
      $ sudo audit2allow -a
      #============= pcp_pmie_t ==============
      allow pcp_pmie_t nsfs_t:file getattr;

      #============= pcp_pmlogger_t ==============
      allow pcp_pmlogger_t nsfs_t:file getattr;
      ~~~

      ~~~
      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo ausearch -i -m avc,user_avc -ts today -se pcp_pmie_t | tail -n10
      node=li-lc-2859 type=PATH msg=audit(03/12/2024 13:58:29.629:10436) : item=0 name=/proc/163187/ns/uts inode=4026531838 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      node=li-lc-2859 type=CWD msg=audit(03/12/2024 13:58:29.629:10436) : cwd=/var/lib/pcp
      node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 13:58:29.629:10436) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fffbdb727e0 a2=0x7fffbdb72820 a3=0x0 items=1 ppid=163116 pid=163187 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
      node=li-lc-2859 type=AVC msg=audit(03/12/2024 13:58:29.629:10436) : avc: denied { getattr } for pid=163187 comm=pstree path=uts:[4026531838] dev="nsfs" ino=4026531838 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
      ----
      node=li-lc-2859 type=PROCTITLE msg=audit(03/12/2024 13:58:29.630:10437) : proctitle=pstree -asp 163116
      node=li-lc-2859 type=PATH msg=audit(03/12/2024 13:58:29.630:10437) : item=0 name=/proc/163187/ns/time inode=4026531834 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      node=li-lc-2859 type=CWD msg=audit(03/12/2024 13:58:29.630:10437) : cwd=/var/lib/pcp
      node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 13:58:29.630:10437) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fffbdb727e0 a2=0x7fffbdb72820 a3=0x0 items=1 ppid=163116 pid=163187 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
      node=li-lc-2859 type=AVC msg=audit(03/12/2024 13:58:29.630:10437) : avc: denied { getattr } for pid=163187 comm=pstree path=time:[4026531834] dev="nsfs" ino=4026531834 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo ausearch -i -m avc,user_avc -ts today -se pcp_pmlogger_t | tail -n10
      node=li-lc-2859 type=PATH msg=audit(03/12/2024 14:25:05.454:57162) : item=0 name=/proc/171997/ns/uts inode=4026531838 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      node=li-lc-2859 type=CWD msg=audit(03/12/2024 14:25:05.454:57162) : cwd=/var/lib/pcp
      node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 14:25:05.454:57162) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff32da29a0 a2=0x7fff32da29e0 a3=0x0 items=1 ppid=171963 pid=171997 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
      node=li-lc-2859 type=AVC msg=audit(03/12/2024 14:25:05.454:57162) : avc: denied { getattr } for pid=171997 comm=pstree path=uts:[4026531838] dev="nsfs" ino=4026531838 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0


      node=li-lc-2859 type=PROCTITLE msg=audit(03/12/2024 14:25:05.454:57163) : proctitle=pstree -asp 171963
      node=li-lc-2859 type=PATH msg=audit(03/12/2024 14:25:05.454:57163) : item=0 name=/proc/171997/ns/time inode=4026531834 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      node=li-lc-2859 type=CWD msg=audit(03/12/2024 14:25:05.454:57163) : cwd=/var/lib/pcp
      node=li-lc-2859 type=SYSCALL msg=audit(03/12/2024 14:25:05.454:57163) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff32da29a0 a2=0x7fff32da29e0 a3=0x0 items=1 ppid=171963 pid=171997 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pstree exe=/usr/bin/pstree subj=system_u:system_r:pcp_pmlogger_t:s0 key=(null)
      node=li-lc-2859 type=AVC msg=audit(03/12/2024 14:25:05.454:57163) : avc: denied { getattr } for pid=171997 comm=pstree path=time:[4026531834] dev="nsfs" ino=4026531834 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $
      ~~~

      The SELinux AVCs are seen even on a server that has no NFS mounts:
      ~~~
      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ findmnt -tnfs4,nfs

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $
      ~~~

      Reproducer is to restart pmie and pmlogger:

      ~~~
      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo find /var/log/audit -type f -ls -delete
      17261634 102408 r------- 1 root root 104857649 Jan 28 21:25 /var/log/audit/audit.log.6
      17261633 102408 r------- 1 root root 104857646 Feb 7 00:55 /var/log/audit/audit.log.5
      17261637 102408 r------- 1 root root 104857799 Feb 16 05:55 /var/log/audit/audit.log.4
      17261310 102408 r------- 1 root root 104857648 Feb 25 09:25 /var/log/audit/audit.log.3
      17261639 102408 r------- 1 root root 104857787 Mar 5 12:55 /var/log/audit/audit.log.2
      17459039 102408 r------- 1 root root 104857605 Mar 12 04:55 /var/log/audit/audit.log.1
      17260963 66112 rw------ 1 root root 51300282 Mar 12 14:28 /var/log/audit/audit.log

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo service auditd restart
      Stopping logging:
      Redirecting start to /bin/systemctl start auditd.service

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo audit2allow -a

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo systemctl restart pmie pmlogger

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $ sudo audit2allow -a

      #============= pcp_pmie_t ==============
      allow pcp_pmie_t nsfs_t:file getattr;

      #============= pcp_pmlogger_t ==============
      allow pcp_pmlogger_t nsfs_t:file getattr;

      [VMWare] vrempet-admin@test@li-lc-2859 ~
      $
      ~~~
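The reproducer above relies on `audit2allow -a` to collapse the raw AVC records into per-domain allow rules. The following Python script is an added illustration (not the reporter's, the PCP project's, or the selinux-policy maintainers' code) of that same aggregation step, run over constructed sample lines shaped like the `ausearch -i` output in this report. It also pulls out the `dev="nsfs"` field from each denial, which is the practical check that the `nsfs_t` target is the kernel namespace filesystem behind `/proc/PID/ns/*` (as the PATH records show) and not anything to do with NFS, so the absence of NFS mounts is expected. The function names and the exact record set are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: four AVC records in `ausearch -i` (interpreted) format,
# modelled on the pmie and pmlogger denials in this report. Not a real capture.
SAMPLE_AVC_LINES = """\
node=li-lc-2859 type=AVC msg=audit(03/12/2024 13:58:29.629:10436) : avc: denied { getattr } for pid=163187 comm=pstree path=uts:[4026531838] dev="nsfs" ino=4026531838 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
node=li-lc-2859 type=AVC msg=audit(03/12/2024 13:58:29.630:10437) : avc: denied { getattr } for pid=163187 comm=pstree path=time:[4026531834] dev="nsfs" ino=4026531834 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
node=li-lc-2859 type=AVC msg=audit(03/12/2024 14:25:05.454:57162) : avc: denied { getattr } for pid=171997 comm=pstree path=uts:[4026531838] dev="nsfs" ino=4026531838 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
node=li-lc-2859 type=AVC msg=audit(03/12/2024 14:25:05.454:57163) : avc: denied { getattr } for pid=171997 comm=pstree path=time:[4026531834] dev="nsfs" ino=4026531834 scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted (dev="nsfs") or bare (path=uts:[4026531838])
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one interpreted AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": sorted(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "dev": fields.get("dev"),
        # user:role:type:level -> the type is the third component
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }


def summarize(lines):
    """Group denials by (source type, target type, class) and merge their permissions.

    This is the aggregation audit2allow performs before printing rules such as
    `allow pcp_pmie_t nsfs_t:file getattr;`.
    """
    rules = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}


def format_rules(rules):
    """Render the aggregated map as audit2allow-style allow statements, sorted by domain."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def namespace_denials(lines):
    """Return the parsed denials whose object lives on nsfs, the namespace pseudo-filesystem.

    dev="nsfs" together with a path like uts:[inode] identifies a /proc/PID/ns/* entry;
    this is why nsfs_t shows up on a host with no NFS mounts at all.
    """
    recs = (parse_avc(line) for line in lines.splitlines())
    return [r for r in recs if r is not None and r["dev"] == "nsfs"]


def namespace_kinds(lines):
    """Which namespace types (uts, time, ...) the denied process tried to stat."""
    kinds = {r["path"].split(":", 1)[0] for r in namespace_denials(lines) if r["path"]}
    return sorted(kinds)


if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE_AVC_LINES)):
        print(rule)
    print("namespaces touched:", ", ".join(namespace_kinds(SAMPLE_AVC_LINES)))
```

Run against a live system the same logic applies to `sudo ausearch -i -m avc,user_avc -ts today` piped into the script; the value of doing it by hand rather than with `audit2allow` is that you keep the `comm`, `path` and `dev` fields that explain the denial (here: `pstree` stat-ing `/proc/PID/ns/uts` and `/proc/PID/ns/time` on `nsfs`), which is what a policy maintainer needs to decide whether the correct fix is an allow rule or a dontaudit.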

      Expected results

      Actual results

            nathans@redhat.com Nathan Scott
            rhn-support-rdulhani Rajesh Dulhani
            pcp-maint pcp-maint
            Jan Kurik Jan Kurik
            Jacob Valdez Jacob Valdez