- Bug
- Resolution: Done-Errata
- Normal
- rhel-8.8.0
- selinux-policy-3.14.3-134.el8
- rhel-sst-security-selinux
- ssg_security
- 21
- QE ack, Dev ack
- False
- Yes
- Bug Fix
- Done
What were you trying to do that didn't work?
Running a script using rsyslog's omprog module, I want to be able to send a HUP signal to the rsyslog service so it does not clean up.
Please provide the package NVR for which bug is seen:
rsyslog-8.2102.0-13.el8.x86_64
selinux-policy-3.14.3-117.el8.noarch
possibly even older - did not try
How reproducible:
100%
Steps to reproduce
- set up omprog to run a script which calls systemctl --signal=HUP kill rsyslog
- let it be triggered by some message
Expected results
no AVC
Actual results
[0 root@sopos-rhel8-brq ~]# ausearch -m avc -ts recent
----
time->Wed Sep 27 15:13:34 2023
type=PROCTITLE msg=audit(1695820414.146:1410): proctitle=2F7573722F62696E2F73797374656D63746C002D2D7369676E616C3D485550006B696C6C00727379736C6F67
type=PATH msg=audit(1695820414.146:1410): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=8519390 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1695820414.146:1410): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1695820414.146:1410): cwd="/"
type=EXECVE msg=audit(1695820414.146:1410): argc=4 a0="/usr/bin/systemctl" a1="--signal=HUP" a2="kill" a3="rsyslog"
type=BPRM_FCAPS msg=audit(1695820414.146:1410): fver=0 fp=0 fi=0 fe=0 old_pp=000001fffffeffff old_pi=0 old_pe=000001fffffeffff old_pa=0 pp=000001fffffeffff pi=0 pe=000001fffffeffff pa=0 frootid=0
type=SYSCALL msg=audit(1695820414.146:1410): arch=c000003e syscall=59 success=yes exit=0 a0=55d1dee86950 a1=55d1dee84650 a2=55d1dee81e90 a3=1b6 items=2 ppid=160570 pid=160581 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1695820414.146:1410): avc: denied { execute_no_trans } for pid=160581 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695820414.146:1410): avc: denied { read open } for pid=160581 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695820414.146:1410): avc: denied { execute } for pid=160581 comm="log_rotate.sh" name="systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
----
time->Wed Sep 27 15:13:45 2023
type=PROCTITLE msg=audit(1695820425.306:1413): proctitle=2F7573722F62696E2F73797374656D63746C002D2D7369676E616C3D485550006B696C6C00727379736C6F67
type=PATH msg=audit(1695820425.306:1413): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=8519390 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1695820425.306:1413): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1695820425.306:1413): cwd="/"
type=EXECVE msg=audit(1695820425.306:1413): argc=4 a0="/usr/bin/systemctl" a1="--signal=HUP" a2="kill" a3="rsyslog"
type=BPRM_FCAPS msg=audit(1695820425.306:1413): fver=0 fp=0 fi=0 fe=0 old_pp=000001fffffeffff old_pi=0 old_pe=000001fffffeffff old_pa=0 pp=000001fffffeffff pi=0 pe=000001fffffeffff pa=0 frootid=0
type=SYSCALL msg=audit(1695820425.306:1413): arch=c000003e syscall=59 success=yes exit=0 a0=55f2c7153950 a1=55f2c7151650 a2=55f2c714ee90 a3=1b6 items=2 ppid=161650 pid=161661 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1695820425.306:1413): avc: denied { execute_no_trans } for pid=161661 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695820425.306:1413): avc: denied { read open } for pid=161661 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1695820425.306:1413): avc: denied { execute } for pid=161661 comm="log_rotate.sh" name="systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=1
[0 root@sopos-rhel8-brq ~]# ausearch -m avc -ts recent | audit2allow

#============= syslogd_t ==============
allow syslogd_t systemd_systemctl_exec_t:file { execute execute_no_trans open read };
Additional info
In enforcing, I also saw the getattr permission triggered
[0 root@sopos-rhel8-brq ~]# ausearch -m avc -ts recent
----
time->Wed Sep 27 15:03:30 2023
type=PROCTITLE msg=audit(1695819810.490:1170): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F62696E2F6C6F675F726F746174652E7368
type=PATH msg=audit(1695819810.490:1170): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1695819810.490:1170): cwd="/"
type=SYSCALL msg=audit(1695819810.490:1170): arch=c000003e syscall=59 success=no exit=-13 a0=55cd5e6e9950 a1=55cd5e6e7650 a2=55cd5e6e4e90 a3=1b6 items=1 ppid=146336 pid=146348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="log_rotate.sh" exe="/usr/bin/bash" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1695819810.490:1170): avc: denied { execute } for pid=146348 comm="log_rotate.sh" name="systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
----
time->Wed Sep 27 15:03:30 2023
type=PROCTITLE msg=audit(1695819810.490:1171): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F62696E2F6C6F675F726F746174652E7368
type=PATH msg=audit(1695819810.490:1171): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1695819810.490:1171): cwd="/"
type=SYSCALL msg=audit(1695819810.490:1171): arch=c000003e syscall=4 success=no exit=-13 a0=55cd5e6e9950 a1=7ffe041a3f70 a2=7ffe041a3f70 a3=1b6 items=1 ppid=146336 pid=146348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="log_rotate.sh" exe="/usr/bin/bash" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1695819810.490:1171): avc: denied { getattr } for pid=146348 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
----
time->Wed Sep 27 15:03:30 2023
type=PROCTITLE msg=audit(1695819810.490:1172): proctitle=2F62696E2F62617368002F7573722F6C6F63616C2F62696E2F6C6F675F726F746174652E7368
type=PATH msg=audit(1695819810.490:1172): item=0 name="/usr/bin/systemctl" inode=301538 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1695819810.490:1172): cwd="/"
type=SYSCALL msg=audit(1695819810.490:1172): arch=c000003e syscall=4 success=no exit=-13 a0=55cd5e6e9950 a1=7ffe041a3f50 a2=7ffe041a3f50 a3=1b6 items=1 ppid=146336 pid=146348 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="log_rotate.sh" exe="/usr/bin/bash" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1695819810.490:1172): avc: denied { getattr } for pid=146348 comm="log_rotate.sh" path="/usr/bin/systemctl" dev="dm-0" ino=301538 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file permissive=0
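Added example (not part of the original report, and not Red Hat or audit tooling code): a small parser that decodes the hex proctitle field and merges the AVC denials from both the permissive and the enforcing run, showing why the audit2allow rule above lacks getattr. The sample records are constructed by abridging the report's output; all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the report's permissive (1410) and
# enforcing (1170, 1171) ausearch runs; pid/dev/ino fields dropped for brevity.
CTX = ("scontext=system_u:system_r:syslogd_t:s0 "
       "tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file")
SAMPLE = "\n".join([
    "type=PROCTITLE msg=audit(1695820414.146:1410): proctitle=2F7573722F62696E2F"
    "73797374656D63746C002D2D7369676E616C3D485550006B696C6C00727379736C6F67",
    f"type=AVC msg=audit(1695820414.146:1410): avc: denied {{ execute_no_trans }} for {CTX} permissive=1",
    f"type=AVC msg=audit(1695820414.146:1410): avc: denied {{ read open }} for {CTX} permissive=1",
    f"type=AVC msg=audit(1695820414.146:1410): avc: denied {{ execute }} for {CTX} permissive=1",
    f"type=AVC msg=audit(1695819810.490:1170): avc: denied {{ execute }} for {CTX} permissive=0",
    f"type=AVC msg=audit(1695819810.490:1171): avc: denied {{ getattr }} for {CTX} permissive=0",
])
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)"
                    r"\s+tclass=(\S+)(?:\s+permissive=([01]))?")
PROCTITLE_RE = re.compile(r"proctitle=(\S+)")

def decode_proctitle(value):
    """Hex form carries argv joined by NUL bytes; otherwise it is a quoted string."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(value).split(b"\0")]

def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms, permissive) per AVC record."""
    for m in AVC_RE.finditer(text):
        perms, scon, tcon, tclass, mode = m.groups()
        yield scon.split(":")[2], tcon.split(":")[2], tclass, set(perms.split()), mode == "1"

def merged_rules(text):
    """Union permissions per (source, target, class) into allow-rule strings."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms, _ in parse_avcs(text):
        rules[(src, tgt, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def perms_by_mode(text):
    """Split denied permissions by whether the record was logged in permissive mode."""
    seen = {True: set(), False: set()}
    for *_, perms, permissive in parse_avcs(text):
        seen[permissive] |= perms
    return seen

if __name__ == "__main__":
    print(decode_proctitle(PROCTITLE_RE.search(SAMPLE).group(1)))
    print("\n".join(merged_rules(SAMPLE)))
    modes = perms_by_mode(SAMPLE)
    print("enforcing only:", sorted(modes[False] - modes[True]))
```

In enforcing mode the exec fails at the first denied permission, so the two runs expose different permission sets; a rule generated from only one of them is incomplete.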
- is cloned by: RHEL-11174 selinux prevents syslogd_t from execution the systemd_systemctl_exec_t (Closed)
- is related to: RHEL-8676 rsyslog kills the program run by omprog on SIGHUP (Closed)
- links to: RHBA-2023:121335 selinux-policy bug fix and enhancement update