RHEL-1100

[RHEL8.6/Insights/SELinux/Bug] AVC with SAP HANA call with selinux-policy-3.14.3-95.el8_6.6


Issue fields: Moderate; rhel-security-selinux; ssg_security

Opening this bug again, as the customer has the below feedback that the bug https://bugzilla.redhat.com/show_bug.cgi?id=2170511 is not fixed/accepted-as-wanted.

=========================================================================
With SAP HANA, the call from insights to 'hdbsrvutil -v' triggers 2 AVCs that are not handled yet and not documented to be excluded; like the write to usr_t that was provided as feedback, it was not fixed/accepted-as-wanted.

~~~
+ sudo ausearch -i -m avc,user_avc -ts today

node=li-lc-2802 type=PROCTITLE msg=audit(03/15/2023 09:05:35.693:274102) : proctitle=/usr/sap/H4C/HDB96/exe/hdbsrvutil -v
node=li-lc-2802 type=SYSCALL msg=audit(03/15/2023 09:05:35.693:274102) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7f483ec03000 a1=0x10000 a2=PROT_READ|PROT_EXEC a3=0x7f483ec03000 items=0 ppid=3165740 pid=3165767 auid=unset uid=h4cadm gid=sapsys euid=h4cadm suid=h4cadm fsuid=h4cadm egid=sapsys sgid=sapsys fsgid=sapsys tty=(none) ses=unset comm=hdbsrvutil exe=/hana/shared/H4C/exe/linuxx86_64/HDB_2.00.059.04.1655794895_1cdbd35ec7472ab5d22a0bac02725a02dc3038f9/hdbsrvutil subj=system_u:system_r:insights_client_t:s0 key=(null)
node=li-lc-2802 type=AVC msg=audit(03/15/2023 09:05:35.693:274102) : avc: denied { execmod } for pid=3165767 comm=hdbsrvutil path=/hana/shared/H4C/exe/linuxx86_64/HDB_2.00.059.04.1655794895_1cdbd35ec7472ab5d22a0bac02725a02dc3038f9/librtebasesupp.so dev="dm-6" ino=10575664 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=1

node=li-lc-2802 type=PROCTITLE msg=audit(03/15/2023 09:05:35.716:274103) : proctitle=/usr/sap/H4C/HDB96/exe/hdbsrvutil -v
node=li-lc-2802 type=SYSCALL msg=audit(03/15/2023 09:05:35.716:274103) : arch=x86_64 syscall=mprotect success=yes exit=0 a0=0x7f483bdc5000 a1=0x1000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x0 items=0 ppid=3165740 pid=3165767 auid=unset uid=h4cadm gid=sapsys euid=h4cadm suid=h4cadm fsuid=h4cadm egid=sapsys sgid=sapsys fsgid=sapsys tty=(none) ses=unset comm=hdbsrvutil exe=/hana/shared/H4C/exe/linuxx86_64/HDB_2.00.059.04.1655794895_1cdbd35ec7472ab5d22a0bac02725a02dc3038f9/hdbsrvutil subj=system_u:system_r:insights_client_t:s0 key=(null)
node=li-lc-2802 type=AVC msg=audit(03/15/2023 09:05:35.716:274103) : avc: denied { execmem } for pid=3165767 comm=hdbsrvutil scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1

+ sudo audit2allow -a

#============= insights_client_t ==============
allow insights_client_t self:process execmem;
allow insights_client_t usr_t:file execmod;
~~~

========================================================================================
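As an added example (not Red Hat's, the customer's, or audit2allow's own code): a small Python parser that reads the AVC records quoted above, derives the same two allow rules that `audit2allow -a` printed, and separately flags the execmem/execmod permissions together with the `permissive=1` field, which shows these accesses were logged rather than blocked. The sample audit text is constructed from the report's own records (SYSCALL lines omitted); the function names, the rule-aggregation logic and the review flags are this example's assumptions.

```python
"""Parse SELinux AVC denial records and derive the equivalent allow rules.

Added example, not Red Hat's or audit2allow's own code. SAMPLE_AUDIT is
constructed from the PROCTITLE and AVC records quoted in the report; the
rule aggregation mirrors the format audit2allow prints, and the review
flags are this example's own addition.
"""
import re
from collections import defaultdict

# Permissions that grant executable memory; policy authors review these
# individually instead of allowing them wholesale.
MEMORY_EXEC_PERMS = {"execmem", "execmod", "execstack", "execheap"}

# Constructed sample: the records from the report (SYSCALL lines omitted).
SAMPLE_AUDIT = """\
node=li-lc-2802 type=PROCTITLE msg=audit(03/15/2023 09:05:35.693:274102) : proctitle=/usr/sap/H4C/HDB96/exe/hdbsrvutil -v
node=li-lc-2802 type=AVC msg=audit(03/15/2023 09:05:35.693:274102) : avc: denied { execmod } for pid=3165767 comm=hdbsrvutil path=/hana/shared/H4C/exe/linuxx86_64/HDB_2.00.059.04.1655794895_1cdbd35ec7472ab5d22a0bac02725a02dc3038f9/librtebasesupp.so dev="dm-6" ino=10575664 scontext=system_u:system_r:insights_client_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=1
node=li-lc-2802 type=PROCTITLE msg=audit(03/15/2023 09:05:35.716:274103) : proctitle=/usr/sap/H4C/HDB96/exe/hdbsrvutil -v
node=li-lc-2802 type=AVC msg=audit(03/15/2023 09:05:35.716:274103) : avc: denied { execmem } for pid=3165767 comm=hdbsrvutil scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:system_r:insights_client_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the parsed fields of one 'avc: denied' record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],  # user:role:type:level -> type
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
    }


def allow_rules(records):
    """Aggregate denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for r in records:
        target = "self" if r["ttype"] == r["stype"] else r["ttype"]
        grouped[(r["stype"], target, r["tclass"])] |= r["perms"]
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def review_flags(records):
    """One line per record that asks for executable memory, naming the object
    and whether the access was actually blocked."""
    flags = []
    for r in records:
        risky = r["perms"] & MEMORY_EXEC_PERMS
        if not risky:
            continue
        what = r["path"] or f"{r['tclass']} {r['ttype']}"
        outcome = "logged only (permissive)" if r["permissive"] else "blocked (enforcing)"
        flags.append(f"{r['comm']} ({r['stype']}): {' '.join(sorted(risky))} on {what}, {outcome}")
    return flags


def analyze(text):
    """Run the parser over raw ausearch -i output and return rules, flags and parsed records."""
    records = [r for r in map(parse_avc, text.splitlines()) if r]
    return {"records": records, "rules": allow_rules(records), "flags": review_flags(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_AUDIT)
    print("\n".join(result["rules"]))
    print("\n".join(result["flags"]))
```

The execmem/execmod flags are kept apart from the generated rules because those permissions grant executable memory to the whole insights_client_t domain, not just to one file, which is why a policy maintainer weighs them differently from a plain missing file permission; the `permissive` field is surfaced because the records above show the accesses succeeded and were only logged.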

People: Zdenek Pytela (rhn-support-zpytela), Arvinder Singh Chadha (rhn-support-achadha), SSG Security QE