Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-128841

Sending mail or more generally connecting to remote services from action scripts (EXEC /path/to/script) fails when SELinux is in Enforcing mode

Linking RHIVOS CVEs to...Migration: Automation ...RHELPRIO AssignedTeam ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-8.10, rhel-10.1, rhel-9.7
    • audit
    • None
    • None
    • Low
    • rhel-security-special-projects
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      Most *_action directives in /etc/audit/auditd.conf allow executing scripts (e.g. EXEC /usr/local/bin/myscript).
      It appears that this nice feature doesn't work most of the time, because SELinux AVCs pop up depending on what the script executes.
      For example:

      1. it's not possible to send a mail using mailx -S smtp="smtps://xxx:465" ...)
      2. It's not possible to execute curl to post a report of the situation
      3. And many more use cases where you want to notify the world about the situation or take action

      This is because the scripts execute in the context of auditd (auditd_t), which is very restricted: the SELinux policy doesn't let auditd_t connect to SMTP, HTTP, etc. unless one enables the nis_enabled boolean but this boolean opens too much for everything running on the system.

      In order to allow many actions in the scripts, I'm proposing that a new context be created, e.g. auditd_script_exec_t, which would be used when scripts execute. Ideally scripts should be stored in a new /etc/audit/scripts.d directory so that they get the proper label automatically.

      What is the impact of this issue to you?

      Administration complicated

      Please provide the package NVR for which the bug is seen:

      All releases since RHEL8.

      How reproducible is this bug?

      Always

      Steps to reproduce

      1. Setup a script for demonstration purposes (it uses curl inside) 
        # cat > /usr/local/bin/auditd_action << EOF
#!/bin/sh
curl http://www.google.com
EOF
# chmod +x /usr/local/bin/auditd_action
      2. Configure auditd to trigger the script on space issue 
        admin_space_left_action = EXEC /usr/local/bin/auditd_action
      3. Trigger the script execution 
        # service auditd stop
# mount -t tmpfs tmpfs -o size=10M /var/log/audit
# restorecon -F /var/log/audit
# service auditd start

      Expected results

      curl executes properly

      Actual results

      Failure, as seen in the journal:

      # journalctl -u setroubleshootd.service 
[...]
Nov 17 09:10:31 vm-rhel10 setroubleshoot[1640]: SELinux is preventing /usr/bin/curl from name_connect access on the tcp_socket port 80. For complete SELinux messages run: sealert -l 47607bcf-7ace-4d61-ab6f-79318a61b213
[...]

# sealert -l 47607bcf-7ace-4d61-ab6f-79318a61b213
SELinux is preventing /usr/bin/curl from name_connect access on the tcp_socket port 80.
[...]
Additional Information:
Source Context                system_u:system_r:auditd_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 80 [ tcp_socket ]
Source                        curl
Source Path                   /usr/bin/curl
Port                          80
[...]

              scorreia@redhat.com Sergio Correia
              rhn-support-rmetrich Renaud Métrich
              Sergio Correia Sergio Correia
              Adam Prikryl Adam Prikryl
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: