RHEL-5192

Fapolicyd rules not working for SAP


    • rhel-security-special-projects
    • ssg_security

      Description of problem:

      • Fapolicyd rules are configured for SAP but denials are still shown.

      Version-Release number of selected component (if applicable):

      • Red Hat Enterprise Linux release 8.7 (Ootpa)
      • fapolicyd-1.1.3-8.el8.x86_64
      • SAP is installed

      How reproducible:

      • Always

      Steps to Reproduce:
      1. Install SAP on RHEL 8.
      2. Install Fapolicyd then run the daemon in permissive mode.
      3. Generate the rules to allow SAP binaries and libraries.
      4. Restart the fapolicyd service and check the denials again -> binary is still denied.

      Actual results:

      • Denials are seen although there are rules to allow the execution.

      Expected results:

      • Application execution should hit the rules and no denials shall be seen.

      Additional info:

      • 2 rules are configured to allow "sapuxusergetrtinfo" executable to run, however it's still denied:

      ~~~
      $ grep sapuxusergetrtinfo 0050-fapolicyd-cli_list
      65. allow perm=execute exe=/usr/bin/ksh93 trust=0 : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable trust=0
      69. allow perm=execute exe=/usr/bin/tcsh trust=0 : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable trust=0

      $ grep -i deny 0080-fapolicy.output2 | cut -d ' ' -f1,2,3,4,6,7,8,9 | sort | uniq | grep sapuxusergetrtinfo
      rule=2060 dec=deny_audit perm=execute auid=-1 exe=/usr/bin/ksh93 : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable
      rule=2060 dec=deny_audit perm=execute auid=-1 exe=/usr/bin/tcsh : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable
      ~~~

      • Checking the rule #2060:

      ~~~
      $ grep -iR 2060 0050-fapolicyd-cli_list
      2060. deny_audit perm=execute all : all
      ~~~

      • This rule is originating from 90-deny-execute.rules:

      ~~~
      $ cat 90-deny-execute.rules

      # Deny execution for anything untrusted
      deny_audit perm=execute all : all
      ~~~
      • It seems odd, since the rules are already configured and should match before the deny. We need to investigate this in greater detail, since I can see some mount change messages in fapolicy.output.

              rsroka@redhat.com Radovan Sroka (Inactive)
              rhn-support-mharbi Moustafa Harbi
              Radovan Sroka Radovan Sroka (Inactive)
              SSG Security QE SSG Security QE
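A triage helper for the situation in this report, added here as an example (it is not from the reporter or the fapolicyd project): because fapolicyd takes the first matching rule, it lists each allow rule numbered before the deny rule that agrees with a denied event on every field the log line shows, plus the rule attributes the log line cannot confirm. The function names are hypothetical, and matching is exact-string only (an assumption; directory and pattern forms are not handled).

```python
import re

# Rule and event lines copied from the report above and embedded as sample input.
RULES = """\
65. allow perm=execute exe=/usr/bin/ksh93 trust=0 : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable trust=0
69. allow perm=execute exe=/usr/bin/tcsh trust=0 : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable trust=0
2060. deny_audit perm=execute all : all
"""
EVENTS = """\
rule=2060 dec=deny_audit perm=execute auid=-1 exe=/usr/bin/ksh93 : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable
rule=2060 dec=deny_audit perm=execute auid=-1 exe=/usr/bin/tcsh : path=/usr/sap/hostctrl/exe/sapuxusergetrtinfo ftype=application/x-executable
"""

def kv(text):
    """'perm=execute exe=/x all' -> {'perm': 'execute', 'exe': '/x'}; bare 'all' adds no constraint."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def parse_rules(listing):
    """Parse 'N. decision subject : object' lines into (N, decision, subject, object)."""
    rules = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\.\s+(\S+)\s+(.*?)\s+:\s+(.*)$", line)
        if m:
            num, decision, subj, obj = m.groups()
            rules.append((int(num), decision, kv(subj), kv(obj)))
    return rules

def shadowed(rules, events):
    """Return (deny_rule, allow_rule, unverified_attrs) per earlier allow rule agreeing with a deny event."""
    out = []
    for line in events.splitlines():
        left, right = line.split(" : ", 1)
        subj, obj = kv(left), kv(right)
        hit = int(subj["rule"])  # number of the rule that produced the decision
        for num, decision, rs, ro in rules:
            if num >= hit or not decision.startswith("allow"):
                continue  # only allow rules evaluated before the deciding rule
            unverified, mismatch = [], False
            for side, want, got in (("subject", rs, subj), ("object", ro, obj)):
                for key, val in want.items():
                    if key not in got:
                        unverified.append(f"{side} {key}={val}")  # not shown in the log line
                    elif got[key] != val:  # assumption: exact match, no dir/pattern handling
                        mismatch = True
            if not mismatch:
                out.append((hit, num, unverified))
    return out

print(shadowed(parse_rules(RULES), EVENTS))
```

For the lines in this report it pairs rule 65 with the ksh93 event and rule 69 with the tcsh event, leaving `trust=0` on both subject and object as the attributes the log output does not confirm.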