RHEL-70195: selinux AVCs and pmproxy coredump


      With RHEL 10, running the ansible-pcp upstream testsuite (automated here https://gitlab.cee.redhat.com/toolchain-qe/tests/ansible-pcp/-/tree/master/Sanity/upstream-testsuite-on-rhel) causes the following SELinux AVCs:

      ----
      time->Thu Dec  5 10:35:40 2024
      type=PROCTITLE msg=audit(1733412940.530:394028): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D636F726564756D700033363236303831003000300031310031373333343132393430003000333064653831373835343535006270667472616365
      type=SYSCALL msg=audit(1733412940.530:394028): arch=80000016 syscall=228 success=no exit=-61 a0=2aa3fae7c50 a1=3ff86e75016 a2=2aa3faeb440 a3=67 items=0 ppid=2 pid=3626085 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-coredum" exe="/usr/lib/systemd/systemd-coredump" subj=system_u:system_r:systemd_coredump_t:s0 key=(null)
      type=AVC msg=audit(1733412940.530:394028): avc:  denied  { sys_admin } for  pid=3626085 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
      
      # audit2allow -a
      #============= systemd_coredump_t ==============
      allow systemd_coredump_t self:capability sys_admin;
      

      The AVC is caused by a core dump from the pmproxy of pcp-6.3.2-1.el10:

      # coredumpctl list
      TIME                            PID UID GID SIG     COREFILE EXE                            SIZE
      Mon 2024-12-02 21:18:43 EST 2081829 991 991 SIGABRT present  /usr/libexec/pcp/bin/pmproxy      822.2K
      
      # coredumpctl info
                 PID: 4061061 (pmproxy)
                 UID: 991 (pcp)
                 GID: 991 (pcp)
              Signal: 6 (ABRT)
           Timestamp: Thu 2024-12-05 14:34:27 EST (8s ago)
        Command Line: /usr/libexec/pcp/bin/pmproxy -F -A
          Executable: /usr/libexec/pcp/bin/pmproxy
       Control Group: /system.slice/pmproxy.service
                Unit: pmproxy.service
               Slice: system.slice
             Boot ID: 7e2d85f2ac6848928e4808fbca5598bc
          Machine ID: 0cfbf405222f484da67af4648e221446
            Hostname: s390x-kvm-001.lab.eng.rdu2.redhat.com
             Storage: /var/lib/systemd/coredump/core.pmproxy.991.7e2d85f2ac6848928e4808fbca5598bc.406>
        Size on Disk: 815.8K
             Message: Process 4061061 (pmproxy) of user 991 dumped core.
                      
                      Module libnss_systemd.so.2 from rpm systemd-256-16.el10.s390x
                      Module libcap.so.2 from rpm libcap-2.69-7.el10.s390x
                      Module libdbus-1.so.3 from rpm dbus-1.14.10-5.el10.s390x
                      Module libcrypt.so.2 from rpm libxcrypt-4.4.36-10.el10.s390x
                      Module libsystemd.so.0 from rpm systemd-256-16.el10.s390x
                      Module liblzma.so.5 from rpm xz-5.6.2-3.el10.s390x
                      Module libavahi-client.so.3 from rpm avahi-0.8-29.el10.s390x
                      Module libavahi-common.so.3 from rpm avahi-0.8-29.el10.s390x
                      Module libsasl2.so.3 from rpm cyrus-sasl-2.1.28-22.el10.s390x
                      Module libz.so.1 from rpm zlib-ng-2.2.2-1.el10.s390x
                      Module libuv.so.1 from rpm libuv-1.48.0-4.el10.s390x
                      Module libcrypto.so.3 from rpm openssl-3.2.2-14.el10.s390x
                      Module libssl.so.3 from rpm openssl-3.2.2-14.el10.s390x
                      Stack trace of thread 4061061:
                      #0  0x000003ffb74acd34 __pthread_kill_implementation (libc.so.6 + 0xacd34)
                      #1  0x000003ffb7453b90 raise (libc.so.6 + 0x53b90)
                      #2  0x000003ffb7433dbc abort (libc.so.6 + 0x33dbc)
                      #3  0x000003ffb744abba __assert_fail_base (libc.so.6 + 0x4abba)
                      #4  0x000003ffb744ac14 __assert_fail (libc.so.6 + 0x4ac14)
                      #5  0x000003ffb76cc5d4 __pmLogUndeltaInDom (libpcp.so.3 + 0x4c5d4)
                      #6  0x000003ffb7dc94ae process_metadata (libpcp_web.so.1 + 0x494ae)
                      #7  0x000003ffb7dca2d2 directory_changed_cb (libpcp_web.so.1 + 0x4a2d2)
                      #8  0x000003ffb7dca736 changed_callback.lto_priv.0 (libpcp_web.so.1 + 0x4a736)
                      #9  0x000003ffb7dc72a6 fs_change_callBack.lto_priv.0 (libpcp_web.so.1 + 0x472a6)
                      #10 0x000003ffb77a9bca uv__inotify_read (libuv.so.1 + 0x29bca)
                      #11 0x000003ffb77ab334 uv__io_poll (libuv.so.1 + 0x2b334)
                      #12 0x000003ffb7791bf2 uv_run (libuv.so.1 + 0x11bf2)
                      #13 0x000002aa13f0ac4e main_loop (pmproxy + 0xac4e)
                      #14 0x000002aa13f095ce main (pmproxy + 0x95ce)
                      #15 0x000003ffb743437c __libc_start_call_main (libc.so.6 + 0x3437c)
                      #16 0x000003ffb743447e __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x3447e)
                      #17 0x000002aa13f09c50 _start (pmproxy + 0x9c50)
                      
                      Stack trace of thread 4061106:
                      #0  0x0000000000000000 n/a (n/a + 0x0)
                      ELF object binary architecture: IBM S/390
      

      Note: this is reproducible on all architectures.
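
The audit records quoted in this report carry the helper's command line as a hex-encoded `proctitle` field. The following is an added triage example, not part of the original report or of the PCP or systemd code: it groups records by audit event serial, decodes the NUL-separated arguments, and pulls out the denied permission and contexts. The two records are copied from the report; the function names are this example's own.

```python
import re

# PROCTITLE and AVC records of audit event 394028, copied from the report above.
AUDIT_LOG = """\
type=PROCTITLE msg=audit(1733412940.530:394028): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D636F726564756D700033363236303831003000300031310031373333343132393430003000333064653831373835343535006270667472616365
type=AVC msg=audit(1733412940.530:394028): avc:  denied  { sys_admin } for  pid=3626085 comm="systemd-coredum" capability=21  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*)\} for\s+(.*)")


def decode_proctitle(value):
    """Return argv from a proctitle field (hex with NUL separators, or a quoted string)."""
    if value.startswith('"'):  # titles without special characters are logged quoted
        return [value.strip('"')]
    raw = bytes.fromhex(value).rstrip(b"\0")
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]


def summarize(log):
    """Group records by audit event serial; attach decoded argv and parsed AVCs."""
    events = {}
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        ev = events.setdefault(serial, {"argv": None, "avcs": []})
        if rtype == "PROCTITLE":
            ev["argv"] = decode_proctitle(body.split("proctitle=", 1)[1])
        elif rtype == "AVC" and (a := AVC.search(body)):
            fields = dict(kv.split("=", 1) for kv in a.group(3).split() if "=" in kv)
            ev["avcs"].append({
                "result": a.group(1),
                "perms": a.group(2).split(),
                "comm": fields.get("comm", "").strip('"'),
                "scontext": fields.get("scontext"),
                "tclass": fields.get("tclass"),
                "permissive": fields.get("permissive") == "1",
            })
    return events


if __name__ == "__main__":
    for serial, ev in summarize(AUDIT_LOG).items():
        print(serial, ev["argv"], ev["avcs"])
```

The decoded arguments can then be compared with the `coredumpctl` entries for the same host.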

              jkurik@redhat.com Jan Kurik