[RHEL-82675] AVC check fail when running squid/Security/CVE-2018-19131-XSS-when-generating-HTTPS-response-messages-about-TLS-errors

    • Bug
    • Resolution: Unresolved
    • rhel-9.6
    • selinux-policy
    • rhel-sst-security-selinux
    • ssg_security

      What were you trying to do that didn't work?

      AVC check fail when running squid/Security/CVE-2018-19131-XSS-when-generating-HTTPS-response-messages-about-TLS-errors

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      squid-5.5-18.el9
      audit-3.1.5-4.el9.aarch64
      selinux-policy-38.1.53-2.el9.noarch

      Actual results

      type=AVC msg=audit(02/26/2025 17:40:11.322:2097) : avc: denied { open } for pid=91074 comm=squid path=/etc/hosts dev="nvme0n1p3" ino=184565788 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1

      log: https://artifacts.osci.redhat.com/testing-farm/b18f9ab4-fed4-4d01-bf41-f7eeab1baea5/work-squidqumtz689/plans/cs_stacks/tier2/squid/execute/data/guest/default-0/internal/Security/CVE-2018-19131-XSS-when-generating-HTTPS-response-messages-about-TLS-errors/system-19/checks/avc.txt


            Zdenek Pytela added a comment -

            needinfo bnater@redhat.com
            The next step depends on the directory path state: is it somehow standardized or is it completely up to the admin?
            In the former case we can assign a specific label; in the latter one you need to do it in the test. Currently these options for the SELinux type are available:

            rhel10.1# sesearch -A -s squid_t -c file -p read|grep allow.squid_t.squid_.*_t
            allow squid_t squid_cache_t:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };
            allow squid_t squid_conf_t:file { getattr ioctl lock open read };
            allow squid_t squid_exec_t:file { entrypoint execute execute_no_trans getattr ioctl lock map open read };
            allow squid_t squid_log_t:file { create link open read rename setattr unlink watch watch_reads write };
            allow squid_t squid_tmpfs_t:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write };
            allow squid_t squid_var_run_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };

            but none seems to be a perfect fit.

            Branislav Náter added a comment -

            Thanks guys. I've fixed two issues in this test: the incorrect /etc/hosts and /etc/pki/tls/certs/ labels, by using "cp" instead of "mv".

            The third issue is /var/lib/ssl_db/ - btw, that one was created by this command:

            rlRun "/usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB" 0,255

            /usr/lib64/squid/security_file_certgen is from the squid package. I've relabeled the directory and files after creation. Should it be created with the right context by /usr/lib64/squid/security_file_certgen from the beginning?

            Milos Malik added a comment -

            bnater@redhat.com Please let us know more about the /var/lib/ssl_db directory. Was it created by the automated test? Does it belong to any package?


            Milos Malik added a comment -

            The following SELinux denials are visible in the linked log file:

            ----
            type=PROCTITLE msg=audit(02/26/2025 17:40:11.392:2098) : proctitle=(security_file_certgen) -s /var/lib/ssl_db -M 4MB 
            type=PATH msg=audit(02/26/2025 17:40:11.392:2098) : item=0 name=/var/lib/ssl_db/index.txt inode=260057156 dev=103:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
            type=CWD msg=audit(02/26/2025 17:40:11.392:2098) : cwd=/var/spool/squid 
            type=SYSCALL msg=audit(02/26/2025 17:40:11.392:2098) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xaaab013daeb0 a2=O_RDONLY a3=0x0 items=1 ppid=91076 pid=91077 auid=unset uid=squid gid=squid euid=squid suid=squid fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=security_file_c exe=/usr/lib64/squid/security_file_certgen subj=system_u:system_r:squid_t:s0 key=(null) 
            type=AVC msg=audit(02/26/2025 17:40:11.392:2098) : avc:  denied  { read } for  pid=91077 comm=security_file_c name=index.txt dev="nvme0n1p3" ino=260057156 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1 
            ----
            type=PROCTITLE msg=audit(02/26/2025 17:40:11.392:2099) : proctitle=(security_file_certgen) -s /var/lib/ssl_db -M 4MB 
            type=PATH msg=audit(02/26/2025 17:40:11.392:2099) : item=0 name=/var/lib/ssl_db/index.txt inode=260057156 dev=103:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
            type=CWD msg=audit(02/26/2025 17:40:11.392:2099) : cwd=/var/spool/squid 
            type=SYSCALL msg=audit(02/26/2025 17:40:11.392:2099) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xaaab047b8eb0 a2=O_RDONLY a3=0x0 items=1 ppid=91076 pid=91078 auid=unset uid=squid gid=squid euid=squid suid=squid fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=security_file_c exe=/usr/lib64/squid/security_file_certgen subj=system_u:system_r:squid_t:s0 key=(null) 
            type=AVC msg=audit(02/26/2025 17:40:11.392:2099) : avc:  denied  { open } for  pid=91078 comm=security_file_c path=/var/lib/ssl_db/index.txt dev="nvme0n1p3" ino=260057156 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1 
            ----
            type=PROCTITLE msg=audit(02/26/2025 17:40:11.392:2100) : proctitle=(security_file_certgen) -s /var/lib/ssl_db -M 4MB 
            type=SYSCALL msg=audit(02/26/2025 17:40:11.392:2100) : arch=aarch64 syscall=newfstat success=yes exit=0 a0=0x3 a1=0xffffcfc06db8 a2=0xffff9a2ca4c4 a3=0xa items=0 ppid=91076 pid=91078 auid=unset uid=squid gid=squid euid=squid suid=squid fsuid=squid egid=squid sgid=squid fsgid=squid tty=(none) ses=unset comm=security_file_c exe=/usr/lib64/squid/security_file_certgen subj=system_u:system_r:squid_t:s0 key=(null) 
            type=AVC msg=audit(02/26/2025 17:40:11.392:2100) : avc:  denied  { getattr } for  pid=91078 comm=security_file_c path=/var/lib/ssl_db/index.txt dev="nvme0n1p3" ino=260057156 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
            ----
            

            Unfortunately, I don't know what created the /var/lib/ssl_db/ directory.

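A small parser for the AVC records quoted in this thread, added here as an example and not part of the issue or of the selinux-policy project: it groups the denials by source type, target type and object class and collects the denied permissions, which is the shape a policy engineer compares against the sesearch output above when deciding whether the fix is a relabel (restorecon) or a policy change. The sample input is constructed from the records on this page (the /etc/hosts denial from the description plus the three security_file_certgen denials); every record carries permissive=1, so nothing was actually blocked.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from this issue, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/26/2025 17:40:11.322:2097) : avc: denied { open } for pid=91074 comm=squid path=/etc/hosts dev="nvme0n1p3" ino=184565788 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(02/26/2025 17:40:11.392:2098) : proctitle=(security_file_certgen) -s /var/lib/ssl_db -M 4MB
type=AVC msg=audit(02/26/2025 17:40:11.392:2098) : avc:  denied  { read } for  pid=91077 comm=security_file_c name=index.txt dev="nvme0n1p3" ino=260057156 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/26/2025 17:40:11.392:2099) : avc:  denied  { open } for  pid=91078 comm=security_file_c path=/var/lib/ssl_db/index.txt dev="nvme0n1p3" ino=260057156 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/26/2025 17:40:11.392:2100) : avc:  denied  { getattr } for  pid=91078 comm=security_file_c path=/var/lib/ssl_db/index.txt dev="nvme0n1p3" ino=260057156 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; values may be double-quoted (dev="nvme0n1p3")
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    rec = {"perms": set(m.group("perms").split())}
    for key in ("scontext", "tcontext", "tclass", "comm", "permissive"):
        rec[key] = fields.get(key, "").strip('"')
    # path= is present for open/getattr, name= for the lookup-style read
    rec["target"] = fields.get("path") or fields.get("name") or ""
    return rec

def summarize(text):
    """Group denials by (source type, target type, class); merge perms and targets."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "permissive": True})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec["scontext"].split(":")[2]   # user:role:type:level -> type
        ttype = rec["tcontext"].split(":")[2]
        group = groups[(stype, ttype, rec["tclass"])]
        group["perms"] |= rec["perms"]
        group["targets"].add(rec["target"])
        # False as soon as any record in the group was enforced (permissive=0)
        group["permissive"] &= rec["permissive"] == "1"
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_AUDIT).items():
        print(f"{src} -> {tgt}:{cls} {sorted(g['perms'])} targets={sorted(g['targets'])} permissive={g['permissive']}")
```

Run on the real avc.txt, the two resulting groups point at two different fixes: squid_t on user_tmp_t is a stale label on a file moved into /etc (a restorecon matter, as the last comment says), while squid_t on var_lib_t is the generic label a freshly created /var/lib/ssl_db/ gets because no file context rule covers that path.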

            Zdenek Pytela added a comment -

            bnater@redhat.com The /etc/hosts file has an incorrect label. This typically happens when the file is copied from a different location, but the label is not restored. In such cases this is not a bug in selinux-policy.

              Zdenek Pytela (rhn-support-zpytela)
              Branislav Náter (bnater@redhat.com)
              SSG Security QE
              Votes: 0
              Watchers: 6