Bug 1186072 - SELinux is preventing /usr/sbin/upsmon from 'read' accesses on the chr_file random.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1c734abcfeb625afd25bf823458...
Depends On:
Blocks:
Reported: 2015-01-27 00:20 UTC by Alexander Ploumistos
Modified: 2015-02-15 03:29 UTC

Fixed In Version: selinux-policy-3.13.1-105.3.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-15 03:29:27 UTC
Type: ---


Attachments (Terms of Use)
/var/log/audit/audit.log (237.71 KB, text/plain)
2015-02-03 12:19 UTC, Alexander Ploumistos

Description Alexander Ploumistos 2015-01-27 00:20:21 UTC
Description of problem:
SELinux is preventing /usr/sbin/upsmon from 'read' accesses on the chr_file random.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that upsmon should be allowed read access on the random chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep upsmon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:nut_upsmon_t:s0
Target Context                system_u:object_r:random_device_t:s0
Target Objects                random [ chr_file ]
Source                        upsmon
Source Path                   /usr/sbin/upsmon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.18.3-201.fc21.x86_64 #1 SMP Mon Jan 19 15:59:31 UTC 2015 x86_64 x86_64
Alert Count                   541
First Seen                    2014-06-18 20:20:20 EEST
Last Seen                     2015-01-26 23:16:33 EET
Local ID                      1dc293db-5080-4a78-a46c-9de6706f79c0

Raw Audit Messages
type=AVC msg=audit(1422306993.669:124): avc:  denied  { read } for  pid=1717 comm="upsmon" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1422306993.669:124): arch=x86_64 syscall=open success=no exit=EACCES a0=7fb6eca72299 a1=900 a2=6b5 a3=11f items=0 ppid=1715 pid=1717 auid=4294967295 uid=57 gid=57 euid=57 suid=57 fsuid=57 egid=57 sgid=57 fsgid=57 tty=(none) ses=4294967295 comm=upsmon exe=/usr/sbin/upsmon subj=system_u:system_r:nut_upsmon_t:s0 key=(null)

Hash: upsmon,nut_upsmon_t,random_device_t,chr_file,read

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.3-201.fc21.x86_64
type:           libreport
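The raw AVC record above is the piece of evidence the rest of the thread turns on: the `scontext`, `tcontext`, `tclass` and permission set are exactly what `audit2allow` condenses into an `allow` rule, and the reason the first policy fix was not enough is that `/dev/random` and `/dev/urandom` carry different target types (`random_device_t` versus `urandom_device_t`), so a rule for one does not cover the other. The following Python is an added example, not code from the bug report, from setroubleshoot or from the selinux-policy project. It parses AVC denials, merges them into allow rules the way `audit2allow` would, and then checks a set of existing rules for the gap the thread hit. The first log line is the report's own AVC; the second (urandom) and third (SYSCALL) lines are constructed for the example, since no raw urandom AVC appears on the page.

```python
import re
from collections import OrderedDict

# Constructed sample audit log. Line 1 is the AVC from the bug report; line 2 is a
# constructed stand-in for the urandom denial described later in the thread; line 3
# is a SYSCALL record the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1422306993.669:124): avc:  denied  { read } for  pid=1717 comm="upsmon" name="random" dev="devtmpfs" ino=1032 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1422900000.000:200): avc:  denied  { read open } for  pid=1720 comm="upsmon" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1422306993.669:124): arch=x86_64 syscall=open success=no exit=EACCES comm=upsmon exe=/usr/sbin/upsmon
"""

# Fields of an AVC record that matter for policy: result, permission set, and the
# source/target security contexts plus object class.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# A policy allow rule: "allow SRC TGT:CLASS perm;" or "allow SRC TGT:CLASS { p1 p2 };"
RULE_RE = re.compile(
    r"allow\s+(?P<s>\S+)\s+(?P<t>\S+):(?P<c>\w+)\s+"
    r"(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<one>\w+))\s*;"
)


def context_type(ctx):
    """Extract the type field from user:role:type[:range]; works with MLS ranges too."""
    return ctx.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC 'denied' record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue
        denials.append({
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return denials


def allow_rules(denials):
    """Collapse denials into one allow rule per (source, target, class), merging perms."""
    merged = OrderedDict()
    for d in denials:
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged[key] = merged.get(key, frozenset()) | d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in merged.items()]


def uncovered_denials(denials, existing_rules):
    """Return the denials that a given list of allow rules does not fully satisfy.

    This is the check that would have shown, after the random_device_t fix, that
    the urandom_device_t denial was still open.
    """
    granted = {}
    for rule in existing_rules:
        m = RULE_RE.search(rule)
        if not m:
            raise ValueError(f"unparseable rule: {rule!r}")
        key = (m.group("s"), m.group("t"), m.group("c"))
        perms = frozenset((m.group("set") or m.group("one")).split())
        granted[key] = granted.get(key, frozenset()) | perms
    return [d for d in denials
            if not d["perms"] <= granted.get(
                (d["source_type"], d["target_type"], d["tclass"]), frozenset())]


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    # The rule corresponding to the first fix in the thread covers only /dev/random.
    first_fix = ["allow nut_upsmon_t random_device_t:chr_file read;"]
    for d in uncovered_denials(found, first_fix):
        print("still denied:", d["source_type"], d["target_type"], d["tclass"], sorted(d["perms"]))
```

Running the script prints the two merged rules and then reports the `urandom_device_t` denial as still uncovered by the `random_device_t` rule, which is the same situation Comment 5 describes after the first package update.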

Comment 1 Lukas Vrabec 2015-02-02 12:20:40 UTC
commit ca4fb28741fdf9b47418bef9953f73e19fa064f3
Author: Lukas Vrabec <lvrabec>
Date:   Wed Jan 28 16:01:15 2015 +0100

    Allow nut_upsmon_t to read random_device_t. BZ(1186072)

Comment 2 Alexander Ploumistos 2015-02-02 12:47:20 UTC
Is it in

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/

or someplace else? Because I cannot find that commit.

Comment 3 Lukas Vrabec 2015-02-02 13:16:30 UTC
It's here:
https://github.com/selinux-policy/selinux-policy/commit/ca4fb28741fdf9b47418bef9953f73e19fa064f3

Package will be available soon.

Comment 4 Alexander Ploumistos 2015-02-02 13:18:32 UTC
Thank you very much!

Comment 5 Alexander Ploumistos 2015-02-02 20:36:08 UTC
I installed the packages (3.13.1-105.2) from koji, rebooted the machine, but I'm still seeing these:

Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost sedispatch: AVC Message for setroubleshoot, dropping message
Feb  2 22:21:38 localhost setroubleshoot: Plugin Exception restorecon_source
Feb  2 22:21:38 localhost setroubleshoot: SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom. For complete SELinux messages. run sealert -l 9c298592-7379-45e4-855e-a73dda984104
Feb  2 22:21:38 localhost python: SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom.

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server
Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean.
You can read 'None' man page for more details.
Do
setsebool -P authlogin_nsswitch_use_ldap 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to enable reading of urandom for all domains.
Then you must tell SELinux about this by enabling the 'global_ssp' boolean.
You can read 'None' man page for more details.
Do
setsebool -P global_ssp 1

*****  Plugin catchall (6.38 confidence) suggests   **************************

If you believe that upsmon should be allowed read access on the urandom chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep upsmon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Do I need to relabel the system or something?
One interesting side-effect, after installing the update, my dropbox tray icon is visible again. It used to be a horizontal, black line, see
https://alexpl.fedorapeople.org/screenshots/gnome_message_tray.png

Comment 6 Lukas Vrabec 2015-02-03 09:53:56 UTC
Hi,

I need to see AVC related to this issue. 
Could you attach /var/log/audit.log file? 

Thank you!

Comment 7 Alexander Ploumistos 2015-02-03 12:19:35 UTC
Created attachment 987537 [details]
/var/log/audit/audit.log

While "SELinux is preventing /usr/sbin/upsmon from read access on the chr_file urandom" happens every time the system starts, SELinux Troubleshooter pops up only at nights. Is there a setting for this behavior, or is it a bug as well?

Comment 8 Lukas Vrabec 2015-02-03 13:39:39 UTC
OK, upsmon also needs to read the urandom device. I'll add a fix ASAP.

Comment 9 Lukas Vrabec 2015-02-03 14:38:20 UTC
commit 6ed17a9861381497615030b03dfe15f18e9afa02
Author: Lukas Vrabec <lvrabec>
Date:   Tue Feb 3 15:37:25 2015 +0100

    Allow upsmon_t to read urandom device.

Comment 10 Fedora Update System 2015-02-05 13:15:26 UTC
selinux-policy-3.13.1-105.3.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.3.fc21

Comment 11 Alexander Ploumistos 2015-02-05 14:34:31 UTC
All is well now, thanks again!


P.S.: Do I need to file another report for this, or is it WIP upstream?

Feb  5 16:18:50 localhost kernel: SELinux:  Permission audit_read in class capability2 not defined in policy.
Feb  5 16:18:50 localhost kernel: SELinux: the above unknown classes and permissions will be allowed

Comment 12 Fedora Update System 2015-02-06 04:04:01 UTC
Package selinux-policy-3.13.1-105.3.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.3.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-1768/selinux-policy-3.13.1-105.3.fc21
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2015-02-15 03:29:27 UTC
selinux-policy-3.13.1-105.3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

