pmlogger selinux fix for observed denials#2404
Conversation
LGTM
| allow pcp_pmlogger_t pcp_pmlogger_exec_t:file execute_no_trans; | ||
| allow pcp_pmlogger_t ldconfig_exec_t:file { execute execute_no_trans }; | ||
| allow pcp_pmlogger_t pcp_pmie_exec_t:file execute; |
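Review bot: the last rule, `allow pcp_pmlogger_t pcp_pmie_exec_t:file execute;`, lets the pmlogger domain execute pmie's executable type, joining two services the policy otherwise keeps separate; the denial it answers (`comm=pmiectl` running under `pcp_pmlogger_t` against `pcp_pmie_exec_t`) is exactly what a pmiectl file labeled `pcp_pmlogger_exec_t` produces, so the rule would hide a labeling defect rather than fix it. Drop that line and correct the label on `/usr/bin/pmiectl` instead. The `ldconfig_exec_t` and `execute_no_trans` rules also need their own observed denials quoted in the PR description, which so far cites only the pmie one.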
this seems to be mixing pmlogger and pmie ... ?
We observed a new AVC denied message in the automated testing for fedora builds. The change introduced in the build was additional selinux rules... so we think something elsewhere, like the selinux-policy, has changed causing this new denial. The rule was created based on the AVC message:
type=AVC msg=audit(N) : avc: denied { execute } for pid=PID comm=pmiectl name=pmie dev="nvme0n1p4" ino=INO scontext=system_u:system_r:pcp_pmlogger_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
This explanation doesn't make sense. The tools involved here are pmiectl, pmie and (I guess?) pmie_check / pmie_daily, etc. These are all types from pcp policy, not core selinux policy. And there should be no pmlogger labels involved here - this seems more like a labeling problem on the filesystem where the tests are being run - can you try a restorecon(1) there?
This is definitely not the right fix though - there should be no overlap between pmie and pmlogger labelling, they are completely separate services.
@kurik Could this just be an issue with the test environment? I recall you were able to reproduce this on the latest fedora rawhide compose.
At first, I am sorry for being too convincing when we discussed this issue with @sfeifer and I pointed @sfeifer to a wrong direction. Thanks @natoscott for reviewing this, which forced me to do a proper investigation of the issue.
I was not able to find exactly what has changed either in PCP or in Fedora system and why we have not seen this issue before. However the root cause is in /usr/bin/pmiectl resp. /usr/bin/pmlogctl which is triggered by pmie_check.service resp. by pmlogger_check.service. These two scripts are in fact just one script being hard-linked to two scripts. The script at the beginning identifies itself if it was started as pmiectl or as pmlogctl and then it is taking care of pmie or pmlogger respectively.
This is OK, however selinux is not happy about this as to manage pmie the script needs to be running in pmie context while to manage pmlogger it needs pmlogger context. This command shows the issue, where we can see that even pmiectl is having pmlogger context:
# ll -iZ /usr/bin/pm*ctl
183108 -rwxr-xr-x. 2 root root system_u:object_r:pcp_pmlogger_exec_t:s0 53600 Nov 6 07:38 /usr/bin/pmiectl
183108 -rwxr-xr-x. 2 root root system_u:object_r:pcp_pmlogger_exec_t:s0 53600 Nov 6 07:38 /usr/bin/pmlogctl
As a workaround we can split the hard-link and set the proper security context to /usr/bin/pmiectl
# cp /usr/bin/pmiectl /usr/bin/pmiectl.x; rm /usr/bin/pmiectl; mv /usr/bin/pmiectl.x /usr/bin/pmiectl
# chcon -u system_u -r object_r -t pcp_pmie_exec_t /usr/bin/pmiectl
# ll -iZ /usr/bin/pm*ctl
145455 -rwxr-xr-x. 1 root root system_u:object_r:pcp_pmie_exec_t:s0 53600 Nov 6 11:57 /usr/bin/pmiectl
183108 -rwxr-xr-x. 1 root root system_u:object_r:pcp_pmlogger_exec_t:s0 53600 Nov 6 07:38 /usr/bin/pmlogctl
This fixes the issue and no AVC is triggered by those "*_check" services then.
I like the concept of sharing one script for two different purposes, however I do not know how to set the proper security context then. Having two identical scripts with different security contexts (as the workaround) does not seem to be very elegant. Any thoughts on how to solve this in a better way?
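As an added example (not code from PCP or from this PR), a POSIX shell check for the condition described above: two control scripts that are hard links of one inode cannot carry different SELinux file types, so whichever type the inode holds is the one both commands execute under. The function names (inode_of, same_inode, selinux_type, split_hardlink, label_independent, demo) and the temp-directory fixture are assumptions of the example; split_hardlink mirrors the cp/rm/mv workaround shown in the comment.

```shell
#!/bin/sh
# Added example, not PCP code: detect control scripts that are hard links of
# one inode (and therefore cannot be labeled with different SELinux types),
# and split such a pair the way the workaround in the thread does.
# All function names and the temp-directory fixture are assumptions.

# Inode number of a path; POSIX "ls -di" prints "<inode> <path>".
inode_of() {
    ls -di -- "$1" | awk '{print $1}'
}

# Succeeds (0) when both paths are links to the same inode.
same_inode() {
    [ "$(inode_of "$1")" = "$(inode_of "$2")" ]
}

# SELinux type of a path from GNU "ls -Z" (user:role:type:level), or
# "unlabeled" when the tree carries no contexts (tmpfs, non-SELinux host).
selinux_type() {
    ctx=$(ls -dZ -- "$1" 2>/dev/null | awk '{print $1}')
    case "$ctx" in
        *:*:*:*) printf '%s\n' "$ctx" | cut -d: -f3 ;;
        *) echo unlabeled ;;
    esac
}

# Give $1 its own inode: copy beside it (preserving mode), drop the link,
# move the copy into place. The other link keeps the original inode and label.
split_hardlink() {
    tmp="$1.split.$$"
    cp -p -- "$1" "$tmp" && rm -f -- "$1" && mv -- "$tmp" "$1"
}

# Returns 0 when the two scripts can be labeled independently, 1 when they
# share an inode and so must carry the same type.
label_independent() {
    if same_inode "$1" "$2"; then
        echo "shared inode $(inode_of "$1"): $1 and $2 both carry $(selinux_type "$1")"
        return 1
    fi
    echo "separate inodes: $1 ($(selinux_type "$1")), $2 ($(selinux_type "$2"))"
    return 0
}

# Constructed fixture: one script installed under two names by hard link,
# as rpm now does by default on Fedora. Returns 0 if the split restores
# independent labeling.
demo() {
    d=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho "started as $0"\n' > "$d/pmlogctl"
    chmod 755 "$d/pmlogctl"
    ln "$d/pmlogctl" "$d/pmiectl"
    if label_independent "$d/pmiectl" "$d/pmlogctl"; then
        rm -rf "$d"; return 1            # a linked pair must be flagged
    fi
    split_hardlink "$d/pmiectl"
    if label_independent "$d/pmiectl" "$d/pmlogctl"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

case "${1:-}" in --demo) demo ;; esac
```

On a host with SELinux, `label_independent /usr/bin/pmiectl /usr/bin/pmlogctl` shows whether the packaged scripts still share an inode; on a tree without labels selinux_type reports `unlabeled`. A split copy still needs its context set afterwards (chcon as in the comment, or restorecon once the file context specification names pmiectl), which the script deliberately leaves to the administrator.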
@kurik I believe your analysis is correct. This commit from last year should tackle the issue for pmiectl + pmlogctl, but looks like it's not in whatever version you have there?
I am using the latest build of PCP (
I guess I found the real root cause. When I download RPMs manually (from koji) and install these manually using However when I install PCP rpms using It seems like
I was pointed to https://fedoraproject.org/wiki/Changes/Hardlink_identical_files_in_packages_by_default which was implemented approx. a month ago. That is the root cause. Reported regression in Fedora Rawhide: https://bugzilla.redhat.com/show_bug.cgi?id=2413314
From the https://bugzilla.redhat.com/show_bug.cgi?id=2413314 What do you think about it guys?
A third option would be to split pmlogctl into a shared script with common code, and two separate front-end scripts. This would remove all special-handling here (incl. the little comment I added to the makefile when removing the symlink). I think that would fix this permanently and without the (slight) fragility of the other approaches.
Split these tools into two with common code in /usr/share/pcp so that we can solve this selinux policy problem permanently (prior to this we had a symlink, then two copies of the same script but these strategies were problematic with selinux and rpm hardlinks becoming default). Replaces: performancecopilot#2404
Resolved by #2405
This PR adds a rule to pcp.te to fix an observed AVC denied message while testing.