6 Replies Latest reply on Feb 26, 2014 3:32 PM by Jeff Orndorff

    selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe

      I have been working with selinux on RHEL6 lately and have been trying to resolve file access denies observed in the audit log files.


      I am seeing multiple processes (such as iptables, sendmail, auditctl, hostname, postfix) attempting to access /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe.


      I am trying to figure out how to construct an selinux policy to permit this access, but I would like more information regarding their function and usage.  Has anyone else observed these deny messages when running selinux in enforcing mode?  Can someone give me more information regarding the nature of these files?


      Thanks.

        • 1. Re: selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe
          Bill Robinson

          Did you run the setsebool commands as part of the agent install ?  those should automatically take care of this.

          • 2. Re: selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe
            Bill Robinson

            i think the other option is to change the context to our libs to textrel_shlib_t instead of using the setsebool.


            i'm not sure about the pipes though - what denials are you getting ?

            • 3. Re: Re: selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe

              I did have allow_execmod and allow_execstack set.


              Examples of denials:

              type=AVC msg=audit(1392038419.637:28425): avc:  denied  { read append } for  pid=26077 comm="iptables" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file

              type=AVC msg=audit(1392038956.237:28428): avc:  denied  { read append } for  pid=26132 comm="auditctl" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file

              type=AVC msg=audit(1393253516.834:43768): avc:  denied  { read append } for  pid=14015 comm="restorecon" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file

              type=AVC msg=audit(1393257442.185:43824): avc:  denied  { read append } for  pid=14679 comm="sendmail" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file

              type=AVC msg=audit(1393257752.645:43915): avc:  denied  { read append } for  pid=18301 comm="postalias" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file

              type=AVC msg=audit(1393257940.615:43920): avc:  denied  { read append } for  pid=18431 comm="sendmail" path="/etc/rsc/keystroke.pipe" dev=dm-0 ino=5658 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file


              Some additional information:

              [root@servername ~]# sestatus

              SELinux status:                 enabled

              SELinuxfs mount:                /selinux

              Current mode:                   enforcing

              Mode from config file:          enforcing

              Policy version:                 24

              Policy from config file:        targeted


              [root@servername ~]# ls -lZ /opt/bmc/bladelogic/NSH/bin

              r-xr-x. root root system_u:object_r:usr_t:s0       actl

              r-xr-x. root root system_u:object_r:usr_t:s0       bl_gen_rand

              r-xr-x. root root system_u:object_r:usr_t:s0       blquery

              r-xr-x. root root system_u:object_r:usr_t:s0       bl_ssl_agent

              r-xr-x. root root system_u:object_r:rpm_exec_t:s0  blyum

              r-xr-x. root root system_u:object_r:usr_t:s0       cabextract

              r-xr-x. root root system_u:object_r:usr_t:s0       daalinfo

              -r-sr-xr-x. root root system_u:object_r:usr_t:s0       lsof

              r-xr-x. root root system_u:object_r:usr_t:s0       nshopt

              r-xr-x. root root system_u:object_r:usr_t:s0       openssl

              rwxrwx. root root system_u:object_r:usr_t:s0       rscd -> rscd_full

              r-xr-x. root root system_u:object_r:usr_t:s0       rscd_full

              r-xr-x. root root system_u:object_r:usr_t:s0       update


              [root@servername ~]# ls -lZ /opt/bmc/bladelogic/NSH/lib

              rwxrwx. root root system_u:object_r:usr_t:s0       libagentrpc.so -> libagentrpc.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libagentrpc.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libbladmin.so -> libbladmin.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libbladmin.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libBLCfgParser.so -> libBLCfgParser.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libBLCfgParser.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libblcrypto.so -> libblcrypto.so.0.9.8

              r-xr-x. root root system_u:object_r:usr_t:s0       libblcrypto.so.0.9.8

              rwxrwx. root root system_u:object_r:usr_t:s0       libBLerrors.so -> libBLerrors.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libBLerrors.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libblinexclude.so -> libblinexclude.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libblinexclude.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libBlMessage.so -> libBlMessage.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libBlMessage.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libblsrp.so -> libblsrp.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libblsrp.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libblssl.so -> libblssl.so.0.9.8

              r-xr-x. root root system_u:object_r:usr_t:s0       libblssl.so.0.9.8

              rwxrwx. root root system_u:object_r:usr_t:s0       libblzlib.so -> libblzlib.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libblzlib.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libcommonutil.so -> libcommonutil.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libcommonutil.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libcurl.so.4

              rwxrwx. root root system_u:object_r:usr_t:s0       libdaalplugincontainer.so -> libdaalplugincontainer.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libdaalplugincontainer.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libdaalplugindaalmgt.so -> libdaalplugindaalmgt.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libdaalplugindaalmgt.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libdaalplugindda.so -> libdaalplugindda.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libdaalplugindda.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libhsreg.so -> libhsreg.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libhsreg.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libhswreg.so -> libhswreg.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libhswreg.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libiconv.so -> libiconv.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libiconv.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       liblog4c.so -> liblog4c.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       liblog4c.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libnc.so -> libnc.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libnc.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       librpccommon.so -> librpccommon.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       librpccommon.so.1.0

              rwxrwx. root root system_u:object_r:usr_t:s0       libxmlrpc.so -> libxmlrpc.so.1.0

              r-xr-x. root root system_u:object_r:usr_t:s0       libxmlrpc.so.1.0


              • 4. Re: selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe
                Bill Robinson

                what context are the two pipe files in ?


                system_u:object_r:etc_t:s0 ?


                what does the selinux troubleshooter say about it ?

                • 5. Re: Re: selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe

                  Yes - both of the "pipe" files in that directory are etc_t.  I noticed all others in that directory are etc_runtime_t.


                  From setroubleshooter:


                  SELinux is preventing iptables (iptables_t) "read append" to /etc/rsc/rscd.pipe (etc_t).


                  I can reproduce the problem by doing a simple nsh command from a remote server "nexec target_server hostname".  The command appears to complete normally, so I do not understand the effect of the denial on the pipe files.

                  • 6. Re: selinux denies for /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe

                    I made a little progress with this today.


                    I see that the BL agent runs under the initrc_t domain.  This is fairly unrestricted.  Most common commands like cat, grep, and ls work without any error indications.  But some commands such as hostname and iptables have selinux transitions defined so they run in a more confined domain.  Those more confined domains do not have access to the fifo files, /etc/rsc/rscd.pipe and /etc/rsc/keystroke.pipe.


                    I think a workaround would be to have the rscd run in the unconfined domain.  I am testing by setting /etc/init.d/rscd to the type unconfined_exec_t.


                    Suggestions welcome.
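The narrower alternative to the unconfined_exec_t workaround in reply #6 is a small policy module that grants only the denied permissions from the AVC records in reply #3. The script below is an added example, not code from the thread or from BMC: it parses AVC lines the way audit2allow does, merges permissions per (source domain, target type, class) and renders a Type Enforcement module. The module name rscd_pipes and the three sample records (copied from reply #3) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: three of the AVC records quoted in reply #3.
SAMPLE_AVC = """\
type=AVC msg=audit(1392038419.637:28425): avc:  denied  { read append } for  pid=26077 comm="iptables" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file
type=AVC msg=audit(1392038956.237:28428): avc:  denied  { read append } for  pid=26132 comm="auditctl" path="/etc/rsc/rscd.pipe" dev=dm-0 ino=5657 scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file
type=AVC msg=audit(1393257940.615:43920): avc:  denied  { read append } for  pid=18431 comm="sendmail" path="/etc/rsc/keystroke.pipe" dev=dm-0 ino=5658 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=fifo_file
"""

# One AVC "denied" record: permissions, source domain, target type and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)'
)

def parse_avc(text):
    """Return one (sdom, ttype, tclass, perms) tuple per denied AVC line."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((m['sdom'], m['ttype'], m['tclass'], frozenset(m['perms'].split())))
    return out

def collect_rules(records):
    """Merge permissions per (source domain, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for sdom, ttype, tclass, perms in records:
        rules[(sdom, ttype, tclass)] |= perms
    return rules

def render_te(rules, module="rscd_pipes"):
    """Render a Type Enforcement module: require block plus one allow rule per key."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in types]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        # Each rule covers EVERY fifo labelled ttype (here etc_t), not just the two agent
        # pipes; labelling the pipes with a dedicated type and allowing that is tighter.
        lines.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

The rendered text is a standard .te source that can be built and loaded with checkmodule, semodule_package and semodule; because the allow rules target etc_t, the denials stop only while the pipes keep that label.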