SELinux denial for rhsmcertd

Problem:
I have noticed on some of our servers that there are SELinux AVCs for rhsmcertd_t caused by rhsmcertd every four hours. It’s not clear to me why some show this and some don’t, as most servers are configured the same way.

audit2allow says this is missing:

#============= rhsmcertd_t ==============
allow rhsmcertd_t user_tmp_t:dir { add_name create read remove_name rmdir };
allow rhsmcertd_t user_tmp_t:file { create open setattr unlink };

I know rhsmcertd is part of subscription-manager, but as content is all managed by Katello, I thought I’d try here first.

Expected outcome:
No denials.

Foreman and Proxy versions:
katello-4.12.1-1.el8.noarch
foreman-3.10.0-1.el8.noarch

Distribution and version:
AlmaLinux 9.4

Other relevant data:
Here is the latest event from auditlog:

time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.337:715474): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=PATH msg=audit(1721199705.337:715474): item=1 name=(null) inode=152068909 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1721199705.337:715474): item=0 name=(null) inode=4194433 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1721199705.337:715474): cwd="/"
type=SYSCALL msg=audit(1721199705.337:715474): arch=c000003e syscall=83 success=yes exit=0 a0=7ffdd90a5170 a1=1c0 a2=ba71a4f a3=7ffdd917d080 items=2 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.337:715474): avc:  denied  { create } for  pid=1915939 comm="rhsmcertd-worke" name="libdnf.AJ4yG2" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.337:715475): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=PATH msg=audit(1721199705.337:715475): item=1 name=(null) inode=155199320 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1721199705.337:715475): item=0 name=(null) inode=152068909 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1721199705.337:715475): cwd="/"
type=SYSCALL msg=audit(1721199705.337:715475): arch=c000003e syscall=83 success=yes exit=0 a0=55fa15f45430 a1=1fd a2=0 a3=7f5117bb13e0 items=2 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.337:715475): avc:  denied  { add_name } for  pid=1915939 comm="rhsmcertd-worke" name="repodata" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.337:715476): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=PATH msg=audit(1721199705.337:715476): item=3 name=(null) inode=156556090 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1721199705.337:715476): item=2 name=(null) inode=155199320 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1721199705.337:715476): item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1721199705.337:715476): item=0 name=(null) inode=155199320 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1721199705.337:715476): cwd="/"
type=SYSCALL msg=audit(1721199705.337:715476): arch=c000003e syscall=257 success=yes exit=8 a0=ffffff9c a1=55fa15f453f0 a2=242 a3=1b6 items=4 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.337:715476): avc:  denied  { open } for  pid=1915939 comm="rhsmcertd-worke" path="/tmp/libdnf.AJ4yG2/repodata/repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721199705.337:715476): avc:  denied  { create } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.338:715477): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1721199705.338:715477): arch=c000003e syscall=190 success=yes exit=0 a0=b a1=7f5115aad120 a2=7f5115ab04e7 a3=1 items=0 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.338:715477): avc:  denied  { setattr } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.366:715478): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1721199705.366:715478): arch=c000003e syscall=257 success=yes exit=8 a0=ffffff9c a1=7ffdd90a5170 a2=90800 a3=0 items=0 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.366:715478): avc:  denied  { read } for  pid=1915939 comm="rhsmcertd-worke" name="libdnf.AJ4yG2" dev="dm-0" ino=152068909 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.367:715479): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1721199705.367:715479): arch=c000003e syscall=87 success=yes exit=0 a0=55fa15af4e40 a1=0 a2=0 a3=7f5117bb13e0 items=0 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.367:715479): avc:  denied  { unlink } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721199705.367:715479): avc:  denied  { remove_name } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
----
time->Wed Jul 17 09:01:45 2024
type=PROCTITLE msg=audit(1721199705.367:715480): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1721199705.367:715480): arch=c000003e syscall=84 success=yes exit=0 a0=55fa15fa1c90 a1=55fa1527c010 a2=55ff4a523ce6 a3=7f5117bb13e0 items=0 ppid=951 pid=1915939 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python3.9" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1721199705.367:715480): avc:  denied  { rmdir } for  pid=1915939 comm="rhsmcertd-worke" name="repodata" dev="dm-0" ino=155199320 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
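For triaging a burst like the one above without leaving the shell, the small parser below (an added example, not part of the original post or of any Foreman/Katello tooling) reads the AVC records, groups the denied permissions by source type, target type and object class the way audit2allow does, and separately counts how many records carry `permissive=1`, i.e. were logged but not actually blocked. The embedded sample is the set of AVC lines copied from the log in the post above; the regular expression and the grouping are my own and assume the standard `type=AVC ... avc: denied { perms } ... scontext= tcontext= tclass= permissive=` layout.

```python
import re
from collections import defaultdict

# AVC records copied from the audit log quoted in the post above. The PROCTITLE,
# PATH, CWD and SYSCALL records are omitted: only the AVC line carries the denied
# permission, the two contexts and the permissive flag.
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1721199705.337:715474): avc:  denied  { create } for  pid=1915939 comm="rhsmcertd-worke" name="libdnf.AJ4yG2" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1721199705.337:715475): avc:  denied  { add_name } for  pid=1915939 comm="rhsmcertd-worke" name="repodata" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1721199705.337:715476): avc:  denied  { open } for  pid=1915939 comm="rhsmcertd-worke" path="/tmp/libdnf.AJ4yG2/repodata/repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721199705.337:715476): avc:  denied  { create } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721199705.338:715477): avc:  denied  { setattr } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721199705.366:715478): avc:  denied  { read } for  pid=1915939 comm="rhsmcertd-worke" name="libdnf.AJ4yG2" dev="dm-0" ino=152068909 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1721199705.367:715479): avc:  denied  { unlink } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721199705.367:715479): avc:  denied  { remove_name } for  pid=1915939 comm="rhsmcertd-worke" name="repomd.xml" dev="dm-0" ino=156556090 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1721199705.367:715480): avc:  denied  { rmdir } for  pid=1915939 comm="rhsmcertd-worke" name="repodata" dev="dm-0" ino=155199320 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
"""

# Assumed record layout (matches the kernel's AVC audit format as shown above).
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "source": selinux_type(m.group("scontext")),
        "target": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but allowed to proceed.
        "permissive": m.group("permissive") == "1",
    }


def summarize(text):
    """Group denied permissions by (source type, target type, class) and count
    how many denials were enforced versus only logged in permissive mode."""
    perms = defaultdict(set)
    enforced = unenforced = 0
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        perms[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
        if rec["permissive"]:
            unenforced += 1
        else:
            enforced += 1
    return perms, enforced, unenforced


def allow_rules(perms):
    """Render the grouped permissions as audit2allow-style allow rules."""
    rules = []
    for src, tgt, cls in sorted(perms):
        joined = " ".join(sorted(perms[(src, tgt, cls)]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {joined} }};")
    return rules


if __name__ == "__main__":
    grouped, enforced, unenforced = summarize(SAMPLE_AVC_LINES)
    for rule in allow_rules(grouped):
        print(rule)
    print(f"{enforced} denial(s) enforced, {unenforced} logged in permissive mode only")
```

Run against the sample it reproduces the two allow rules audit2allow printed in the post, and reports that all nine records were permissive-only, which is the first thing to check before treating such a burst as a real access failure: a rule set generated from permissive-mode records describes what the process would have done, not what the policy actually stopped.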

Hi @gvde ,

I found a very similar issue here: rhsmcertd-worker AVC accessing /usr/sbin/kpatch - Red Hat Customer Portal

In case you can’t access it, the resolution is to upgrade to selinux-policy-3.14.3-67.el8.

Here’s the erratum: https://access.redhat.com/errata/RHBA-2021:1639

Hi @iballou

that issue is a different one and quite old. The client I have posted about is actually running AlmaLinux 9.

It creates a directory like /tmp/libdnf.AJ4yG2/ and stores files like /tmp/libdnf.AJ4yG2/repodata/repomd.xml. However, the SELinux policy doesn’t allow access to /tmp/. That’s why it’s logged. It’s currently in permissive.

I don’t understand why it’s writing it there on that particular server while it doesn’t do that on others. The base os is the same on all of them…

Oops, I saw the June updated date and got hopeful.


I think I may have found the Jira tracking this: https://issues.redhat.com/browse/RHEL-11250

Looks like it was fixed in selinux-policy-38.1.33-1.el9

I discovered the Jira label in the changelog here: https://almalinux.pkgs.org/9/almalinux-baseos-x86_64/selinux-policy-sandbox-38.1.35-2.el9_4.2.noarch.rpm.html

38.1.35 is already running there. The AVCs in the RHEL-11250 look different from those I see, thus I doubt it’s directly related.

O.K. I think I found out when it happens. I have a RHEL 9.4 minimal test installation running. No AVCs. Then I have set it to permissive mode. During the next certificate update (checked in /var/log/rhsm/rhsmcertd.log) the AVCs appear.

In other words: it seems the rhsmcertd-worker checks if it can create a directory in /tmp. If not, it puts it someplace. If it can, it puts it into /tmp. Either that “check” is intelligent enough to avoid an AVC or that specific AVC is in a dontaudit rule. I’ll see what I can find out.

Either way: it seems that as long as it’s in enforcing mode there won’t be those AVCs. Quite unexpected for me…

So after further testing and disabling dontaudit, it really seems that rhsmcertd checks something to find out if it can access /tmp or not. It tries to read /etc/selinux/config. I wasn’t able to find it in the source code.

Anyway: the AVCs are no problem. They only happen when it’s in permissive mode…

I’m surprised too, I wouldn’t imagine seeing more denial issues when bumping down to permissive mode.

Well, not quite. You’ll always see more denials in permissive mode, because denials are only logged but not actually denied.

It’s unusual that you see no denials in enforcing mode while you see some in permissive mode. Usually, you’ll see at least the first denial from permissive mode in enforcing mode, too. But as it actually fails in enforcing mode, nothing else may be logged because control flow doesn’t get there.

But in this case, there are other denials by dontaudit rules which already change the control flow so that it doesn’t even try to create that directory in /tmp thus avoiding denials in audit logs…

So it is mostly a nuisance as it “taints” the audit logs with irrelevant denials while you are running a server in permissive mode to capture any potential selinux issues…