View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000078 | Rocky-Linux-8 | General | public | 2021-08-28 01:34 | 2022-05-16 06:36 |
Reporter | randolph | Assigned To | Neil Hanlon | ||
Priority | normal | Severity | minor | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Fixed in Version | 8.6 | ||||
Summary | 0000078: Official AMI contains incorrect SELinux security context for network config scripts | ||||

Description:

The Rocky Linux 8 (Official) AMI image contains an issue with the SELinux contexts:

```
[ansible@ord1-prod-secparse001 network-scripts]$ ls -laZ
total 16
drwxr-xr-x. 2 root root system_u:object_r:net_conf_t:s0    78 Jul 16 23:41 .
drwxr-xr-x. 5 root root system_u:object_r:etc_t:s0       4096 Jul 17 01:00 ..
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0  197 Jul 16 23:41 ifcfg-eth0
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0   284 Jul 16 22:41 vmimport.ifcfg-ens3
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0   126 Jul 16 22:42 vmimport.ifcfg-eth0
[ansible@ord1-prod-secparse001 network-scripts]$
```

ifcfg-eth0 in this case has the unlabeled_t context, when it should have a net_conf_t context. As a result, NetworkManager cannot modify this file without being blocked by SELinux. Restorecon resolves the situation.

The vmimport.ifcfg-* files may also be unnecessary to include, but are present in the CentOS 8 AMI (not the RHEL 8 one, however).

Tags: No tags attached.
Adding my reddit post here, confirming what was found by Randolph Meyers.

I spun up ami-086586d173a744e81 in us-east-2. Immediately after launching I ran `ausearch -m avc` to see if all was well in SELinux land. Saw this repeating:

```
type=SYSCALL msg=audit(1624236431.107:19): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5564117bcfc0 a2=0 a3=0 items=0 ppid=1 pid=798 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chrony-helper" exe="/usr/bin/bash" subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(1624236431.107:19): avc: denied { read } for pid=798 comm="chrony-helper" name="network" dev="xvda1" ino=758181 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
```

The root cause is a mislabelled /etc/sysconfig/network; it is unlabeled_t when it should be etc_t.

So I went hunting for some more. This is not a full list (it's close), but they are the ones I do not think require much thought or debate.

```
## In the format of: From: To: ##
system_u:object_r:unlabeled_t:s0        394 Jun 21 00:46 /etc/fstab
system_u:object_r:etc_t:s0              427 Jun  2 06:05 /etc/fstab

system_u:object_r:unlabeled_t:s0        372 Jun 21 00:46 /etc/default/grub
system_u:object_r:bootloader_etc_t:s0   357 Jun  2 06:09 /etc/default/grub

system_u:object_r:unlabeled_t:s0        197 Jun 21 00:46 /etc/sysconfig/network-scripts/ifcfg-eth0
system_u:object_r:net_conf_t:s0         159 Nov  2 04:11 /etc/sysconfig/network-scripts/ifcfg-eth0

system_u:object_r:unlabeled_t:s0         66 Jun 21 00:46 /etc/sysconfig/network
system_u:object_r:etc_t:s0              102 Nov  2 04:11 /etc/sysconfig/network

system_u:object_r:unlabeled_t:s0        665 Jun 21 00:46 /etc/rc.d/rc.local.vmimport
system_u:object_r:initrc_exec_t:s0      665 Jun 21 00:46 rc.local.vmimport

system_u:object_r:unlabeled_t:s0          0 Jun 21 00:46 /etc/cloud/cloud.cfg.d/vmimport.99-disable-network-config.cfg
system_u:object_r:etc_t:s0                0 Jun 21 00:46 /etc/cloud/cloud.cfg.d/vmimport.99-disable-network-config.cfg

system_u:object_r:unlabeled_t:s0         80 Jun 21 00:46 /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
system_u:object_r:etc_t:s0               80 Jun 21 00:46 /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg

system_u:object_r:unlabeled_t:s0       6490 Jun 21 00:46 /boot/grub2/grub.cfg-bkup
system_u:object_r:boot_t:s0            6490 Jun 21 00:46 /boot/grub2/grub.cfg-bkup
```
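As an added example (not part of this issue or of Rocky Linux's image tooling), the shell helper below applies the checks both posts describe: it picks out unlabeled_t entries from `ls -laZ` output and unlabeled_t targets from `ausearch -m avc` records, then emits the restorecon calls that resolve them. The function names and sample data are constructed here; the listing and AVC record are modelled on the ones quoted above.

```shell
#!/bin/sh
# Hypothetical helper: find unlabeled_t objects in `ls -laZ` output and in
# `ausearch -m avc` records, and emit the restorecon calls that fix them.

# Constructed sample, modelled on the listing in the report (field 5 is the
# SELinux context, the last field the path).
SAMPLE_LISTING='-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 197 Jul 16 23:41 /etc/sysconfig/network-scripts/ifcfg-eth0
-rw-r--r--. 1 root root system_u:object_r:net_conf_t:s0 284 Jul 16 22:41 /etc/sysconfig/network-scripts/vmimport.ifcfg-ens3
-rw-r--r--. 1 root root system_u:object_r:unlabeled_t:s0 66 Jun 21 00:46 /etc/sysconfig/network
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 394 Jun 21 00:46 /etc/fstab'

# Constructed AVC record in the shape quoted in the note above.
SAMPLE_AVC='type=AVC msg=audit(1624236431.107:19): avc: denied { read } for pid=798 comm="chrony-helper" name="network" dev="xvda1" ino=758181 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0'

# Print the path of every listing entry whose SELinux type is unlabeled_t.
unlabeled_paths() {
    awk '$5 ~ /:unlabeled_t:/ { print $NF }'
}

# For each AVC denial whose target is unlabeled_t, print
# "<source domain> <process> <object name>" so the blocked service is obvious.
avc_unlabeled_denials() {
    grep 'tcontext=[^ ]*:unlabeled_t:' |
        sed -n 's/.*comm="\([^"]*\)".*name="\([^"]*\)".*scontext=\([^ ]*\).*/\3 \1 \2/p'
}

# Turn the unlabeled paths into restorecon invocations; restorecon -v re-applies
# the context the loaded policy expects and reports each change it makes.
relabel_commands() {
    unlabeled_paths | sed 's/^/restorecon -v /'
}

# Demo on the constructed samples. On a real host feed it live data instead:
#   ls -laZ /etc/fstab /etc/sysconfig/network /etc/default/grub | relabel_commands
#   ausearch -m avc | avc_unlabeled_denials
printf '%s\n' "$SAMPLE_LISTING" | relabel_commands
printf '%s\n' "$SAMPLE_AVC" | avc_unlabeled_denials
```

Add `-n` to the emitted restorecon calls to preview the relabel without changing anything.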
Fixed in 8.6

Date Modified | Username | Field | Change |
---|---|---|---|
2022-05-16 06:35 | Neil Hanlon | Note Added: 0000168 | |
2022-05-16 06:36 | Neil Hanlon | Status | assigned => resolved |
2022-05-16 06:36 | Neil Hanlon | Resolution | open => fixed |
2022-05-16 06:36 | Neil Hanlon | Fixed in Version | => 8.6 |