Details
- Bug
- Status: Done
- Medium
- Resolution: Fixed
- 8.0.25-15 (Q2 2021)
Description
The default value of the `procfs_files_spec` global variable contains the entries `/proc/irq//` and `/proc/sys/fs/file-nr`, which SELinux's AVC denies access to by default. As a result, the ProcFS plugin can neither list these files nor read their content. These are the audit records written to `/var/log/audit/audit.log` on CentOS 8 when a user with the `ACCESS_PROCFS` permission runs `SELECT FILE FROM INFORMATION_SCHEMA.PROCFS` with the default value of `procfs_files_spec`:
```
type=AVC msg=audit(1625473620.878:1030): avc: denied { read } for pid=8544 comm="mysqld" name="irq" dev="proc" ino=4026531861 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1625473620.878:1030): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f33f417dee0 a2=90800 a3=0 items=0 ppid=1 pid=8544 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/sbin/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="mysql" GID="mysql" EUID="mysql" SUID="mysql" FSUID="mysql" EGID="mysql" SGID="mysql" FSGID="mysql"
type=PROCTITLE msg=audit(1625473620.878:1030): proctitle="/usr/sbin/mysqld"
type=AVC msg=audit(1625473620.878:1031): avc: denied { read } for pid=8544 comm="mysqld" name="file-nr" dev="proc" ino=27444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1625473620.878:1031): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f338800f700 a2=0 a3=0 items=0 ppid=1 pid=8544 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mysqld" exe="/usr/sbin/mysqld" subj=system_u:system_r:mysqld_t:s0 key=(null) ARCH=x86_64 SYSCALL=openat AUID="unset" UID="mysql" GID="mysql" EUID="mysql" SUID="mysql" FSUID="mysql" EGID="mysql" SGID="mysql" FSGID="mysql"
type=PROCTITLE msg=audit(1625473620.878:1031): proctitle="/usr/sbin/mysqld"
```
In the query output, both `/proc/sys/fs/file-nr` and all entries under `/proc/irq/` are missing. After running `setenforce 0` to switch SELinux to permissive mode, the query output includes `/proc/sys/fs/file-nr`, but entries under `/proc/irq` still do not appear, due to PS-7788.
Strictly speaking, this is not a bug in ProcFS, but we may want to adjust the SELinux/AppArmor profiles so that access to these files is granted, remove them from the default list, and/or mention in the docs that security tooling can interfere with the ProcFS plugin's expected behaviour.
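As an added example (not part of this report or of Percona Server), a small Python parser that pulls the `avc: denied` records out of audit.log text like the excerpt above, separates enforcing-mode denials from permissive-mode ones, and maps them back to the `procfs_files_spec` entries they block. The log lines and the spec string are constructed samples: the spec is an assumed subset in the variable's semicolon-separated glob form, not its exact default.

```python
import re
from collections import defaultdict
# Constructed sample shaped like the report's audit.log excerpt (abridged): two enforcing
# denials for mysqld, an unrelated SYSCALL record, and one permissive-mode denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1625473620.878:1030): avc:  denied  { read } for  pid=8544 comm="mysqld" name="irq" dev="proc" ino=4026531861 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:sysctl_irq_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1625473620.878:1030): arch=c000003e syscall=257 success=no exit=-13 comm="mysqld" exe="/usr/sbin/mysqld"
type=AVC msg=audit(1625473620.878:1031): avc:  denied  { read } for  pid=8544 comm="mysqld" name="file-nr" dev="proc" ino=27444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1625473699.001:1040): avc:  denied  { read } for  pid=8544 comm="mysqld" name="file-nr" dev="proc" ino=27444 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1
"""
# Constructed subset in the semicolon-separated glob form of procfs_files_spec (assumed, not the exact default).
SAMPLE_PROCFS_FILES_SPEC = "/proc/cpuinfo;/proc/irq/*/*;/proc/loadavg;/proc/sys/fs/file-nr"
AVC_RE = re.compile(
    r'type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'(?:.*?\bname="(?P<name>[^"]*)")?'        # name= is absent for some object classes
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def parse_avc_denials(log_text):
    """Return one dict per 'avc: denied' record; other audit record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("decision") != "denied":
            continue
        rec = m.groupdict()
        rec["perms"] = tuple(rec["perms"].split())    # e.g. ('read',)
        rec["permissive"] = rec["permissive"] == "1"  # 1 = logged only, access still allowed
        denials.append(rec)
    return denials

def blocked_procfs_entries(denials, spec, comm="mysqld"):
    """Map each spec entry to the SELinux target types that blocked it in enforcing mode.
    An entry is blocked when one of its path components equals a denied object 'name'."""
    blocked_names = defaultdict(set)
    for d in denials:
        if d["comm"] == comm and not d["permissive"] and d["name"]:
            blocked_names[d["name"]].add(d["tcontext"].split(":")[2])  # e.g. sysctl_irq_t
    result = {}
    for entry in spec.split(";"):
        hits = set()
        for component in entry.strip("/").split("/"):
            hits |= blocked_names.get(component, set())
        if hits:
            result[entry] = sorted(hits)
    return result
```

Feeding the real `/var/log/audit/audit.log` contents to `parse_avc_denials` shows which spec entries are still denied after a profile change, and the permissive-mode records explain why `setenforce 0` makes `/proc/sys/fs/file-nr` reappear without changing policy.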
Issue Links
- relates to PS-7182: Create functionality to expose defined data from procfs for agentless environment (Done)