PAMSC does not start with server reboot on redhat 8.3

book

Article ID: 211651

calendar_today

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

After installing the  version of pamsc compatible with linux redhat 8.3, once selinux is enabled in Enforcing mode, the product does not start automatically on booting the server. But it does start by loading is manually by means of seload

 

 

Cause

Running the following commands to capture the rlelevant information

cp  /dev/null   /var/log/audit/audit.log 

reboot

The contents of audit.log show the following

type=AVC msg=audit(1616667523.444:28): avc:  denied  { module_load } for  pid=1978 comm="insmod" path="/opt/CA/PAMSC/bin/SEOS_syscall.80-4180-240-RHELX86_64.MP.ko" dev="dm-2" ino=131615 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=system permissive=0
type=AVC msg=audit(1616667564.830:35): avc:  denied  { unix_read } for  pid=2192 comm="(systemd)" key=101557112  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=shm permissive=0

The above two lines reveal that insmod has tried to load the kernel module but that this action has been prevented by SELinux due to its security context.

ls -Z /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-240-RHELX86_64.MP.ko --> system_u:object_r:bin_t:s0 /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-240-RHELX86_64.MP.ko

In Redhat 8.3 SELinux has been updated to include security policies restricting some operations that may directly affect loading kernel modules. In particular the bin_t security label will not allow a module to be loaded via insmod at boot time. Only modules in /lib/modules/`uname -r` can be uploaded according to policy. 

 

Environment

CA PAM SC 14.X, CA PIM 12.8, 12.9 and 14.X Linux on Redhat 8.3

 

Resolution

SE is working on a permanent fix, but one simple workaround is to check the context for one of the kernel modules which the system loads at boot time, for instance

ls -lZ /usr/lib/modules/4.18.0-147.3.1.el8_1.x86_64/kernel/fs/lockd/lockd.ko.xz --> system_u:object_r:modules_object_t:s0 /usr/lib/modules/4.18.0-147.3.1.el8_1.x86_64/kernel/fs/lockd/lockd.ko.xz

and then use that module as a reference to set the security label for the module that needs to load at boot time

chcon --reference=/usr/lib/modules/4.18.0-147.3.1.el8_1.x86_64/kernel/fs/lockd/lockd.ko.xz  /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-147-RHELX86_64.MP.ko

After this command is run we should see the module is in the right security context

ls -lZ /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-147-RHELX86_64.MP.ko --> system_u:object_r:modules_object_t:s0 /opt/CA/PAMSC/bin/SEOS_syscall.80-4180-147-RHELX86_64.MP.ko

 

Additional Information

SE is working on a corrected package which will perform this same operation at boot time, so as to prevent this having to be done manually for every new installation