| Summary: | New OpenLMI-storage AVCs |
|---|---|
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Jan Safranek <jsafrane> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Milos Malik <mmalik> |
| Severity: | medium |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 7.0 |
| CC: | dlehman, jsafrane, mmalik |
| Target Milestone: | rc |
| Target Release: | --- |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | |
| Fixed In Version: | selinux-policy-3.12.1-109.el7 |
| Doc Type: | Bug Fix |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2014-06-13 09:44:34 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Attachments: | |
Adding David Lehman (Blivet author) to cc: to provide some info on why something is necessary (see @Dave below; please grep the attached avc.txt to see what file is being accessed).

Editing the audit2allow output, I added some comments on what is being rejected and whether it should be allowed. My doubts increase with the number of question marks.

```
#============= mdadm_t ==============
# ???: reading & writing /dev/mapper/control
# (it's lvm file, why is mdadm writing it?)
allow mdadm_t lvm_control_t:chr_file { read write };
# ???: mdadm wants to create /tmp/.tmp.md.23125:9:126
# why?
allow mdadm_t tmp_t:blk_file { read create unlink open };
# ALLOW: reading /dev/urandom, looks harmless
allow mdadm_t urandom_device_t:chr_file { read open };
#============= pegasus_openlmi_storage_t ==============
# ALLOW: probing of block devices
allow pegasus_openlmi_storage_t fixed_disk_device_t:blk_file { getattr open ioctl };
# ALLOW: create filesystems
allow pegasus_openlmi_storage_t fsadm_exec_t:file { read execute open execute_no_trans };
# ALLOW: device management
allow pegasus_openlmi_storage_t sysfs_t:file { write append };
# ALLOW: manipulate /etc/mdadm.conf
allow pegasus_openlmi_storage_t etc_t:dir { write remove_name add_name };
allow pegasus_openlmi_storage_t etc_t:file { write create unlink append };
# ALLOW?: looks harmless, but why is it needed?
# @Dave, any idea?
allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
# ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
# Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
# system is on /dev/vda*)
# @Dave, any idea?
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
# ALLOW?: probably system probing
allow pegasus_openlmi_storage_t self:capability sys_rawio;
allow pegasus_openlmi_storage_t udev_var_run_t:file { read getattr open };
# ??? what is it and why is blivet doing it ???
# @Dave, any idea?
allow pegasus_openlmi_storage_t kernel_t:system ipc_info;
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;
# do not allow? Blivet should probably use /var/run/blivet
allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };
# do not allow? This is creation of /var/lib/openlmi-storage directory, it should be in RPM
allow pegasus_openlmi_storage_t var_lib_t:dir create;
```
Note that this bug also applies to current rawhide.

I added some fixes to clean up this bug. Let's test it with the latest build which is coming today.

(In reply to Jan Safranek from comment #1)
> # ALLOW?: looks harmless, but why is it needed?
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
> allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

Could be related to selinux contexts. Blivet sets default selinux context when mounting a filesystem. Perhaps this should only be in installer mode?

> # ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
> # Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
> # @Dave, any idea?
> system is on /dev/vda*)
> allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };

You have to mount a btrfs subvolume before you can create a subvolume on it.

> # ALLOW?: probably system probing
> allow pegasus_openlmi_storage_t self:capability sys_rawio;
> allow pegasus_openlmi_storage_t udev_var_run_t:file { read getattr open };
>
> # ??? what is it and why is blivet doing it ???
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t kernel_t:system ipc_info;

What were you doing when you saw this? Something related to LUKS volumes?

> allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

Blivet loads kernel modules for filesystems as part of the format constructor. Maybe this should only happen in installer mode?

> # do not allow? Blivet should probably use /var/run/blivet
> allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
> allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

I'll look into this.

Could you re-run it with the latest policy build?

(In reply to David Lehman from comment #5)
> (In reply to Jan Safranek from comment #1)
> > # ALLOW?: looks harmless, but why is it needed?
> > # @Dave, any idea?
> > allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
> > allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
>
> Could be related to selinux contexts. Blivet sets default selinux context
> when mounting a filesystem. Perhaps this should only be in installer mode?
>
> > # ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
> > # Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
> > # @Dave, any idea?
> > system is on /dev/vda*)
> > allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
>
> You have to mount a btrfs subvolume before you can create a subvolume on it.

Well, I don't create subvolumes (yet), just mkfs.btrfs /dev/sdb1 and blivet.reset(). I guess it's related to bug #1015072.

> > allow pegasus_openlmi_storage_t modules_object_t:dir getattr;
>
> Blivet loads kernel modules for filesystems as part of the format
> constructor. Maybe this should only happen in installer mode?

Yes please. If a tool (mkfs, cryptsetup, mdadm, mount...) needs a kernel module, it should load it by itself. And SELinux policy should have proper transitions from pegasus_openlmi_storage_t.
Created attachment 809184 [details]
AVCs with selinux-policy-targeted-3.12.1-86.el7

With today's RHEL7 selinux-policy-targeted-3.12.1-86.el7.noarch I get:

```
#============= mdadm_t ==============
# DENY: this one is caused by blivet leaking file descriptor with opened
# /dev/mapper/control to mdadm (bug #1016467)
allow mdadm_t lvm_control_t:chr_file { read write };
#============= pegasus_openlmi_storage_t ==============
# DENY: Covered in bug #1015072
allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };
# DENY: fixed today in openlmi upstream
allow pegasus_openlmi_storage_t var_lib_t:file { read write getattr open };
# DENY: blivet should not load modules on its own
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;
# ALLOW: this comes from parted/pyparted, in strace I can see:
# 2590 write(2, "DEBUG:blivet: looking up parted "..., 49) = 49
# 2590 lstat("/dev", {st_mode=S_IFDIR|0755, st_size=3100, ...}) = 0
# 2590 lstat("/dev/vda", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 0), ...}) = 0
# 2590 semctl(0, 0, SEM_INFO, 0x7fffdb6dee30) = 0
# 2590 open("/etc/udev/udev.conf", O_RDONLY|O_CLOEXEC) = 3
# see StorageDevice.partedDevice()
# 'parted /dev/vda print' does the same.
allow pegasus_openlmi_storage_t kernel_t:system ipc_info;
# ALLOW?: These are discussed in previous comments, I think we should allow it.
# openlmi-storage can do *anything* to storage devices anyway.
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
allow pegasus_openlmi_storage_t fixed_disk_device_t:blk_file { getattr open ioctl };
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
```

Jan, it is really much easier to update the policy with your comments. Thanks.

Added to selinux-policy-3.12.1-91.el7

commit 5fdffd0fd3816fba7861614c32030d950ebcb699
Author: Miroslav Grepl <mgrepl>
Date: Wed Oct 16 10:52:24 2013 +0200

    Update openlmi-storage policy to reflect #1015067
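The mdadm_t denial above was traced to blivet passing an already-open /dev/mapper/control descriptor into the mdadm child (bug #1016467): the child runs in its own SELinux domain, so an inherited descriptor surfaces there as a denial on a file the child never opened. The following script is an added example, not code from blivet, the bug report or selinux-policy. It shows the check a spawner should run before handing control to a confined helper: list which descriptors are inheritable, then confirm from inside a child which ones survived exec. A temporary file stands in for /dev/mapper/control so it runs unprivileged on any POSIX system with Python 3.4 or later; the helper names are my own.

```python
"""Audit file descriptors for close-on-exec before spawning a helper.

Added example, not code from blivet or the bug report. Assumptions: a
POSIX system with Python 3.4+ (os.O_CLOEXEC, os.get_inheritable); a
temporary file stands in for /dev/mapper/control, which needs root.
"""
import os
import subprocess
import sys
import tempfile

# Child-side probe: report whether the given fd is open and refers to the
# expected inode, so an unrelated fd reusing the same number is not
# mistaken for the leaked one.
CHILD_PROBE = (
    "import os, sys\n"
    "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
    "try:\n"
    "    print('open' if os.fstat(fd).st_ino == ino else 'closed')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def open_cloexec(path, flags=os.O_RDWR):
    """Open with close-on-exec: the descriptor is dropped when a child execs."""
    return os.open(path, flags | os.O_CLOEXEC)


def open_leaky(path, flags=os.O_RDWR):
    """Open and mark the descriptor inheritable, reproducing the leak.

    Python 3.4+ makes os.open() descriptors non-inheritable by default, so
    the leak has to be requested explicitly here; C code that omits
    O_CLOEXEC gets this behaviour without asking for it.
    """
    fd = os.open(path, flags)
    os.set_inheritable(fd, True)
    return fd


def inheritable_fds(fds):
    """Return the descriptors a child spawned with close_fds=False would inherit."""
    return [fd for fd in fds if os.get_inheritable(fd)]


def child_sees_fd(fd, ino):
    """Spawn a child and ask it whether fd is still open on the same inode."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_PROBE, str(fd), str(ino)],
        close_fds=False,  # mimic a spawner that does not scrub descriptors
        capture_output=True, text=True, check=True)
    return proc.stdout.strip() == "open"


def audit_demo():
    """Open one file both ways; report what the parent and a child observe."""
    with tempfile.NamedTemporaryFile() as tmp:  # stand-in for /dev/mapper/control
        leaky = open_leaky(tmp.name)
        safe = open_cloexec(tmp.name)
        try:
            ino = os.fstat(leaky).st_ino
            return {
                # only the descriptor opened without O_CLOEXEC is inheritable
                "inheritable": inheritable_fds([leaky, safe]) == [leaky],
                "leaky_visible_in_child": child_sees_fd(leaky, ino),
                "safe_visible_in_child": child_sees_fd(safe, ino),
            }
        finally:
            os.close(leaky)
            os.close(safe)


if __name__ == "__main__":
    print(audit_demo())
```

Run as a script it prints the three results. `inheritable_fds` is the piece worth keeping in any code that spawns a confined helper: a descriptor that is still inheritable at that point is exactly what turns into an unexplained AVC in the child's domain, and the fix belongs in the parent (open with O_CLOEXEC, or spawn with close_fds=True), not in the SELinux policy.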
(In reply to Jan Safranek from comment #7)

Please open bugs for whatever you want to see changed in F20 or RHEL7 since everything is locked down now. Thanks.

Added labeling.

There are some new AVCs we've noticed during testing, see attachment.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-108.el7.noarch

audit2allow reports:

```
# ALLOW: blivet imports libiscsi.so, which checks for /run/lock/iscsi/lock, sets capabilities and higher stack size.
# Basically blivet can do anything that libiscsi.so can do and that's already tracked as iscsid_exec_t (/sbin/iscsiadm).
allow pegasus_openlmi_storage_t var_lock_t:dir search;
allow pegasus_openlmi_storage_t var_lock_t:lnk_file read;
allow pegasus_openlmi_storage_t iscsi_lock_t:dir { write remove_name search add_name };
allow pegasus_openlmi_storage_t iscsi_lock_t:file { read write unlink open link };
allow pegasus_openlmi_storage_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow pegasus_openlmi_storage_t self:process setrlimit;
allow pegasus_openlmi_storage_t self:capability { sys_resource ipc_lock };
# ALLOW: blivet imports libcryptsetup.so, which loads dm_crypt.ko.
# Similarly to previous paragraph, blivet can do anything that /sbin/cryptsetup can (lvm_exec_t).
allow pegasus_openlmi_storage_t kernel_t:system module_request;
# ALLOW: blivet has heuristics to determine if a filesystem is mountable. One of the techniques is to check for /usr/lib/modules/<fsname>.ko.
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;
# DENY: blivet reads SELinux context on /lost+found, blivet should not do it; bz#1038146.
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
# DENY: Blivet creates /tmp/XXXXXXX, which is bad; bz#1038205.
allow pegasus_openlmi_storage_t tmp_t:dir { write add_name };
allow pegasus_openlmi_storage_t tmp_t:file { write create open };
# DENY: already tracked above.
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
```

Created attachment 833064 [details]
OpenLMI storage AVCs with policy-targeted-3.12.1-108
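The triage in comment #1 and in the audit2allow output above is done by hand: each merged rule gets an ALLOW or DENY note depending on whether the denial is a policy gap or an application bug. The following script is an added example, not part of the bug report or of the selinux-policy project. It parses raw AVC records of the kind audit2allow consumes, merges them into allow rules grouped by source domain in the same layout audit2allow prints, and marks the rules this thread attributed to application bugs (the bug numbers are the ones cited in the comments) so they are not turned into policy by reflex. The audit records are constructed for the example; process names, pids and inodes in them are illustrative.

```python
"""Parse AVC denials into audit2allow-style rules and triage them.

Added example, not code from the bug report or from selinux-policy.
Assumptions: the input is raw audit.log text with 'avc:  denied' records
in the standard format; KNOWN_APP_BUGS encodes the decisions reached in
this thread (application bug, so no allow rule should be added).
"""
import re
from collections import defaultdict

# Constructed sample audit records mirroring the denials discussed in the
# thread. Process names, pids and inodes are illustrative, not captured.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1381905123.456:101): avc:  denied  { read write } for  pid=2310 comm="mdadm" path="/dev/mapper/control" dev="devtmpfs" ino=1234 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1381905123.789:102): avc:  denied  { read open } for  pid=2310 comm="mdadm" path="/dev/urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1381905130.001:103): avc:  denied  { write add_name } for  pid=2590 comm="cimprovagt" name="tmp" dev="vda2" ino=131073 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1381905130.002:104): avc:  denied  { write create open } for  pid=2590 comm="cimprovagt" name="XXXXXXX" scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1381905130.500:105): avc:  denied  { getattr } for  pid=2590 comm="cimprovagt" path="/mnt/test/lost+found" dev="sdb1" ino=11 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir
type=AVC msg=audit(1381905131.000:106): avc:  denied  { getattr open ioctl } for  pid=2590 comm="cimprovagt" path="/dev/vda" dev="devtmpfs" ino=7456 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1381905131.000:106): arch=c000003e syscall=2 success=no exit=-13 comm="cimprovagt"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<sctx>\S+)"
    r".*?tcontext=(?P<tctx>\S+)"
    r".*?tclass=(?P<tclass>\w+)"
)

# Decisions from the thread: these denials point at application bugs and
# must be fixed in the application, not papered over with an allow rule.
KNOWN_APP_BUGS = {
    ("mdadm_t", "lvm_control_t", "chr_file"):
        "fd to /dev/mapper/control leaked from blivet into mdadm (bug #1016467)",
    ("pegasus_openlmi_storage_t", "tmp_t", "dir"):
        "blivet creates files under /tmp (bz#1038205)",
    ("pegasus_openlmi_storage_t", "tmp_t", "file"):
        "blivet creates files under /tmp (bz#1038205)",
    ("pegasus_openlmi_storage_t", "lost_found_t", "dir"):
        "blivet reads the SELinux context of /lost+found (bz#1038146)",
}


def type_of(context):
    """Extract the type field from a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_domain, target_type, tclass, set_of_perms) per AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, PATH and other record types carry no denial
        yield (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"],
               set(m["perms"].split()))


def merge_rules(records):
    """Union permissions per (domain, type, class), as audit2allow does."""
    rules = defaultdict(set)
    for sdom, ttype, tclass, perms in records:
        rules[(sdom, ttype, tclass)] |= perms
    return dict(rules)


def format_rule(sdom, ttype, tclass, perms):
    """Render one rule; a single permission is printed without braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (sdom, ttype, tclass, body)


def triage(text):
    """Return audit2allow-style output annotated with the thread's DENY reasons."""
    by_domain = defaultdict(list)
    for key, perms in sorted(merge_rules(parse_avcs(text)).items()):
        by_domain[key[0]].append((key, perms))
    out = []
    for sdom in sorted(by_domain):
        out.append("#============= %s ==============" % sdom)
        for key, perms in by_domain[sdom]:
            reason = KNOWN_APP_BUGS.get(key)
            out.append("# DENY: " + reason if reason
                       else "# REVIEW: not a known application bug; candidate for policy")
            out.append(format_rule(*key, perms))
    return "\n".join(out)


if __name__ == "__main__":
    print(triage(SAMPLE_AUDIT_LOG))
```

The point of the KNOWN_APP_BUGS table is the one the thread keeps making: a denial is evidence, not a policy request. Anything that maps to a known application defect (a leaked descriptor, scratch files in /tmp, reading contexts it has no business reading) stays DENY until the application is fixed, and only the remainder is reviewed as a candidate for the policy.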
Moving back to assigned for new AVCs, see comment #15.

commit 7e5034e85b57664e19431e6edfc5324b2531fb84
Author: Miroslav Grepl <mgrepl>
Date: Fri Dec 6 14:03:04 2013 +0100

    Update pegasus_openlmi_storage_t policy

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
Created attachment 807055 [details]
openlmi-storage AVCs

As development and testing of the OpenLMI Storage provider continues, I've noticed new AVCs in audit.log (see attachment) which need to be reflected in our policy.

Acquired with:
selinux-policy-targeted-3.12.1-84
openlmi-storage-0.6.0