Bug 1323732

Summary: Selinux prevents snapper timer services
Product: Fedora
Reporter: Ondrej Kozina <okozina>
Component: selinux-policy-targeted
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: high
Priority: high
Version: 24
CC: dwalsh, lvrabec, okozina
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.13.1-185.fc24
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-05-07 11:43:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ondrej Kozina 2016-04-04 14:27:31 UTC
Description of problem:

Snapper is not allowed to perform some actions:

Snapper timer services (crond replacement in systemd) are not allowed to communicate with snapperd daemon.

In enforcing mode I see this message in a timer service log:
systemd-helper[2994]: Failure (org.freedesktop.DBus.Error.AccessDenied).

this can be seen in audit.log

type=USER_AVC msg=audit(1459779311.778:484): pid=3020 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=ListConfigs dest=org.opensuse.Snapper spid=3128 tpid=3130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I guess it's caused by timer services executing /usr/lib/snapper/systemd-helper,
which results in processes being in the init_t domain?

Version-Release number of selected component (if applicable):
snapper-0.2.8-2.fc24.x86_64
selinux-policy-targeted-3.13.1-180.fc25.noarch
kernel-4.6.0-0.rc1.git0.1.fc25.x86_64

How reproducible:
always

Steps to Reproduce:
Enable and/or manually start snapper-timeline service while snapper is configured to snapshot some mounted volume

Comment 1 Ondrej Kozina 2016-04-04 15:31:40 UTC
Also, snapperd seems to be restricted from performing a few ioctl calls, but I will need help on how to debug it properly. The only lines I see in audit.log wrt blocked ioctls are:

type=AVC msg=audit(1459782391.281:764): avc:  denied  { sys_admin } for  pid=3573 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

and the ioctl syscall returns 'Operation not permitted'

snapperd seems to be unable to lower the priority of background threads:
type=AVC msg=audit(1459782360.278:758): avc:  denied  { setsched } for  pid=3560 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0

Let me know if you want me to create a separate bug for it...

Comment 2 Lukas Vrabec 2016-04-12 12:13:31 UTC
Hello Ondrej, 

I fixed your first issue with this change:
 # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Could you test it also, if we can add snapperd_exec_t file context for /usr/lib/snapper/systemd-helper? 

Do you have some reproducer for AVCs in comment 1 ? 

Thank you.

Comment 3 Ondrej Kozina 2016-04-12 14:12:45 UTC
(In reply to Lukas Vrabec from comment #2)
> Hello Ondrej, 
> 
> I fixed your first issue with this change:
>  # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Yup, that fixed it for me. Thanks!

With regard to others:

1) ioctls issued by snapperd while performing actions on btrfs backend:

(optional: if you want to see snapperd debug messages edit /usr/share/dbus-1/system-services/org.opensuse.Snapper.service and add "-d" option to Exec= value)

1) create and mount btrfs on /mnt/btrfs
2) create snapper config: snapper -c btrfs create-config /mnt/btrfs
3) now perform restorecon -R /mnt/btrfs (selinux support is not yet merged in snapper)
4) invoke background comparison in snapper daemon by: snapper -c btrfs create -t pre-post --command "touch /mnt/btrfs/some_file"

It'll generate denied ioctl on /mnt/btrfs directory (subvolume).

2) Also it'll cause a denied setpriority() for a snapperd thread with param prio = 20 (which is a general issue for any snapper backend, not only btrfs)

(obviously 2nd denial is not so big deal)

Comment 4 Ondrej Kozina 2016-04-12 14:15:33 UTC
"ausearch -m avc,user_avc -ts recent" output for the reproducer above:

type=AVC msg=audit(1460409569.810:14537): avc:  denied  { rlimitinh } for  pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.813:14538): avc:  denied  { siginh } for  pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.813:14539): avc:  denied  { noatsecure } for  pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.952:14540): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[208448]" dev="sockfs" ino=208448 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.952:14541): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[208450]" dev="sockfs" ino=208450 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14542): avc:  denied  { setsched } for  pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14543): avc:  denied  { setsched } for  pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14544): avc:  denied  { sys_admin } for  pid=7140 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Comment 5 Lukas Vrabec 2016-04-22 12:26:55 UTC
OK, I pushed fixes with labeling of /usr/lib/snapper/systemd-helper.

commit cdd71e4d94be7e60bbeedfb65e8e6150f866ce38
Author: Lukas Vrabec <lvrabec>
Date:   Fri Apr 22 14:26:00 2016 +0200

    Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732

Comment 6 Lukas Vrabec 2016-04-22 12:34:09 UTC
Could you reproduce your issue with the following test policy?

$ cat snapperd_test.te 

policy_module(snapperd_test, 1.0)

require {
	type snapperd_t;
	class process setsched;
	class capability sys_admin;
}

#============= snapperd_t ==============
allow snapperd_t self:capability sys_admin;
allow snapperd_t self:process setsched;


$ make -f /usr/share/selinux/devel/Makefile snapperd_test.pp
# semodule -i snapperd_test.pp

Thank you.

Comment 7 Ondrej Kozina 2016-04-28 14:45:12 UTC
Yup, works for me. Both errors are gone, thanks!

Comment 8 Fedora Update System 2016-05-02 10:53:14 UTC
selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e163032315

Comment 9 Fedora Update System 2016-05-07 11:43:38 UTC
selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.