Bug 1607974

Summary: [Tracker] Need policy for boltd
Product: [Fedora] Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 28
CC: alex.ploumistos, ckellner, dwalsh, lvrabec, mgrepl, plautrba, pmoore
Keywords: Tracking
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.1-42.fc28
Last Closed: 2018-09-11 16:55:59 UTC
Type: Bug

Attachments:
  ausearch -m USER_AVC -ts today (flags: none)

Description Orion Poplawski 2018-07-24 16:05:17 UTC
Description of problem:

system_u:system_r:unconfined_service_t:s0 root 2328 1  0 Jul23 ?       00:00:00 /usr/libexec/boltd

I think this leads to:

type=AVC msg=audit(1532360899.498:312): avc:  denied  { view } for  pid=1180 comm="rpc.gssd" scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=0

Version-Release number of selected component (if applicable):
selinux-policy-3.14.1-32.fc28.noarch
bolt-0.4-1.fc28.x86_64

Comment 1 Alexander Ploumistos 2018-08-09 13:20:35 UTC
Hi,

After updating to selinux-policy-3.14.1-39.fc28, I got this:

"SELinux is preventing boltd from write access on the sock_file socket."

type=AVC msg=audit(1533820265.11:268): avc:  denied  { write } for  pid=1551 comm="boltd" name="socket" dev="tmpfs" ino=11117 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1

Comment 2 Christian Kellner 2018-08-29 09:19:36 UTC
With selinux-policy-3.14.1-40.fc28, boltd seems to not be able to talk to polkitd:

error time=1535530547.127210 sender=org.freedesktop.DBus -> destination=:1.9 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=916
   string "An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_return", sender=":1.9" (uid=998 pid=1224 comm="/usr/lib/polkit-1/polkitd --no-debug " label="system_u:system_r:policykit_t:s0") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.5" (uid=0 pid=1148 comm="/usr/libexec/boltd " label="system_u:system_r:boltd_t:s0")"

I am by no means an SELinux expert, but maybe boltd.te is missing something like:

optional_policy(`
	dbus_system_domain(boltd_t,boltd_exec_t)
	optional_policy(`
		policykit_dbus_chat(boltd_t)
	')
')

Does the interface also need something like the following?

########################################
## <summary>
##	Send and receive messages from
##	boltd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`boltd_dbus_chat',`
	gen_require(`
		type boltd_t;
		class dbus send_msg;
	')

	allow $1 boltd_t:dbus send_msg;
	allow boltd_t $1:dbus send_msg;
')
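
The three denials quoted in this bug (the keyring AVC in the description, the syslog socket AVC in comment 1, and the dbus-daemon AccessDenied reply in comment 2) are the kind of records audit2allow would turn into allow rules. The script below is an added example and is not part of the bug report, of bolt, or of selinux-policy: it parses both record formats, folds them into allow rules, distinguishes denials that were actually blocked (permissive=0, or a dbus AccessDenied reply) from ones that were only logged in permissive mode, and flags the cases where a raw allow rule is the wrong fix. The sample input is the text quoted above, re-used as constructed test data; the interface names in the notes that do not appear in this bug (init_daemon_domain, logging_send_syslog_msg) are refpolicy interfaces assumed to be present in Fedora's policy and should be checked against the installed .if files.

```python
import re

# Constructed sample: the records quoted in this bug, one list entry per
# line as they appear on the page (the dbus reply spans two lines).
SAMPLE_LOG = [
    'type=AVC msg=audit(1532360899.498:312): avc:  denied  { view } for  pid=1180 comm="rpc.gssd" '
    'scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=key permissive=0',
    'type=AVC msg=audit(1533820265.11:268): avc:  denied  { write } for  pid=1551 comm="boltd" '
    'name="socket" dev="tmpfs" ino=11117 scontext=system_u:system_r:boltd_t:s0 '
    'tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1',
    'error time=1535530547.127210 sender=org.freedesktop.DBus -> destination=:1.9 '
    'error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=916',
    '   string "An SELinux policy prevents this sender from sending this message to this '
    'recipient, 0 matched rules; type="method_return", sender=":1.9" (uid=998 pid=1224 '
    'comm="/usr/lib/polkit-1/polkitd --no-debug " label="system_u:system_r:policykit_t:s0") '
    'interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" '
    'destination=":1.5" (uid=0 pid=1148 comm="/usr/libexec/boltd " '
    'label="system_u:system_r:boltd_t:s0")"',
]

# Kernel AVC record: permissions in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# dbus-daemon AccessDenied text: the labels sit inside the parenthesised
# sender and destination descriptions.
DBUS_RE = re.compile(
    r'An SELinux policy prevents this sender from sending this message to this recipient'
    r'.*?\bsender="[^"]*"\s+\([^)]*\blabel="(?P<scon>[^"]+)"\)'
    r'.*?\bdestination="[^"]*"\s+\([^)]*\blabel="(?P<tcon>[^"]+)"\)'
)


def ctx_type(ctx):
    """Return the type field of a context user:role:type[:range]."""
    return ctx.split(':', 3)[2]


def parse_denial(line):
    """Parse one AVC record or one dbus AccessDenied message; None otherwise."""
    m = AVC_RE.search(line)
    if m:
        return {
            'source': ctx_type(m.group('scon')),
            'target': ctx_type(m.group('tcon')),
            'tclass': m.group('tclass'),
            'perms': tuple(m.group('perms').split()),
            # permissive=1: logged but allowed through; anything else: refused.
            'enforced': m.group('permissive') != '1',
        }
    m = DBUS_RE.search(line)
    if m:
        # dbus-daemon does its own check on delivery; an AccessDenied reply
        # means the message was dropped, so this denial is always enforced.
        return {
            'source': ctx_type(m.group('scon')),
            'target': ctx_type(m.group('tcon')),
            'tclass': 'dbus',
            'perms': ('send_msg',),
            'enforced': True,
        }
    return None


def allow_rule(d):
    """Render the audit2allow-style rule that would silence this denial."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['source'], d['target'], d['tclass'], perms)


def review(d):
    """Notes on denials where a bare allow rule is the wrong fix."""
    notes = []
    if 'unconfined_service_t' in (d['source'], d['target']):
        notes.append('a process is running as unconfined_service_t: label its executable and '
                     'give it its own domain (e.g. init_daemon_domain, assumed refpolicy '
                     'interface) instead of allowing access to unconfined_service_t')
    if d['tclass'] == 'dbus':
        notes.append('use a *_dbus_chat interface pair (as policykit_dbus_chat in this bug) '
                     'rather than a one-way send_msg rule')
    if d['target'] == 'syslogd_var_run_t' and d['tclass'] == 'sock_file':
        notes.append('syslog socket: prefer logging_send_syslog_msg (assumed refpolicy '
                     'interface) over a raw sock_file write rule')
    return notes


def summarize(lines):
    """Map each distinct allow rule to whether it was ever enforced, plus notes."""
    rules = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        entry = rules.setdefault(allow_rule(d), {'enforced': False, 'notes': []})
        entry['enforced'] = entry['enforced'] or d['enforced']
        for note in review(d):
            if note not in entry['notes']:
                entry['notes'].append(note)
    return rules


if __name__ == '__main__':
    for rule, info in summarize(SAMPLE_LOG).items():
        print('%s  # %s' % (rule, 'blocked' if info['enforced'] else 'permissive, logged only'))
        for note in info['notes']:
            print('    -> ' + note)
```

Run it against `ausearch -m AVC,USER_AVC -ts today` output (or dbus-daemon's error text) to see which denials were genuinely enforced before writing policy; the unconfined_service_t note is the actual root cause in this bug, since no allow rule on gssd_t would be right while boltd has no domain of its own.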

Comment 3 Christian Kellner 2018-08-29 09:22:28 UTC
Created attachment 1479415
ausearch -m USER_AVC -ts today

Comment 4 Fedora Update System 2018-09-06 21:57:12 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 5 Fedora Update System 2018-09-07 17:12:39 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 6 Fedora Update System 2018-09-11 16:55:59 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.