Bug 1698405

Summary: Update policy for cockpit-cert-session
Product: Fedora
Component: selinux-policy
Version: 29
Reporter: Martin Pitt <mpitt>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.2-54.fc29
Last Closed: 2019-04-15 17:43:54 UTC
Type: Bug

Description Martin Pitt 2019-04-10 10:23:44 UTC
Description of problem: The recent policy update in bug 1690444 brought the initial bits for adding smart card authentication support to Cockpit. But we had to improve the design a bit to allow a more trustworthy way of treating the client certificates. These now get passed around as sealed memfds, which SELinux treats as tmpfs_t.

Thus we need to allow cockpit-ws and cockpit-cert-session to handle tmpfs files:

audit: type=1400 audit(1554890529.511:520): avc:  denied  { write } for  pid=7871 comm="cockpit-ws" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45387 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: type=1400 audit(1554890542.604:530): avc:  denied  { read write } for  pid=7896 comm="cockpit-cert-se" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45900 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: type=1400 audit(1554890542.621:531): avc:  denied  { getattr } for  pid=7896 comm="cockpit-cert-se" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45900 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

The diff of my local policy adjustment looks like this:

 module local 1.0;
-require { type cockpit_session_t; type sssd_t; type cockpit_ws_t; type cert_t; class dbus send_msg; class file { read map }; }
+require { type cockpit_session_t; type sssd_t; type cockpit_ws_t; type cert_t; type tmpfs_t; class dbus send_msg; class file { read write map getattr }; }
+allow cockpit_session_t tmpfs_t:file { read write map getattr };
 allow cockpit_session_t sssd_t:dbus send_msg;
 allow sssd_t cockpit_session_t:dbus send_msg;
+allow cockpit_ws_t tmpfs_t:file { read write map getattr };
 dontaudit cockpit_ws_t cert_t:file { read map };
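Review bot: both new allow rules in this hunk target the generic tmpfs_t type, so `allow cockpit_ws_t tmpfs_t:file { read write map getattr };` and the matching cockpit_session_t rule let the two domains read and write any tmpfs_t-labelled file, not only the sealed memfd that carries the client certificate. A dedicated derived type for Cockpit's memfds (which is what the commit in comment 1 does with cockpit_tmpfs_t), reached through the usual tmpfs type_transition from the two domains on tmpfs_t:file, confines the access to files Cockpit itself creates. The `read` for cockpit_ws_t and `map` for both domains are acknowledged below as not currently needed; leaving them out until a consumer exists keeps the rules minimal and keeps every permission explainable by an observed denial.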

Note that this is a tiny bit more leeway than currently required (ws_t doesn't need to read, and neither currently needs to map), but IMHO these don't hurt and will allow some more flexibility later on.

Thank you!

Version-Release number of selected component (if applicable):

selinux-policy-3.14.2-51.fc29.noarch
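To make the three denials above easier to reason about, here is an added helper (not part of the bug report or of the Cockpit or selinux-policy projects) that parses them, hex-decodes the audit `path=` field to show the object really is the memfd, and folds the denials into the minimal allow rules they justify, which can then be compared with the broader rules in the proposed patch. The regex and field names are my own assumptions about the audit record layout shown here.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC denials quoted in the bug description above.
AVC_LINES = """\
audit: type=1400 audit(1554890529.511:520): avc:  denied  { write } for  pid=7871 comm="cockpit-ws" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45387 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: type=1400 audit(1554890542.604:530): avc:  denied  { read write } for  pid=7896 comm="cockpit-cert-se" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45900 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: type=1400 audit(1554890542.621:531): avc:  denied  { getattr } for  pid=7896 comm="cockpit-cert-se" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45900 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
"""
# path= is optional in an AVC record (absent for non-file classes such as dbus).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
    r'(?: path=(?P<path>\S+))?.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def decode_audit_field(value):
    """auditd hex-encodes an unquoted field containing spaces etc. (here the memfd name)."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_denials(text):
    """One dict per AVC line: process name, decoded path, source/target types, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append({
            "comm": m["comm"],
            "path": decode_audit_field(m["path"]) if m["path"] else None,
            "stype": m["scon"].split(":")[2],  # user:role:TYPE:level
            "ttype": m["tcon"].split(":")[2],
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
        })
    return denials

def allow_rules(denials):
    """Union perms per (source type, target type, class) into minimal allow rules, audit2allow-style."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    found = parse_denials(AVC_LINES)
    print("denied object:", found[0]["path"])  # -> /memfd:client-cert (deleted)
    print("\n".join(allow_rules(found)))
```

The derived rules grant only `write` to cockpit_ws_t and `getattr read write` to cockpit_session_t, so anything beyond that in a policy change is leeway rather than an observed need.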

Comment 1 Lukas Vrabec 2019-04-10 12:38:58 UTC
commit 8f8113db710c73145e668ae8c7e479fcc53bfa89 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Apr 10 14:38:39 2019 +0200

    Create cockpit_tmpfs_t and allow cockpit ws and session to use it BZ(1698405)

Comment 2 Martin Pitt 2019-04-11 08:30:56 UTC
I locally built the selinux-policy rpm with this patch applied and confirm that it works. Many thanks!

Comment 3 Fedora Update System 2019-04-13 11:50:58 UTC
selinux-policy-3.14.2-54.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6add7b193f

Comment 4 Fedora Update System 2019-04-14 04:45:55 UTC
selinux-policy-3.14.2-54.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6add7b193f

Comment 5 Fedora Update System 2019-04-15 17:43:54 UTC
selinux-policy-3.14.2-54.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.