Bug 1719067

Summary: BUG: EACCES on writing empty value to /proc/self/attr/keycreate
Product: Red Hat Enterprise Linux 8
Reporter: Kirill Kolyshkin <kolyshkin>
Component: kernel
Sub component: SELinux
Assignee: Ondrej Mosnacek <omosnace>
QA Contact: Milos Malik <mmalik>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: dwalsh, lsm5, plautrba, zpytela
Version: 8.1
Keywords: AutoVerified, FastFix, Patch, Reproducer
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: kernel-4.18.0-112.el8
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2019-11-05 21:57:39 UTC

Description Kirill Kolyshkin 2019-06-11 00:40:42 UTC
Description of problem:

The kernel returns EACCES when trying to write an empty value to /proc/self/attr/keycreate. According to Dan Walsh, writing an empty value is a legitimate way to tell "reset it to whatever defaults are there", and yet the kernel returns an error. I believe this is a bug.

Here's a repro and how it works:

[root@kir-ce7-selinux-01 ~]# cat a.c 
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>

/* Reproducer: a zero-length write to keycreate is the documented way to
 * reset it to the default.  On an affected kernel the write fails with
 * EACCES; the program exits non-zero on any failure. */
int main(void) {
	int fd, r;

	fd = open("/proc/self/attr/keycreate", O_WRONLY);
	if (fd < 0) {
		perror("open");
		return 1;
	}

	r = write(fd, "", 0);
	if (r < 0) {
		perror("write");
		close(fd);
		return 1;
	}

	close(fd);
	return 0;
}

[root@kir-ce7-selinux-01 ~]# uname -a
Linux kir-ce7-selinux-01 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@kir-ce7-selinux-01 ~]# gcc -Wall -O2 -o a a.c

[root@kir-ce7-selinux-01 ~]# ./a
write: Permission denied
[root@kir-ce7-selinux-01 ~]# strace ./a
...
open("/proc/self/attr/keycreate", O_WRONLY) = 3
write(3, "", 0)                         = -1 EACCES (Permission denied)
...


NOTE you need a freshly booted kernel for that. Something like yum update container-selinux makes the bug disappear (I suspect something in the post-install scripts resets the selinux state in the kernel or something).

Version-Release number of selected component (if applicable):

[root@kir-ce7-selinux-01 ~]# uname -a
Linux kir-ce7-selinux-01 3.10.0-957.12.2.el7.x86_64 #1 SMP Tue May 14 21:24:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:

See above.

Actual results:

See above (EACCES returned from write).


Expected results:

No error.

Additional info:

This breaks runc, containerd, and docker :)

Comment 2 Kirill Kolyshkin 2019-06-11 01:50:50 UTC
I am always able to reproduce it on a freshly installed (latest) CentOS. Once I do something, say install container-selinux package, the bug disappears entirely, and removing container-selinux won't help. Sometimes a reboot helps to bring it back, sometimes not, and to repro I have to install a fresh CentOS system.

Comment 4 Ondrej Mosnacek 2019-06-12 07:54:28 UTC
After going through the code, I agree that this is a bug. The kernel shouldn't check the key/create permission when the value is being cleared. The bug has been present upstream since the very introduction of the keycreate file (almost 13 years)...

I'll send a fix to upstream soon. It is not clear at this point whether we will fix this in RHEL-7 or defer to RHEL-8.

Comment 5 Ondrej Mosnacek 2019-06-12 08:17:03 UTC
Patch posted upstream: https://lore.kernel.org/selinux/20190612081226.21004-1-omosnace@redhat.com/T/

Comment 6 Daniel Walsh 2019-06-12 08:48:35 UTC
I think this is fine in RHEL7, we can work around with the updated container-selinux policy.

Comment 7 Ondrej Mosnacek 2019-06-12 10:49:58 UTC
Thanks, Dan. I'm moving this to RHEL-8 then.

Comment 8 Ondrej Mosnacek 2019-06-13 09:12:43 UTC
Upstream commit:

commit 464c258aa45b09f16aa0f05847ed8895873262d9
Author: Ondrej Mosnacek <omosnace>
Date:   Wed Jun 12 10:12:26 2019 +0200

    selinux: fix empty write to keycreate file

https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=464c258aa45b09f16aa0f05847ed8895873262d9

Comment 12 Herton R. Krzesinski 2019-07-05 20:13:40 UTC
Patch(es) available on kernel-4.18.0-112.el8

Comment 24 errata-xmlrpc 2019-11-05 21:57:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3517