Bug 1726259

Summary: the stratisd service runs as unconfined_service_t
Product: Red Hat Enterprise Linux 8 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.1CC: jafiala, lvrabec, mmalik, nknazeko, pkoncity, plautrba, ssekidde, zpytela
Target Milestone: rcKeywords: Patch
Target Release: 8.2   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
.New SELinux types enable services to run confined This update introduces new SELinux types that enable the following services to run as confined services in SELinux enforcing mode instead of running in the `unconfined_service_t` domain: * `lldpd` now runs as `lldpad_t` * `rrdcached` now runs as `rrdcached_t` * `stratisd` now runs as `stratisd_t` * `timedatex` now runs as `timedatex_t`
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:40:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1726199    

Description Milos Malik 2019-07-02 12:48:17 UTC 
Description of problem:
 * the service is shipped but it is not confined

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-9.el8.noarch
selinux-policy-targeted-3.14.3-9.el8.noarch
stratisd-1.0.4-2.el8.x86_64

How reproducible:
 * always

Steps to Reproduce:
# service stratisd status
Redirecting to /bin/systemctl status stratisd.service
● stratisd.service - A daemon that manages a pool of block devices to create flexible file systems
   Loaded: loaded (/usr/lib/systemd/system/stratisd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2019-07-02 08:42:40 EDT; 5s ago
     Docs: man:stratisd(8)
  Process: 10992 ExecStart=/usr/libexec/stratisd --debug (code=exited, status=0/SUCCESS)
 Main PID: 10992 (code=exited, status=0/SUCCESS)

Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:  INFO stratisd: Dump timer expired, dumpi…tate
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]: DEBUG stratisd: Engine state:
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]: StratEngine {
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:     pools: {},
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:     incomplete_pools: {},
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:     watched_dev_last_event_nrs: {},
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]: }
Jul 02 08:42:40 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Stopping A daemon that manages a pool of bloc…ms...
Jul 02 08:42:40 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:  INFO stratisd: SIGINT received, exiting
Jul 02 08:42:40 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Stopped A daemon that manages a pool of block…tems.
Hint: Some lines were ellipsized, use -l to show in full.
# service stratisd start
Redirecting to /bin/systemctl start stratisd.service
# service stratisd status
Redirecting to /bin/systemctl status stratisd.service
● stratisd.service - A daemon that manages a pool of block devices to create flexible file systems
   Loaded: loaded (/usr/lib/systemd/system/stratisd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-07-02 08:42:49 EDT; 1s ago
     Docs: man:stratisd(8)
 Main PID: 18133 (stratisd)
    Tasks: 1 (limit: 11518)
   Memory: 788.0K
   CGroup: /system.slice/stratisd.service
           └─18133 /usr/libexec/stratisd --debug

Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Started A daemon that manages a pool of block…tems.
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: DEBUG libstratis::stratis::buff_log: Buff…none
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:  INFO stratisd: Using StratEngine
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: DEBUG stratisd: Engine state:
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: StratEngine {
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:     pools: {},
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:     incomplete_pools: {},
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:     watched_dev_last_event_nrs: {},
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: }
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:  INFO stratisd: D-Bus API is available
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep stratisd
system_u:system_r:unconfined_service_t:s0 root 18133 1  0 08:42 ?      00:00:00 /usr/libexec/stratisd --debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 18180 4655  0 08:43 pts/0 00:00:00 grep --color=auto stratisd
# ls -Z /usr/libexec/stratisd
system_u:object_r:bin_t:s0 /usr/libexec/stratisd
#

Actual results:
 * the service is not confined

Expected results:
 * the service is confined
Comment 2 Patrik Koncity 2019-08-20 11:23:35 UTC 
https://github.com/fedora-selinux/selinux-policy-contrib/pull/132/commits/e27376b775abc93092a2ba233754d9c848c4fba8
Comment 4 Nikola Knazekova 2019-10-25 09:37:59 UTC 
During manual testing a USER_AVC was found:
----
type=USER_AVC msg=audit(10/25/2019 05:28:33.468:461) : pid=504 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
Comment 5 Nikola Knazekova 2019-10-25 09:56:16 UTC 
This selinux denial will be fixed in the Stratis component, because the service is trying to create a directory in wrong location /stratis
----
type=PROCTITLE msg=audit(10/25/2019 05:17:02.313:392) : proctitle=/usr/libexec/stratisd --debug 
type=PATH msg=audit(10/25/2019 05:17:02.313:392) : item=1 name=/stratis nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/25/2019 05:17:02.313:392) : item=0 name=/ inode=2 dev=fc:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/25/2019 05:17:02.313:392) : cwd=/ 
type=SYSCALL msg=audit(10/25/2019 05:17:02.313:392) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x561728dd59d0 a1=0777 a2=0x9 a3=0x561728dddbf8 items=2 ppid=1 pid=4969 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=stratisd exe=/usr/libexec/stratisd subj=system_u:system_r:stratisd_t:s0 key=(null) 
type=AVC msg=audit(10/25/2019 05:17:02.313:392) : avc:  denied  { dac_override } for  pid=4969 comm=stratisd capability=dac_override  scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:stratisd_t:s0 tclass=capability permissive=0
Comment 7 Nikola Knazekova 2019-10-30 17:04:55 UTC 
Fixed USER_AVC.
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/157
Comment 19 errata-xmlrpc 2020-04-28 16:40:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773