Bug 1730204
| Summary: | the timedatex service runs as unconfined_service_t | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | Jan Fiala <jafiala> |
| Priority: | medium | ||
| Version: | 8.1 | CC: | jafiala, lvrabec, mmalik, nknazeko, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified, Patch |
| Target Release: | 8.2 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-26.el8 | Doc Type: | Enhancement |
| Doc Text: |
.New SELinux types enable services to run confined
This update introduces new SELinux types that enable the following services to run as confined services in SELinux enforcing mode instead of running in the `unconfined_service_t` domain:
* `lldpd` now runs as `lldpad_t`
* `rrdcached` now runs as `rrdcached_t`
* `stratisd` now runs as `stratisd_t`
* `timedatex` now runs as `timedatex_t`
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-28 16:40:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1726199 | ||
Following SELinux denials were found on Fedora 31 machines during yesterday's testing session with interns:
----
type=USER_AVC msg=audit(09/18/2019 03:01:38.324:319) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(09/18/2019 03:01:38.828:321) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:systemd_timedated_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(09/18/2019 03:01:38.829:322) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=root path=/usr/lib/systemd/system/chronyd.service cmdline="/usr/sbin/timedatex" scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:chronyd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
During the same session we prepared the following policy module, which solves the issue:
# cat mypolicy.te
policy_module(mypolicy, 1.0)
require {
type timedatex_t;
type systemd_timedated_unit_file_t;
class service status;
}
#============= timedatex_t ==============
allow timedatex_t systemd_timedated_unit_file_t:service status;
chronyd_systemctl(timedatex_t)
init_status(timedatex_t)
#
No SELinux denials appear after loading this policy module.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1773 |
Description of problem: * the service is shipped but it is not confined Version-Release number of selected component (if applicable): selinux-policy-3.14.3-9.el8.noarch selinux-policy-targeted-3.14.3-9.el8.noarch timedatex-0.5-3.el8.x86_64 How reproducible: * always Steps to Reproduce: 1. get a RHEL-8.1 machine (targeted policy is active) # service timedatex status Redirecting to /bin/systemctl status timedatex.service ● timedatex.service - System clock and RTC settings service Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled) Active: inactive (dead) # service timedatex start Redirecting to /bin/systemctl start timedatex.service # service timedatex status Redirecting to /bin/systemctl status timedatex.service ● timedatex.service - System clock and RTC settings service Loaded: loaded (/usr/lib/systemd/system/timedatex.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2019-07-16 03:34:42 EDT; 1s ago Main PID: 1702 (timedatex) Tasks: 4 (limit: 11518) Memory: 1.3M CGroup: /system.slice/timedatex.service └─1702 /usr/sbin/timedatex Jul 16 03:34:42 intentionally-removed systemd[1]: ... Jul 16 03:34:42 intentionally-removed systemd[1]: ... Hint: Some lines were ellipsized, use -l to show in full. # ps -efZ | grep time system_u:system_r:unconfined_service_t:s0 root 1702 1 0 03:34 ? 00:00:00 /usr/sbin/timedatex unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1718 1241 0 03:34 pts/0 00:00:00 grep --color=auto time # Actual results: * the timedatex service is not confined Expected results: * the timedatex service is confined