Bug 1750112

Summary: selinux is blocking gdm from accessing boot_t files, breaking the grub hidden menu feature
Product: Fedora
Component: selinux-policy
Version: 30
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Hans de Goede <hdegoede>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, lvrabec, mgrepl, nknazeko, plautrba, zpytela
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.3-52.fc30
Type: Bug
Last Closed: 2019-11-17 01:13:19 UTC

Description Hans de Goede 2019-09-08 12:58:26 UTC
This is an (unfixed) variant of bug 1645770.

Quoting from bug 1645770 for some background: "When rebooting using the GNOME3 system menu from within gdm, gnome-session calls the grub2-set-bootflag helper to modify the grubenv (which sits on the UEFI ESP partition, which is vfat) to indicate that this was a user-initiated reboot and that the previous boot thus was successful, so that the grub menu will stay hidden."

The problem in bug 1645770 was selinux blocking xdm_t from accessing dosfs_t files, such as the grubenv file when the system is booted through UEFI and /boot/EFI is a separate VFAT partition.

The Fedora 30 problem which I just noticed is that when rebooting from within gdm on a system using classic PC BIOS boot, the setting of the boot_success flag in the grubenv still gets blocked by selinux and the boot-menu is still shown even though this was a "clean" reboot.

This is caused by /boot/EFI not being a separate VFAT partition when using classic PC BIOS boot. In this case it is just a subdir of the ext4 /boot partition and the selinux type of grubenv is not dosfs_t but rather boot_t, leading to this denial getting logged (there may be other silent ones):

  type=AVC msg=audit(1567796410.435:125): avc:  denied  { write } for  pid=1490
   comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=395
   scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
   tcontext=unconfined_u:object_r:boot_t:s0 tclass=file permissive=0

And to illustrate the UEFI vs BIOS boot system difference:

  Classic BIOS boot:
   [root@localhost ~]# ls -Z /boot/efi/EFI/fedora/grubenv 
   unconfined_u:object_r:boot_t:s0 /boot/efi/EFI/fedora/grubenv
  EFI:
   [hans@shalem gnome-session]$ sudo ls -Z /boot/efi/EFI/fedora/grubenv
   system_u:object_r:dosfs_t:s0 /boot/efi/EFI/fedora/grubenv

Note I've not tested this on F31, but I expect F31 to also be affected; it would be good if we could get this fixed before F31 final.
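
As an added illustration (not part of the bug report or of selinux-policy), the shell snippet below takes AVC records shaped like the one quoted above, extracts the source type, target type, class and permission, and flags the xdm_t-writing-grubenv pattern, distinguishing the boot_t (BIOS, ext4 /boot) case of this bug from the dosfs_t (UEFI, vfat ESP) case of bug 1645770. The sample records are constructed; `scan_live` only runs on a host with ausearch and the boolean name comes from the commit in comment 2.

```shell
#!/bin/sh
# Added example, not code from the bug report: classify AVC records against the
# gdm-reboot grubenv denial and point at the matching fix.

# Constructed sample records modelled on the denial quoted in the report.
AVC_BIOS='type=AVC msg=audit(1567796410.435:125): avc:  denied  { write } for  pid=1490 comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=395 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:boot_t:s0 tclass=file permissive=0'
AVC_UEFI='type=AVC msg=audit(1567796411.100:126): avc:  denied  { write } for  pid=1491 comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=12 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0'
AVC_OTHER='type=AVC msg=audit(1567796412.000:127): avc:  denied  { read } for  pid=1492 comm="httpd" name="index.html" dev="sda1" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_field <record> <stype|ttype|tclass|comm|perm>: print one field of an AVC record.
# The type is the third colon-separated element of the context (user:role:type:range).
avc_field() {
  case "$2" in
    stype)  printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' ;;
    ttype)  printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p' ;;
    tclass) printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p' ;;
    comm)   printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p' ;;
    perm)   printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^ }]*\).*/\1/p' ;;
  esac
}

# grubenv_denial_fix <record>: exit 0 and describe the case when the record is
# xdm_t writing a file labelled boot_t or dosfs_t (the grub2-set-bootflag denial);
# exit 1 for any other denial so unrelated records are not misreported.
grubenv_denial_fix() {
  [ "$(avc_field "$1" stype)" = xdm_t ] || return 1
  [ "$(avc_field "$1" tclass)" = file ] || return 1
  [ "$(avc_field "$1" perm)" = write ] || return 1
  case "$(avc_field "$1" ttype)" in
    boot_t)  echo "boot_t target: BIOS layout, grubenv on ext4 /boot; check 'getsebool xdm_manage_bootloader' (fixed in selinux-policy-3.14.3-52.fc30)" ;;
    dosfs_t) echo "dosfs_t target: UEFI layout, grubenv on the vfat ESP (bug 1645770 case); the same boolean covers DOS filesystems" ;;
    *)       return 1 ;;
  esac
}

# scan_live: on a real Fedora host, feed the helper's recent denials through the
# classifier and show the label of grubenv plus the boolean state.
scan_live() {
  command -v ausearch >/dev/null 2>&1 || { echo "ausearch not available"; return 0; }
  ausearch -m AVC -c grub2-set-bootf --raw 2>/dev/null | while IFS= read -r rec; do
    grubenv_denial_fix "$rec" || true
  done
  ls -Z /boot/efi/EFI/fedora/grubenv 2>/dev/null   # boot_t => BIOS, dosfs_t => UEFI ESP
  getsebool xdm_manage_bootloader 2>/dev/null
}

if [ "${1:-}" = --live ]; then scan_live; fi
```

Run with `--live` on a Fedora host to scan the audit log; without arguments the functions are only defined and the sample records can be fed to `grubenv_denial_fix` by hand.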

Comment 1 nknazeko 2019-09-18 14:20:54 UTC
PR for Fedora: https://github.com/fedora-selinux/selinux-policy/pull/277

Comment 2 Lukas Vrabec 2019-09-19 08:25:39 UTC
commit 43a040b61451c4bc7f0cfc0132843621f0359b52
Author: Nikola Knazekova <nknazeko@redhat.com>
Date:   Tue Sep 10 18:47:52 2019 +0200

    Introduce xdm_manage_bootloader boolean
    
    Created xdm_manage_bootloader boolean to create, read, write, and delete files in the /boot directory & DOS filesystem.
    
    Fixed Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1750112#

Comment 3 Fedora Update System 2019-10-04 13:36:23 UTC
FEDORA-2019-6bbf3d600d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 4 Fedora Update System 2019-10-04 22:14:56 UTC
selinux-policy-3.14.3-48.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 5 Fedora Update System 2019-10-10 07:49:09 UTC
FEDORA-2019-6bbf3d600d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 6 Fedora Update System 2019-10-10 17:29:14 UTC
selinux-policy-3.14.3-49.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 7 Fedora Update System 2019-10-23 07:00:32 UTC
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 8 Fedora Update System 2019-10-25 19:34:06 UTC
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 9 Fedora Update System 2019-10-26 17:02:55 UTC
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 10 Fedora Update System 2019-10-27 03:54:53 UTC
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 11 Fedora Update System 2019-11-03 14:10:56 UTC
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 12 Fedora Update System 2019-11-04 02:10:20 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 13 Fedora Update System 2019-11-17 01:13:19 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.