Bug 1755828

Summary: SELinux prevents bitlbee from mmap()-ing the /usr/share/p11-kit/modules/p11-kit-trust.module file
Product: Fedora
Component: selinux-policy
Version: 31
Status: CLOSED ERRATA
Reporter: Milos Malik <mmalik>
Assignee: Richard Fiľo <rfilo>
QA Contact: Milos Malik <mmalik>
CC: dwalsh, lvrabec, mgrepl, plautrba, rfilo, zpytela
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.4-39.fc31
Clones: 1801183
Type: Bug
Last Closed: 2019-10-29 01:27:47 UTC

Description Milos Malik 2019-09-26 09:56:48 UTC
Description of problem:
 * the steps to reproduce lead to 2 different SELinux denials

Version-Release number of selected component (if applicable):
bitlbee-3.5.2-0.3.20180919git0b1448f.fc31.x86_64
selinux-policy-3.14.4-31.fc31.noarch
selinux-policy-targeted-3.14.4-31.fc31.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. start the bitlbee service
# systemctl start bitlbee
3. connect to the service
# tail -f /dev/null | nc -v 127.0.0.1 6667

Actual results:
----
type=PROCTITLE msg=audit(09/26/2019 05:50:29.824:321) : proctitle=/usr/sbin/bitlbee -F -n 
type=PATH msg=audit(09/26/2019 05:50:29.824:321) : item=0 name=/var/lib/bitlbee/ inode=536421 dev=fc:01 mode=dir,700 ouid=bitlbee ogid=bitlbee rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/26/2019 05:50:29.824:321) : cwd=/ 
type=SYSCALL msg=audit(09/26/2019 05:50:29.824:321) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x555bbbf65230 a1=W_OK a2=0x0 a3=0x7fe668501770 items=1 ppid=1 pid=1922 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 05:50:29.824:321) : avc:  denied  { dac_override } for  pid=1922 comm=bitlbee capability=dac_override  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(09/26/2019 05:51:14.090:322) : proctitle=/usr/sbin/bitlbee -F -n 
type=MMAP msg=audit(09/26/2019 05:51:14.090:322) : fd=16 flags=MAP_PRIVATE 
type=SYSCALL msg=audit(09/26/2019 05:51:14.090:322) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x386 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1922 pid=1945 auid=unset uid=bitlbee gid=bitlbee euid=bitlbee suid=bitlbee fsuid=bitlbee egid=bitlbee sgid=bitlbee fsgid=bitlbee tty=(none) ses=unset comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null) 
type=AVC msg=audit(09/26/2019 05:51:14.090:322) : avc:  denied  { map } for  pid=1945 comm=bitlbee path=/usr/share/p11-kit/modules/p11-kit-trust.module dev="vda1" ino=138682 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Additional info:
# getsebool -a | grep mmap
domain_can_mmap_files --> off
mmap_low_allowed --> off
wine_mmap_zero_ignore --> off
#
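The two denials above are easier to triage once the AVC records are pulled apart into their fields. The parser below is an added illustration, not code from this bug report, from bitlbee or from selinux-policy; the sample lines are copied from the description (one non-AVC record is included to show it being skipped). For a file or other object-class denial it prints the candidate allow rule in the same form audit2allow would, which for the second denial is the rule the policy fix in this bug adds; for a capability dac_override denial it deliberately proposes no rule, since, as the discussion later in this bug explains, that denial points at file ownership or mode rather than at a policy gap.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: records quoted in the description of this bug
# (ausearch -i style, one record per line).
SAMPLE_AUDIT = "\n".join([
    "type=PROCTITLE msg=audit(09/26/2019 05:50:29.824:321) : proctitle=/usr/sbin/bitlbee -F -n",
    "type=AVC msg=audit(09/26/2019 05:50:29.824:321) : avc:  denied  { dac_override } for  pid=1922 comm=bitlbee capability=dac_override  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0",
    "type=AVC msg=audit(09/26/2019 05:51:14.090:322) : avc:  denied  { map } for  pid=1945 comm=bitlbee path=/usr/share/p11-kit/modules/p11-kit-trust.module dev=\"vda1\" ino=138682 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0",
])

# "avc:  denied  { perm perm } for  key=value ..." ; the serial is the last
# number inside msg=audit(...).
AVC_RE = re.compile(
    r"msg=audit\([^)]*:(?P<serial>\d+)\)\s*:\s*avc:\s+(?P<decision>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value tokens; values such as dev="vda1" may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    serial: int
    decision: str
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    pid: int
    path: Optional[str]
    capability: Optional[str]
    permissive: bool

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # user:role:TYPE:level

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Return the parsed AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        perms=frozenset(m.group("perms").split()),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        comm=kv.get("comm", "?"),
        pid=int(kv.get("pid", "0")),
        path=kv.get("path"),
        capability=kv.get("capability"),
        permissive=kv.get("permissive") == "1",
    )


def parse_log(text: str) -> List[Avc]:
    return [a for a in map(parse_avc, text.splitlines()) if a is not None]


def triage(avc: Avc) -> str:
    """Classify one denial the way the discussion in this bug does."""
    if avc.decision != "denied":
        return "granted (auditallow), nothing to do"
    if avc.tclass == "capability" and "dac_override" in avc.perms:
        return ("capability dac_override: a uid-0 process hit a file whose DAC bits "
                "exclude root; fix the file's owner/mode rather than granting the capability")
    perms = sorted(avc.perms)
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f"policy gap on {avc.path or avc.tclass}: candidate rule "
            f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {perm_text};")


if __name__ == "__main__":
    for avc in parse_log(SAMPLE_AUDIT):
        print(f"[{avc.serial}] {avc.comm} ({avc.source_type}): {triage(avc)}")
```

Feed it `ausearch -i -m AVC` output instead of the sample to triage a live host; records that are not AVCs are dropped by `parse_avc`.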

Comment 2 Richard Fiľo 2019-09-30 14:50:43 UTC
The second SELinux denial will be fixed in the SELinux policy package.

SELinux denials that contain dac_override appear because the service runs as root, but in /var/lib/bitlbee/ there are no permissions for root. The owner and group of these files is bitlbee, and only the owner has read/write permissions.

# ls -l /var/lib/bitlbee/
total 4
drwx------. 3 bitlbee bitlbee 4096 Sep 27 11:22 purple
#

It is not an SELinux issue and it needs to be fixed in the bitlbee package.
When I change the group to root and add read/write permissions for the group, there are no more dac_override SELinux denials.

# chown -R bitlbee:root /var/lib/bitlbee
# chmod -R g+rwx /var/lib/bitlbee/
# ls -l /var/lib/bitlbee/
total 4
drwxrwx---. 3 bitlbee root 4096 Sep 27 11:22 purple
#

Proposed PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/145

More info about dac_override denials: https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
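The comment above describes the mechanism: the kernel only consults CAP_DAC_OVERRIDE (and so only asks SELinux about the `dac_override` capability) after the ordinary owner/group/other check has already failed for the root process. The following Python model is an added example, not code from this bug, from bitlbee or from selinux-policy. `capability_needed` is a simplified rendering of the ordering in the kernel's generic_permission() and returns the name of the first capability that would be consulted; the bitlbee uid/gid values are constructed; `bitlbee_case` replays the directory from this bug before and after the chown/chmod shown above; and `scan_tree` runs the same check over a real directory tree (such as /var/lib/bitlbee) to find entries that would trigger the same denial for a root-running service.

```python
import os
import stat
import sys
from typing import Iterable, List, Optional, Tuple

# Access bits as used by access(2); the SYSCALL record in this bug asked for W_OK.
R_OK, W_OK, X_OK = 4, 2, 1

# Constructed uid/gid for the bitlbee account; the real values differ per host.
BITLBEE_UID, BITLBEE_GID = 975, 975


def dac_allows(mode: int, owner_uid: int, owner_gid: int,
               uid: int, groups: Iterable[int], requested: int) -> bool:
    """Plain discretionary check: exactly one of the owner/group/other
    triplets applies to the caller, and it must grant every requested bit."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in set(groups):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & requested == requested


def capability_needed(mode: int, owner_uid: int, owner_gid: int, requested: int,
                      uid: int = 0, groups: Iterable[int] = (0,)) -> Optional[str]:
    """Name of the first capability the kernel consults once DAC says no
    (simplified from generic_permission()). None means DAC alone allows the
    access; "eacces" means no capability helps. For a confined domain that is
    not allowed the capability, this name is what appears in the AVC record."""
    if dac_allows(mode, owner_uid, owner_gid, uid, groups, requested):
        return None
    if stat.S_ISDIR(mode):
        # Reading or searching a directory falls back to CAP_DAC_READ_SEARCH;
        # writing into it (the access(W_OK) in this bug) needs CAP_DAC_OVERRIDE.
        return "dac_override" if requested & W_OK else "dac_read_search"
    # Regular file: read/write are overridable, execute only if some x bit is set.
    if not (requested & X_OK) or (mode & 0o111):
        return "dac_override"
    return "eacces"


def bitlbee_case() -> Tuple[Optional[str], Optional[str]]:
    """/var/lib/bitlbee as reported (bitlbee:bitlbee 0700) and after the
    chown/chmod from comment 2 (bitlbee:root 0770), checked for root and W_OK."""
    before = capability_needed(stat.S_IFDIR | 0o700, BITLBEE_UID, BITLBEE_GID, W_OK)
    after = capability_needed(stat.S_IFDIR | 0o770, BITLBEE_UID, 0, W_OK)
    return before, after


def scan_tree(top: str, requested: int = W_OK) -> List[Tuple[str, str]]:
    """Walk a service's state directory and list every entry that root can
    only reach through a capability, i.e. a dac_override candidate."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(top):
        for entry in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(entry)
            cap = capability_needed(st.st_mode, st.st_uid, st.st_gid, requested)
            if cap is not None:
                hits.append((entry, cap))
    return hits


if __name__ == "__main__":
    print("bitlbee dir before/after fix:", bitlbee_case())   # ('dac_override', None)
    top = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/bitlbee"
    if os.path.isdir(top):
        for path, cap in scan_tree(top):
            print(f"{path}: root needs {cap} for W_OK")
```

The model shows why the chown to group root is sufficient: root is a member of group root, so the group triplet is the one consulted, and with g+rwx the write check succeeds before any capability is looked at. Making the files root-owned or granting the domain the capability would silence the denial too, but the first changes who owns the service's data and the second removes a useful guard, which is why the comment above treats this as a packaging fix.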

Comment 3 Lukas Vrabec 2019-10-02 19:13:59 UTC
PR Merged. 

commit c916dd32cc8d2b223721a7a85e4eaf14dba77b62 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Fri Sep 27 15:30:12 2019 +0200

    Allow bitlbee_t domain map files in /usr
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1755828
    
    Signed-off-by: Richard Filo <rfilo>

Comment 4 Miro Hrončok 2019-10-22 08:46:50 UTC
I got an e-mail from Bugzilla that there is a needinfo for me. I'm so sorry that I haven't responded sooner, must have missed the original e-mail.

What kind of info is needed and why from me?

Comment 5 Richard Fiľo 2019-10-23 13:03:43 UTC
If you are the maintainer of the bitlbee package, I wanted to inform you about the incorrectly set owner and permissions on the /var/lib/bitlbee/ directories; see above.

Comment 6 Miro Hrončok 2019-10-23 14:08:41 UTC
I'm not, sorry.

Comment 7 Fedora Update System 2019-10-26 16:59:21 UTC
FEDORA-2019-7d65c50fd6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 8 Fedora Update System 2019-10-27 04:02:47 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-7d65c50fd6

Comment 9 Fedora Update System 2019-10-29 01:27:47 UTC
selinux-policy-3.14.4-39.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.