Bug 1756006

Summary: dracut/ldconfig cannot run as a service
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: medium
Version: 8.0
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Keywords: AutoVerified, Patch
Target Release: 8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-22.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 16:41:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2019-09-26 15:01:53 UTC
This bug was initially created as a copy of Bug #1756005

Description of problem:

When trying to execute dracut as a service, we can see ldconfig fails due to not being able to read/write files from dracut's temporary directory used as its chroot.
This happens while "ldconfig -r /var/tmp/dracut..." is executed:

/usr/sbin/dracut:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
1628     if ! ldconfig -r "$initdir"; then
1629         if [[ $EUID = 0 ]]; then
1630             derror "ldconfig exited ungracefully"
1631         else
1632             derror "ldconfig might need uid=0 (root) for chroot()"
1633         fi
1634     fi
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

It appears that the policy is missing many rules to allow this (and IMHO this should be allowed: it's perfectly legit to automatically rebuild the initramfs based on some custom trigger):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module my-ldconfig 1.0;

require {
	type initrc_tmp_t;
	type netutils_t;
	type ldconfig_t;
	class fifo_file write;
	class dir { add_name read remove_name write };
	class file { create map rename setattr };
}

#============= ldconfig_t ==============
allow ldconfig_t initrc_tmp_t:dir { add_name read remove_name write };
allow ldconfig_t initrc_tmp_t:fifo_file write;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ldconfig_t initrc_tmp_t:file map;
allow ldconfig_t initrc_tmp_t:file { create rename setattr };

#============= netutils_t ==============
allow netutils_t initrc_tmp_t:fifo_file write;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Note that the "netutils_t" rule is needed for giving back the hostname to ldconfig. Well, not so sure: on RHEL7 it was "hostname_t", but now it seems it's arping which is called for that task.


Version-Release number of selected component (if applicable):

selinux-policy-3.14.1-61.el8_0.2.noarch


How reproducible:

Always


Steps to Reproduce:
1. Create a service calling dracut

# cat > /etc/systemd/system/dracut.service << EOF
[Service]
Type=oneshot
ExecStart=/bin/bash -c "dracut -f /boot/initramfs-$(uname -r).img $(uname -r)"
EOF

# systemctl daemon-reload

2. Execute the service

# systemctl start dracut


Actual results:

AVCs


Expected results:

No AVC

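The allow rules in the reporter's module are the kind of output audit2allow derives from AVC denial records. The following Python script is an added example, not part of the bug report or of the selinux-policy project: it parses audit.log-style `type=AVC` lines, groups denied permissions by (source type, target type, class), and renders them in the same `.te` layout as the module above. The AVC lines in `SAMPLE_AUDIT_LOG` are constructed to match those rules (the report itself quotes no AVC text), the function names are hypothetical, and the only boolean hint it knows (`domain_can_mmap_files` for `file map`) is the one the reporter's audit2allow output mentions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (the bug report itself shows no AVC text);
# the denials are chosen to mirror the allow rules in the reporter's module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1569510113.101:201): avc:  denied  { read } for  pid=2301 comm="ldconfig" name="dracut.xyz" dev="dm-0" ino=101 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1569510113.102:202): avc:  denied  { write add_name } for  pid=2301 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1569510113.103:203): avc:  denied  { create } for  pid=2301 comm="ldconfig" name="ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1569510113.104:204): avc:  denied  { map } for  pid=2301 comm="ldconfig" path="/var/tmp/dracut.xyz/etc/ld.so.cache~" scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1569510113.105:205): avc:  denied  { write } for  pid=2310 comm="arping" path="pipe:[44321]" scontext=system_u:system_r:netutils_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1569510113.105:205): arch=c000003e syscall=1 success=no exit=-13 comm="arping" exe="/usr/sbin/arping" subj=system_u:system_r:netutils_t:s0
"""

# Kernel AVC denial record: permissions in braces, then source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Permission that the reporter's audit2allow output flagged as toggleable by a
# boolean instead of a custom rule (taken from the module in the bug report).
BOOLEAN_ALTERNATIVES = {("file", "map"): "domain_can_mmap_files"}


def context_type(ctx):
    """user:role:type:level -> type (third field of the security context)."""
    return ctx.split(":")[2]


def parse_avc_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        if not line.startswith("type=AVC "):
            continue  # SYSCALL, PATH, ... records carry no permission set
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def fmt_perms(perms):
    """Single permission bare, several in sorted braces, as in .te source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_allow_rules(denials):
    """One allow rule per (source, target, class) key, in sorted order."""
    rules = []
    for (stype, ttype, tclass) in sorted(denials):
        perms = denials[(stype, ttype, tclass)]
        rules.append(f"allow {stype} {ttype}:{tclass} {fmt_perms(perms)};")
    return rules


def render_module(name, denials):
    """Complete .te source in the same layout as the reporter's module."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for rule, key in zip(render_allow_rules(denials), sorted(denials)):
        # Point out permissions a stock boolean would grant without a custom rule.
        for perm in sorted(denials[key]):
            boolean = BOOLEAN_ALTERNATIVES.get((key[2], perm))
            if boolean:
                out.append(f"#!!!! '{perm}' can be allowed using the boolean '{boolean}'")
        out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("my-ldconfig", parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Run it to print a module equivalent to the reporter's; on a real system you would feed it `ausearch -m AVC` output instead of the embedded sample, and still prefer the boolean (or, as this bug's fix shows, an updated selinux-policy package) over loading a broad local module, since the rules are granted permanently to `ldconfig_t` and `netutils_t` regardless of which service triggered them.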
Comment 17 errata-xmlrpc 2020-04-28 16:41:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773