Bug 1769221

Summary: the rdisc service uses NoNewPrivileges=yes and triggers SELinux denials
Product: [Fedora] Fedora Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Richard Fiľo <rfilo>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 31CC: dwalsh, lvrabec, mgrepl, plautrba, rfilo, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.4-44.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-21 01:38:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2019-11-06 08:09:04 UTC
Description of problem:
# grep NoNew /usr/lib/systemd/system/rdisc.service 
NoNewPrivileges=yes
# sesearch -t rdisc_t -c process2 -p nnp_transition -A
#

Version-Release number of selected component (if applicable):
iputils-20190515-3.fc31.x86_64
selinux-policy-3.14.4-40.fc31.noarch
selinux-policy-devel-3.14.4-40.fc31.noarch
selinux-policy-targeted-3.14.4-40.fc31.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. start the rdisc service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(11/06/2019 02:49:59.826:341) : proctitle=/usr/sbin/rdisc -f -t 
type=PATH msg=audit(11/06/2019 02:49:59.826:341) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=136860 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/06/2019 02:49:59.826:341) : item=0 name=/usr/sbin/rdisc inode=146819 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rdisc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/06/2019 02:49:59.826:341) : cwd=/ 
type=EXECVE msg=audit(11/06/2019 02:49:59.826:341) : argc=3 a0=/usr/sbin/rdisc a1=-f a2=-t 
type=BPRM_FCAPS msg=audit(11/06/2019 02:49:59.826:341) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pi=net_raw old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pa=net_raw pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pi=net_raw pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pa=net_raw frootid=0 
type=SYSCALL msg=audit(11/06/2019 02:49:59.826:341) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555d92d279b0 a1=0x555d92e6eed0 a2=0x555d92dc5060 a3=0x7 items=2 ppid=1 pid=22728 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(11/06/2019 02:49:59.826:341) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:rdisc_t:s0 
type=AVC msg=audit(11/06/2019 02:49:59.826:341) : avc:  denied  { nnp_transition } for  pid=22728 comm=(rdisc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rdisc_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 02:49:59.830:342) : proctitle=/usr/sbin/rdisc -f -t 
type=SYSCALL msg=audit(11/06/2019 02:49:59.830:342) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=icmp a3=0x7fc20cb84ac0 items=0 ppid=1 pid=22728 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(11/06/2019 02:49:59.830:342) : avc:  denied  { create } for  pid=22728 comm=rdisc scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=0
----

Expected results:
 * the scenario does not trigger SELinux denials
 * the rdisc service runs successfully in enforcing mode

Comment 2 Richard Fiľo 2019-11-28 17:00:28 UTC
Link to scratch build with fix: https://copr-be.cloud.fedoraproject.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01120048-selinux-policy/

It should be fixed in the selinux-policy packages.

RP: https://github.com/fedora-selinux/selinux-policy-contrib/pull/171

Comment 4 Fedora Update System 2020-01-14 01:43:30 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7

Comment 6 Fedora Update System 2020-01-21 01:38:41 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.