Bug 1770221

Summary: Allow cockpit-session to glob /run/cockpit/tls/
Product: Fedora
Reporter: Martin Pitt <mpitt>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 31
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.4-43.fc31
Doc Type: If docs needed, set a value
Last Closed: 2019-12-11 02:05:46 UTC
Type: Bug

Description Martin Pitt 2019-11-08 14:18:44 UTC
As part of teaching Cockpit about client-cert authentication I had to make some SELinux policy modifications, [1], [2], and for this bug report,

  https://github.com/fedora-selinux/selinux-policy-contrib/pull/130

This is contained in F30 and F31. With that, cockpit-session can (or at least used to be able to) read a particular file in /run/cockpit/tls/some.cert.

But because reasons I now also need cockpit-session to read that directory, in particular running glob(3) on /run/cockpit/tls/%s-*.cert.

But glob fails with GLOB_ABORTED, and I get this:

AVC avc:  denied  { read } for  pid=10855 comm="cockpit-session" name="tls" dev="tmpfs" ino=53185 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=dir permissive=0

So apparently that gets as far as opening /run/cockpit and reading the "tls" directory entry in it. But I don't quite understand this -- the rule in PR #130 says

   read_files_pattern(cockpit_session_t, cockpit_var_run_t, cockpit_var_run_t)

which at least matches the source context (cockpit_session_t) and target context (cockpit_var_run_t)? Does read_files_pattern() perhaps need an additional operation, even though the message says { read }?

I also tried with my old local workaround, which is more direct and doesn't use the macros:

    allow cockpit_session_t cockpit_var_run_t:file { open read map getattr };

and it has the same problem.

The files and dirs have the right context, AFAICS:

/run/cockpit/:
drwxr-xr-x. 2 cockpit-ws cockpit-ws system_u:object_r:cockpit_var_run_t:s0  40 Nov  8 09:09 tls

/run/cockpit/tls:
total 4
-rw-r--r--. 1 cockpit-ws cockpit-ws system_u:object_r:cockpit_var_run_t:s0 1099 Nov  8 09:09 b7bc12ed3b825d0ace739b2b76f99747f84cb8caafa6397769aff5bcb5a2781a-6.cert


[1] https://github.com/fedora-selinux/selinux-policy-contrib/pull/114
[2] https://github.com/fedora-selinux/selinux-policy-contrib/pull/161

Comment 1 Lukas Vrabec 2019-11-08 15:49:06 UTC
Hi Martin,

You also need to allow listing directories labeled cockpit_var_run_t (see tclass=dir in your SELinux denial); you can easily fix it using this macro:

 list_dirs_pattern(cockpit_session_t, cockpit_var_run_t, cockpit_var_run_t)

Could you please create a new PR? :)

Thanks,
Lukas.

Comment 2 Martin Pitt 2019-11-09 11:47:45 UTC
Thanks Lukas! That was it. I tested this locally with

    allow cockpit_session_t cockpit_var_run_t:dir { getattr search open read };

(the expansion of search_dir_perms and list_dir_perms) and that worked fine. I sent https://github.com/fedora-selinux/selinux-policy-contrib/pull/162
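The question in the description (why read_files_pattern() does not satisfy a { read } denial on tclass=dir) and the answer in comments 1 and 2 come down to which permission sets the refpolicy pattern macros expand to. The following is an added example, not code from the bug report or from the selinux-policy project: it parses AVC denial lines like the one quoted above and checks them against the expansions of read_files_pattern() and list_dirs_pattern(). The permission sets (search_dir_perms, list_dir_perms, read_file_perms) are reproduced from refpolicy as an assumption of this example rather than read from an installed policy, and the macro grants are modelled for the call form macro(source, T, T) used in PR #130, where the container directory and the target object share one type.

```python
import re

# refpolicy permission sets (obj_perm_sets.spt), reproduced here as an
# assumption of this example rather than read from an installed policy.
SEARCH_DIR_PERMS = {"getattr", "search", "open"}
LIST_DIR_PERMS = SEARCH_DIR_PERMS | {"read", "lock", "ioctl"}
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}

# What each pattern macro grants per object class when called as
# macro(source, T, T), i.e. with the same type for the container directory
# ($2) and the target object ($3), as PR #130 does for cockpit_var_run_t.
MACRO_GRANTS = {
    # allow $1 $2:dir search_dir_perms; allow $1 $3:file read_file_perms;
    "read_files_pattern": {"dir": SEARCH_DIR_PERMS, "file": READ_FILE_PERMS},
    # allow $1 $2:dir search_dir_perms; allow $1 $3:dir list_dir_perms;
    "list_dirs_pattern": {"dir": SEARCH_DIR_PERMS | LIST_DIR_PERMS},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def _type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Extract denied permissions, source/target types and object class from one AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError(f"not an AVC denial: {line!r}")
    return {
        "perms": set(m.group("perms").split()),
        "source": _type_of(m.group("scontext")),
        "target": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def missing_perms(macro, avc):
    """Permissions in the denial that `macro` would NOT grant on avc['tclass']."""
    granted = MACRO_GRANTS[macro].get(avc["tclass"], set())
    return avc["perms"] - granted


def suggest_rule(avc):
    """First listed pattern macro that covers the denial, else a raw allow rule."""
    for macro in MACRO_GRANTS:
        if not missing_perms(macro, avc):
            return f"{macro}({avc['source']}, {avc['target']}, {avc['target']})"
    perms = " ".join(sorted(avc["perms"]))
    return f"allow {avc['source']} {avc['target']}:{avc['tclass']} {{ {perms} }};"


# The denial quoted in the bug description.
BUG_AVC = ('AVC avc:  denied  { read } for  pid=10855 comm="cockpit-session" name="tls" '
           'dev="tmpfs" ino=53185 scontext=system_u:system_r:cockpit_session_t:s0 '
           'tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=dir permissive=0')

if __name__ == "__main__":
    avc = parse_avc(BUG_AVC)
    print("read_files_pattern leaves denied:", missing_perms("read_files_pattern", avc))
    print("suggested:", suggest_rule(avc))
```

Run against the line from the description, missing_perms("read_files_pattern", ...) reports { read }: the macro only grants search_dir_perms on the directory, and dir:read is what opendir/readdir (and therefore glob(3)) needs, which is exactly the permission list_dir_perms adds on top of search_dir_perms. On a real system audit2allow -R does the analogous mapping against the installed reference policy; this toy version exists only to make the gap between the two macros visible.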

Comment 3 Lukas Vrabec 2019-11-11 08:04:41 UTC
PR merged to Fedora Rawhide, F31 and F30

Comment 4 Fedora Update System 2019-11-22 16:17:20 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 5 Fedora Update System 2019-11-23 02:39:09 UTC
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 6 Fedora Update System 2019-12-06 18:02:25 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 7 Fedora Update System 2019-12-07 03:38:17 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 8 Fedora Update System 2019-12-11 02:05:46 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.