Bug 1860924
| Summary: | SELinux prevents dbus-daemon from reading symlinks in /run/systemd/dynamic-uid directory | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> | ||||||
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | --- | CC: | aegorenk, jfrieben, lvrabec, mmalik, msekleta, plautrba, ssekidde, tis | ||||||
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged | ||||||
| Target Release: | 8.5 | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | selinux-policy-3.14.3-69.el8 | Doc Type: | No Doc Update | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2021-11-09 19:42:28 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1925828 | ||||||||
| Attachments: |
|
||||||||
Here is the only SELinux denial which appeared in permissive mode:
----
type=PROCTITLE msg=audit(07/27/2020 09:08:35.060:339) : proctitle=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
type=PATH msg=audit(07/27/2020 09:08:35.060:339) : item=0 name=/run/systemd/dynamic-uid/direct:62803 inode=38687 dev=00:18 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/27/2020 09:08:35.060:339) : cwd=/
type=SYSCALL msg=audit(07/27/2020 09:08:35.060:339) : arch=x86_64 syscall=readlinkat success=yes exit=13 a0=0xffffff9c a1=0x7ffe508dcb30 a2=0x55974a9ca6f0 a3=0x63 items=1 ppid=1 pid=673 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/27/2020 09:08:35.060:339) : avc: denied { read } for pid=673 comm=dbus-daemon name=direct:62803 dev="tmpfs" ino=38687 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=1
----
# grep -R DynamicUser=yes /usr/lib/systemd/system/ /usr/lib/systemd/system/fwupd-refresh.service:DynamicUser=yes # I'm looking for other services which may trigger similar SELinux denials. # pwd
/usr/lib/systemd/system
# grep -Ri dynamicuser *
fwupd-refresh.service:DynamicUser=yes
systemd-journal-gatewayd.service:DynamicUser=yes
systemd-journal-upload.service:DynamicUser=yes
#
Above-mentioned services trigger the following SELinux denial either during their start or during their stop:
----
type=PROCTITLE msg=audit(07/27/2020 09:42:35.948:1808) : proctitle=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
type=PATH msg=audit(07/27/2020 09:42:35.948:1808) : item=0 name=/run/systemd/dynamic-uid/direct:63112 inode=137151 dev=00:18 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/27/2020 09:42:35.948:1808) : cwd=/
type=SYSCALL msg=audit(07/27/2020 09:42:35.948:1808) : arch=x86_64 syscall=readlinkat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffe508dbf80 a2=0x55974a9ca6f0 a3=0x63 items=1 ppid=1 pid=673 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/27/2020 09:42:35.948:1808) : avc: denied { read } for pid=673 comm=dbus-daemon name=direct:63112 dev="tmpfs" ino=137151 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0
----
AVC occurs because dbus-daemon tries to resolve information (user record) about systemd-journal-gateway user via systemd nss module and that in turn tries to dereference the symlink. I think allowing this in policy is OK. However, the challenge is how to make this scaleable because in theory any application running in some SELinux domain could start resolving such user records and hence generate similar AVCs. *** Bug 1892547 has been marked as a duplicate of this bug. *** Created attachment 1773644 [details]
Add interface to init policy for reading init_var_run_t lnk_file
Created attachment 1773645 [details]
Use new interface to allow reading lnk_file
I propose these patches to fix this issue.
Needs to be backported:
commit f561c3f817eb9da478a337a7633c8ded9dd76bec (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Wed May 26 15:31:03 2021 +0200
Allow nsswitch_domain read init pid lnk_files
(In reply to Tuomo Soini from comment #15) > Created attachment 1773645 [details] > Use new interface to allow reading lnk_file > > I propose these patches to fix this issue. Tuomo, Thank you for the patches. I decided to allow the permission for nsswitch_domain and use a different interface name. Please continue in your effort, preferably use a github pull request: https://github.com/fedora-selinux/selinux-policy/pulls Needs backporting:
commit f561c3f817eb9da478a337a7633c8ded9dd76bec
Author: Zdenek Pytela <zpytela>
Date: Wed May 26 15:31:03 2021 +0200
Allow nsswitch_domain read init pid lnk_files
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4420 |
Description of problem: Version-Release number of selected component (if applicable): fwupd-1.4.1-1.el8.x86_64 selinux-policy-3.14.3-48.el8.noarch selinux-policy-targeted-3.14.3-48.el8.noarch How reproducible: * always Steps to Reproduce: 1. get a RHEL-8.3 machine (targeted policy is active) 2. start the fwupd-refresh service 3. search for SELinux denials Actual results (enforcing mode): ---- type=PROCTITLE msg=audit(07/27/2020 09:06:58.618:335) : proctitle=/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only type=PATH msg=audit(07/27/2020 09:06:58.618:335) : item=0 name=/run/systemd/dynamic-uid/direct:62803 inode=38503 dev=00:18 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(07/27/2020 09:06:58.618:335) : cwd=/ type=SYSCALL msg=audit(07/27/2020 09:06:58.618:335) : arch=x86_64 syscall=readlinkat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffe508dcb30 a2=0x55974a9ca6f0 a3=0x63 items=1 ppid=1 pid=673 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-daemon exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(07/27/2020 09:06:58.618:335) : avc: denied { read } for pid=673 comm=dbus-daemon name=direct:62803 dev="tmpfs" ino=38503 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=lnk_file permissive=0 ---- Expected results: * no SELinux denials