Bug 1868657

Summary: Fix SELinux policy to allow nnp and nosuid transitions
Product: Red Hat Enterprise Linux 8
Component: osbuild
Version: 8.3
Status: CLOSED ERRATA
Reporter: Christian Kellner <ckellner>
Assignee: Christian Kellner <ckellner>
QA Contact: Release Test Team <release-test-team-automation>
CC: atodorov, tgunders
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: 8.3
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: osbuild-18-3.el8
Type: Bug
Last Closed: 2020-11-04 02:52:16 UTC

Description Christian Kellner 2020-08-13 12:21:33 UTC
osbuild ships with a special SELinux policy to allow it to set SELinux labels inside a container that are unknown to the host. For this we have domain transition rules that allow the setfiles binary, which is used for the actual labelling, to transition into the setfiles_mac_t domain.
For binaries that have the no-new-privs (nnp) flag set, or where the underlying file system was mounted with the nosuid flag, different transition rules are required, and these are missing in osbuild-18.

The missing rules have been added upstream:
https://github.com/osbuild/osbuild/pull/495

Comment 1 Tom Gundersen 2020-08-13 12:37:50 UTC
This may be triggered in production when osbuild is used by osbuild-composer if the admin has mounted a custom filesystem on /var/cache/osbuild-composer, which has the nosuid flag set. This is not the default setup, but it is not unreasonable. I have not verified that this actually triggers the bug.
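The rules the description and the comment above refer to, shown as an added illustration rather than osbuild's own policy module or the contents of the linked pull request. Only setfiles_mac_t is taken from the page; osbuild_t (the domain that runs setfiles) and setfiles_exec_t (the entry-point type of the setfiles binary) are assumed names for the illustration, and the fragment omits the require block a real module would need.

```selinux
# Illustrative SELinux policy fragment (added example, not osbuild's policy).
# Assumed names: osbuild_t is the caller's domain, setfiles_exec_t the
# entry-point type of the setfiles binary. setfiles_mac_t is from the report.

type osbuild_t;
type setfiles_mac_t;
type setfiles_exec_t;

# Ordinary domain transition: when osbuild_t executes a setfiles_exec_t
# file, the new process runs in setfiles_mac_t. This is the part that a
# policy can have while still failing under nnp or nosuid.
allow osbuild_t setfiles_exec_t:file { read getattr open execute };
allow osbuild_t setfiles_mac_t:process transition;
allow setfiles_mac_t setfiles_exec_t:file entrypoint;
type_transition osbuild_t setfiles_exec_t:process setfiles_mac_t;

# The extra rule the bug is about. If the calling process has
# PR_SET_NO_NEW_PRIVS set, or the binary lives on a mount with the nosuid
# option, the kernel additionally checks these permissions on the process2
# class (when the nnp_nosuid_transition policy capability is enabled).
# Without them the exec is refused unless setfiles_mac_t is typebounded by
# osbuild_t, so the relabelling step fails instead of running in the
# intended domain.
allow osbuild_t setfiles_mac_t:process2 { nnp_transition nosuid_transition };
```

The second condition is the one Comment 1 describes: an administrator-mounted file system under /var/cache/osbuild-composer carrying nosuid. Whether a given mount has that option can be read with `findmnt -no OPTIONS /var/cache/osbuild-composer`, and a denial of the transition shows up in the audit log as an AVC on the process2 class with the nosuid_transition or nnp_transition permission.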

Comment 4 Christian Kellner 2020-09-04 09:55:30 UTC
I forgot to put this into MODIFIED when I pushed osbuild-18-3.el8 to fix this. Sorry for the delay!

Comment 10 errata-xmlrpc 2020-11-04 02:52:16 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (osbuild, cockpit-composer and osbuild composer bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4674