Bug 1874491

Summary: SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
Product: [Fedora] Fedora
Reporter: Milos Malik <mmalik>
Component: fapolicyd
Assignee: Radovan Sroka <rsroka>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 33
CC: rsroka, sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: fapolicyd-1.0.1-1.fc34 fapolicyd-1.0.1-1.eln105 fapolicyd-1.0.1-1.fc32 fapolicyd-1.0.1-1.fc33
Doc Type: If docs needed, set a value
Last Closed: 2020-11-17 08:51:49 UTC
Type: Bug

Description Milos Malik 2020-09-01 13:39:29 UTC
Description of problem:
 * the fapolicyd service runs OK but 1 SELinux denial is triggered

Version-Release number of selected component (if applicable):
fapolicyd-1.0-4.fc33.x86_64
fapolicyd-selinux-1.0-4.fc33.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. start the fapolicyd service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/01/2020 15:29:52.119:2483) : proctitle=/usr/sbin/fapolicyd 
type=PATH msg=audit(09/01/2020 15:29:52.119:2483) : item=0 name=/run/dbus/system_bus_socket inode=24817 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/01/2020 15:29:52.119:2483) : cwd=/ 
type=SOCKADDR msg=audit(09/01/2020 15:29:52.119:2483) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(09/01/2020 15:29:52.119:2483) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xa a1=0x56167d4f46f0 a2=0x1e a3=0x7ffc9ce8ec04 items=1 ppid=1 pid=21181 auid=unset uid=fapolicyd gid=fapolicyd euid=fapolicyd suid=fapolicyd fsuid=fapolicyd egid=fapolicyd sgid=fapolicyd fsgid=fapolicyd tty=(none) ses=unset comm=fapolicyd exe=/usr/sbin/fapolicyd subj=system_u:system_r:fapolicyd_t:s0 key=(null) 
type=AVC msg=audit(09/01/2020 15:29:52.119:2483) : avc:  denied  { write } for  pid=21181 comm=fapolicyd name=system_bus_socket dev="tmpfs" ino=24817 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-09-01 13:41:17 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(09/01/2020 15:40:12.676:2532) : proctitle=/usr/sbin/fapolicyd 
type=PATH msg=audit(09/01/2020 15:40:12.676:2532) : item=0 name=/run/dbus/system_bus_socket inode=24817 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/01/2020 15:40:12.676:2532) : cwd=/ 
type=SOCKADDR msg=audit(09/01/2020 15:40:12.676:2532) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(09/01/2020 15:40:12.676:2532) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xa a1=0x5621e70666f0 a2=0x1e a3=0x7ffc37010fe4 items=1 ppid=1 pid=21273 auid=unset uid=fapolicyd gid=fapolicyd euid=fapolicyd suid=fapolicyd fsuid=fapolicyd egid=fapolicyd sgid=fapolicyd fsgid=fapolicyd tty=(none) ses=unset comm=fapolicyd exe=/usr/sbin/fapolicyd subj=system_u:system_r:fapolicyd_t:s0 key=(null) 
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { connectto } for  pid=21273 comm=fapolicyd path=/run/dbus/system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { write } for  pid=21273 comm=fapolicyd name=system_bus_socket dev="tmpfs" ino=24817 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=USER_AVC msg=audit(09/01/2020 15:40:12.677:2533) : pid=611 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
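
The denials above as an added example (not part of the bug report or of the fapolicyd policy): a small parser that reads the AVC and USER_AVC records, reports which permissions only surfaced in permissive mode, and renders them as the raw allow rules an audit2allow-style review would start from. The sample records are abridged from the ones quoted here, the function names are hypothetical, and the generated rules are not the fix that shipped in fapolicyd-1.0.1.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/USER_AVC records quoted in this report, abridged to the
# fields the parser reads (record 1 is from enforcing mode, records 2-4 from permissive).
SAMPLE = """\
type=AVC msg=audit(09/01/2020 15:29:52.119:2483) : avc:  denied  { write } for  pid=21181 comm=fapolicyd name=system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { connectto } for  pid=21273 comm=fapolicyd path=/run/dbus/system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { write } for  pid=21273 comm=fapolicyd name=system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
type=USER_AVC msg=audit(09/01/2020 15:40:12.677:2533) : pid=611 uid=dbus msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<s>\S+)"
    r"\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)(?:\s+permissive=(?P<mode>[01]))?")

def ctx_type(context):
    """user:role:type:level[:categories] -> type, the field allow rules are written on."""
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per AVC or USER_AVC denial found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({"source": ctx_type(m["s"]), "target": ctx_type(m["t"]),
                            "tclass": m["cls"], "perms": m["perms"].split(),
                            "permissive": m["mode"] == "1"})
    return denials

def hidden_by_enforcing(denials):
    """(class, perm) pairs seen only in permissive mode: enforcing mode stopped
    connect() at the first denied check, so the later checks were never reached."""
    seen = {True: set(), False: set()}
    for d in denials:
        seen[d["permissive"]].update((d["tclass"], p) for p in d["perms"])
    return seen[True] - seen[False]

def allow_rules(denials):
    """Merge denials per (source, target, class) into candidate allow rules for review."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        rules.append(f"allow {src} {tgt}:{cls} {p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'};")
    return rules
```
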

Comment 2 Milos Malik 2020-10-08 15:36:55 UTC
Test coverage for this bug exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/117

The PR waits for review.

Comment 3 Fedora Update System 2020-11-17 08:51:49 UTC
FEDORA-2020-580dc8d3ba has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 4 Fedora Update System 2020-11-17 08:55:40 UTC
FEDORA-2020-e2dc088972 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e2dc088972

Comment 5 Fedora Update System 2020-11-17 08:57:48 UTC
FEDORA-2020-165e765d4e has been pushed to the Fedora ELN stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 6 Fedora Update System 2020-11-17 09:03:07 UTC
FEDORA-2020-daefd8b8f6 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-daefd8b8f6

Comment 7 Fedora Update System 2020-11-17 09:10:21 UTC
FEDORA-2020-6323ce5fcf has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6323ce5fcf

Comment 8 Fedora Update System 2020-11-18 01:08:33 UTC
FEDORA-2020-e2dc088972 has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e2dc088972`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e2dc088972

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2020-11-18 01:25:46 UTC
FEDORA-2020-daefd8b8f6 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-daefd8b8f6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-daefd8b8f6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2020-11-18 01:48:27 UTC
FEDORA-2020-6323ce5fcf has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6323ce5fcf`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6323ce5fcf

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2020-11-27 01:11:31 UTC
FEDORA-2020-daefd8b8f6 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 12 Fedora Update System 2020-11-27 01:21:19 UTC
FEDORA-2020-e2dc088972 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make a note of it in this bug report.