Bug 1898694

Summary: Add setgid capability into policy for tcsd
Product: Red Hat Enterprise Linux 8
Reporter: Jerry Snitselaar <jsnitsel>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.4
CC: ksrot, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Keywords: Triaged
Target Release: 8.4
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-05-18 14:58:17 UTC
Type: Bug
Bug Blocks: 1882414

Description Jerry Snitselaar 2020-11-17 20:43:06 UTC
Description of problem: A fix for the tcsd daemon in the trousers package makes
use of setgid. While fixing a coverity scan complaint about checking the return value of setgid, I noticed that selinux didn't like tcsd trying to setgid.

Zdenek Pytela suggests that a setgid capability should be added after:

allow tcsd_t self:capability { dac_read_search dac_override setuid };

in contrib/tcsd.te

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
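The description asks for a permission to be added to an existing `allow tcsd_t self:capability { ... }` rule after an SELinux denial was observed. The following is an added example, not code from the bug report or from the selinux-policy project: it parses AVC denial records for the `capability` class out of an audit log, renders them as allow rules, and merges them into the existing tcsd.te rule quoted above, reporting which denied permissions that rule does not yet cover. The audit lines are constructed to resemble what auditd would record; the `tcsd_t` contexts and the existing rule are the ones quoted in the bug, everything else (pids, timestamps, function names) is made up for the example.

```python
"""Turn SELinux AVC 'capability' denials into policy allow rules and check
them against an existing rule from a .te file. Added example, not from the
bug report or selinux-policy."""
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (made up for this example; not output
# from the reporter's system). CAP_SETGID is capability 6, CAP_SETUID is 7.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1605644586.123:456): avc:  denied  { setgid } for  pid=3656 comm="tcsd" capability=6  scontext=system_u:system_r:tcsd_t:s0 tcontext=system_u:system_r:tcsd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1605644586.123:456): arch=c000003e syscall=106 success=no exit=-1 comm="tcsd" exe="/sbin/tcsd" subj=system_u:system_r:tcsd_t:s0 key=(null)
type=AVC msg=audit(1605644586.130:457): avc:  denied  { setuid } for  pid=3656 comm="tcsd" capability=7  scontext=system_u:system_r:tcsd_t:s0 tcontext=system_u:system_r:tcsd_t:s0 tclass=capability permissive=0
"""

# The rule as it stands in contrib/tcsd.te before the fix (quoted in the bug).
EXISTING_RULE = "allow tcsd_t self:capability { dac_read_search dac_override setuid };"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*?)\s*\};\s*$")


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return {(source_type, target, tclass): set(perms)}.

    The target is written as 'self' when source and target type are the same,
    which is how the tcsd.te rule above is written."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records etc. carry no denial
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        target = "self" if src == tgt else tgt
        denials[(src, target, m.group("tclass"))].update(m.group("perms").split())
    return dict(denials)


def allow_rules(denials):
    """Render one allow rule per (source, target, class), permissions sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]


def _split_rule(rule_line):
    m = RULE_RE.match(rule_line.strip())
    if not m:
        raise ValueError("not a simple allow rule: " + rule_line)
    src, tgt, cls, perm_text = m.groups()
    return src, tgt, cls, perm_text.split()


def uncovered_permissions(rule_line, denials):
    """Denied permissions that the given rule does not already grant."""
    src, tgt, cls, perms = _split_rule(rule_line)
    return sorted(denials.get((src, tgt, cls), set()) - set(perms))


def merge_into_rule(rule_line, denials):
    """Add the uncovered permissions to the rule, keeping the author's order
    and slotting each new one in before the first existing permission that
    sorts after it (so setgid lands next to setuid)."""
    src, tgt, cls, perms = _split_rule(rule_line)
    for new in uncovered_permissions(rule_line, denials):
        index = next((i for i, p in enumerate(perms) if p > new), len(perms))
        perms.insert(index, new)
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(found)))
    print("missing from existing rule:", uncovered_permissions(EXISTING_RULE, found))
    print(merge_into_rule(EXISTING_RULE, found))
```

Run against a real `/var/log/audit/audit.log` the parser only sees denials that were actually logged, so collect the log with the domain in permissive mode (or with `semanage permissive -a tcsd_t`) before deciding a single added permission is enough; `uncovered_permissions` is the check to rerun once the policy has been rebuilt.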

Comment 1 Milos Malik 2020-11-20 16:13:02 UTC
Something is wrong on my RHEL-8.3 VM. The tcsd service won't start:

# ls -l /dev/tpm*
crw-rw----. 1 tss root  10,   224 Nov 20 17:07 /dev/tpm0
crw-rw----. 1 tss tss  253, 65536 Nov 20 17:07 /dev/tpmrm0
# ls -1Z /dev/tpm*
system_u:object_r:tpm_device_t:s0 /dev/tpm0
system_u:object_r:tpm_device_t:s0 /dev/tpmrm0
# service tcsd start
Redirecting to /bin/systemctl start tcsd.service
Job for tcsd.service failed because the control process exited with error code.
See "systemctl status tcsd.service" and "journalctl -xe" for details.
# service tcsd status
Redirecting to /bin/systemctl status tcsd.service
● tcsd.service - TCG Core Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/tcsd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-11-20 17:09:39 CET; 2s ago
  Process: 3656 ExecStart=/sbin/tcsd (code=exited, status=30)

Nov 20 17:09:39 localhost.localdomain systemd[1]: Starting TCG Core Services Daemon...
Nov 20 17:09:39 localhost.localdomain tcsd[3656]: TCSD TDDL[3656]: TrouSerS ioctl: (25) Inappropriate ioctl for device
Nov 20 17:09:39 localhost.localdomain tcsd[3656]: TCSD TDDL[3656]: TrouSerS Falling back to Read/Write device support.
Nov 20 17:09:39 localhost.localdomain tcsd[3656]: TCSD TCS[3656]: TrouSerS ERROR: TCS GetCapability failed with result = 0x1e
Nov 20 17:09:39 localhost.localdomain systemd[1]: tcsd.service: Control process exited, code=exited status=30
Nov 20 17:09:39 localhost.localdomain systemd[1]: tcsd.service: Failed with result 'exit-code'.
Nov 20 17:09:39 localhost.localdomain systemd[1]: Failed to start TCG Core Services Daemon.
# 

No matter if SELinux is enforcing or permissive.

Comment 2 Jerry Snitselaar 2020-11-23 19:56:17 UTC
Hi Milos,

Can you verify that the VM has a TPM1.2 device and not a TPM2.0?

Comment 3 Jerry Snitselaar 2020-11-23 19:57:15 UTC
It should also be TIS and not CRB, which is only TPM2.0.
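Comments 2 and 3 ask whether the failing host actually carries a TPM 1.2, which is the only generation tcsd speaks; the listing in Comment 1 already shows a `/dev/tpmrm0` node. The following is an added example, not code from the bug report or from TrouSerS, that answers that question from the kernel's own view of the chip: it reads the `tpm_version_major` sysfs attribute where the kernel provides it and otherwise falls back to the fact that the kernel creates `/dev/tpmrmN` (the in-kernel resource manager) only for TPM 2.0 chips. The function names and the fake sysfs/dev trees built by `self_check` are constructed for the example; the attribute name and the tpmrm rule are the upstream kernel's.

```python
"""Report which TPM generation the kernel exposes, so a tcsd start failure
caused by a TPM 2.0 chip can be told apart from an SELinux denial.
Added example, not part of the bug report or TrouSerS."""
import os
import tempfile


def _read(path):
    """Stripped contents of a sysfs attribute, or None if it does not exist."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def tpm_generation(sysfs_root="/sys/class/tpm", dev_root="/dev"):
    """Return (generation, evidence); generation is '1.2', '2.0' or None."""
    # Preferred source: the kernel's tpm_version_major attribute (recent
    # kernels only; older ones lack it and fall through to the heuristic).
    if os.path.isdir(sysfs_root):
        for chip in sorted(os.listdir(sysfs_root)):
            major = _read(os.path.join(sysfs_root, chip, "tpm_version_major"))
            if major == "2":
                return "2.0", f"{chip}/tpm_version_major=2"
            if major == "1":
                return "1.2", f"{chip}/tpm_version_major=1"
    # Fallback: the kernel registers /dev/tpmrmN only for TPM 2.0 chips, so the
    # node's presence identifies the generation even without the attribute.
    if os.path.exists(os.path.join(dev_root, "tpmrm0")):
        return "2.0", "/dev/tpmrm0 present"
    if os.path.exists(os.path.join(dev_root, "tpm0")):
        return "1.2", "/dev/tpm0 present without /dev/tpmrm0"
    return None, "no TPM device node found"


def tcsd_applies(generation):
    """TrouSerS tcsd implements the TPM 1.2 command set only."""
    return generation == "1.2"


def self_check():
    """Probe constructed fake trees (plain files stand in for the char devices)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        sysfs = os.path.join(tmp, "sys_tpm")
        dev = os.path.join(tmp, "dev")
        os.makedirs(os.path.join(sysfs, "tpm0"))
        os.makedirs(dev)
        with open(os.path.join(sysfs, "tpm0", "tpm_version_major"), "w") as f:
            f.write("2\n")
        results["sysfs_tpm2"] = tpm_generation(sysfs, dev)
        # Older kernel: no attribute, only device nodes; tpmrm0 marks TPM 2.0.
        missing_sysfs = os.path.join(tmp, "no_such_dir")
        for name in ("tpm0", "tpmrm0"):
            open(os.path.join(dev, name), "w").close()
        results["devnodes_tpm2"] = tpm_generation(missing_sysfs, dev)
        os.remove(os.path.join(dev, "tpmrm0"))
        results["devnodes_tpm12"] = tpm_generation(missing_sysfs, dev)
        os.remove(os.path.join(dev, "tpm0"))
        results["no_tpm"] = tpm_generation(missing_sysfs, dev)
    return results


if __name__ == "__main__":
    gen, why = tpm_generation()
    print(f"TPM generation: {gen} ({why}); tcsd applicable: {tcsd_applies(gen)}")
```

On a host where this reports 2.0, tcsd's "Inappropriate ioctl for device" and the subsequent GetCapability failure are expected regardless of SELinux mode, and a TPM 2.0 stack (tpm2-abrmd or direct `/dev/tpmrm0` access) is the component to exercise instead; only a 1.2 result makes the policy change in this bug testable.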

Comment 5 Zdenek Pytela 2020-11-30 20:14:03 UTC
*** Bug 1901984 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2020-12-07 22:17:05 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/498

Comment 11 Zdenek Pytela 2020-12-09 23:37:03 UTC
This is the rawhide commit to backport:
commit 81c95e0d84bc442879302d905ac198f69732725a
Author: Zdenek Pytela <zpytela>
Date:   Mon Dec 7 23:15:06 2020 +0100

    Allow tcsd the setgid capability

    Resolves: rhbz#1898694

diff --git a/policy/modules/contrib/tcsd.te b/policy/modules/contrib/tcsd.te
index 285ef0874..d541406dc 100644
--- a/policy/modules/contrib/tcsd.te
+++ b/policy/modules/contrib/tcsd.te
@@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t)
 # Local policy
 #

-allow tcsd_t self:capability { dac_read_search dac_override setuid };
+allow tcsd_t self:capability { dac_read_search dac_override setgid setuid };
 allow tcsd_t self:process { signal sigkill };
 allow tcsd_t self:tcp_socket { accept listen };
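Review bot: the hunk extends the existing tcsd_t self:capability rule with setgid only, slotted in before setuid so the list stays in its previous style, which is the right minimal change for a daemon that changes its group id; what still needs confirming before merge is that the verification run happens on a host with a TPM 1.2 device, because Comments 1 and 15 show tcsd exiting at device open (status 30 and 137, "Could not find a device to open!") before it could reach any setgid() call, so a start attempt on such a host says nothing about whether setgid is now sufficient. An audit log from a real TPM 1.2 host with tcsd_t in permissive mode, showing no remaining capability denial, would be the evidence to attach to the PR.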

Comment 15 Zdenek Pytela 2021-01-07 07:38:30 UTC
The test fails as the service cannot start:

Jan  7 02:33:12 prereserve-1mt-rhel-8 systemd[1]: Starting TCG Core Services Daemon...
Jan  7 02:33:12 prereserve-1mt-rhel-8 journal[33623]: TCSD TDDL[33623]: TrouSerS ERROR: Could not find a device to open!
Jan  7 02:33:12 prereserve-1mt-rhel-8 systemd[1]: tcsd.service: Control process exited, code=exited status=137
Jan  7 02:33:12 prereserve-1mt-rhel-8 systemd[1]: tcsd.service: Failed with result 'exit-code'.
Jan  7 02:33:12 prereserve-1mt-rhel-8 systemd[1]: Failed to start TCG Core Services Daemon.

# rpm -q trousers selinux-policy
trousers-0.3.15-1.el8.x86_64
selinux-policy-3.14.3-59.el8.noarch

Comment 16 Milos Malik 2021-01-07 07:58:38 UTC
The tcsd service requires a special piece of HW, which was not available on the Beaker machines.

Comment 22 errata-xmlrpc 2021-05-18 14:58:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639