Bug 1899548

Summary: the rpmdb program triggers SELinux denials
Product: Fedora
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 33
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, vmojzis, zpytela
Keywords: Triaged
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.14.6-31.fc33
Doc Type: If docs needed, set a value
Last Closed: 2020-12-12 01:05:04 UTC
Type: Bug

Description Milos Malik 2020-11-19 14:12:33 UTC
Description of problem:
 * if SELinux is enforcing then 'rpmdb --help' does not produce any output
 * if SELinux is permissive then 'rpmdb --help' prints its help message

Version-Release number of selected component (if applicable):
rpm-4.16.0-1.fc33.x86_64
selinux-policy-3.14.6-30.fc33.noarch
selinux-policy-targeted-3.14.6-30.fc33.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. log in as root
3. # rpmdb --help
4. # rpmdb --exportdb >& /tmp/output

Actual results (enforcing mode):
 * no output
 * many SELinux denials

Expected results:
 * help message is printed
 * no SELinux denials appear

Comment 1 Milos Malik 2020-11-19 14:13:50 UTC
The following SELinux denials appear after removal of dontaudit rules:
----
type=PROCTITLE msg=audit(11/19/2020 15:10:54.932:1569) : proctitle=rpmdb --help 
type=PATH msg=audit(11/19/2020 15:10:54.932:1569) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=5621 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/19/2020 15:10:54.932:1569) : item=0 name=/usr/bin/rpmdb inode=9863 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpmdb_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:10:54.932:1569) : cwd=/root 
type=EXECVE msg=audit(11/19/2020 15:10:54.932:1569) : argc=2 a0=rpmdb a1=--help 
type=SYSCALL msg=audit(11/19/2020 15:10:54.932:1569) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x557facb52890 a1=0x557faccfb2b0 a2=0x557faccf9420 a3=0x8 items=2 ppid=25604 pid=26021 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
----

Comment 2 Milos Malik 2020-11-19 14:28:13 UTC
The following SELinux denials appear after running the 'rpmdb --exportdb >& /tmp/output' command in permissive mode:
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.377:1664) : proctitle=rpmdb --exportdb 
type=PATH msg=audit(11/19/2020 15:23:23.377:1664) : item=0 name=/var/lib/sss/mc/passwd inode=265511 dev=fc:02 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_public_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:23:23.377:1664) : cwd=/root 
type=SYSCALL msg=audit(11/19/2020 15:23:23.377:1664) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55ddf588e6f0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.377:1664) : avc:  denied  { open } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.378:1665) : proctitle=rpmdb --exportdb 
type=SYSCALL msg=audit(11/19/2020 15:23:23.378:1665) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffccc823990 a2=0x7ffccc823990 a3=0x0 items=0 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.378:1665) : avc:  denied  { getattr } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.378:1666) : proctitle=rpmdb --exportdb 
type=MMAP msg=audit(11/19/2020 15:23:23.378:1666) : fd=3 flags=MAP_SHARED 
type=SYSCALL msg=audit(11/19/2020 15:23:23.378:1666) : arch=x86_64 syscall=mmap success=yes exit=139980478590976 a0=0x0 a1=0x8d32e0 a2=PROT_READ a3=MAP_SHARED items=0 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.378:1666) : avc:  denied  { map } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.379:1667) : proctitle=rpmdb --exportdb 
type=PATH msg=audit(11/19/2020 15:23:23.379:1667) : item=0 name=/var/lib/sss/pipes/nss inode=262651 dev=fc:02 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:23:23.379:1667) : cwd=/root 
type=SOCKADDR msg=audit(11/19/2020 15:23:23.379:1667) : saddr={ saddr_fam=local path=/var/lib/sss/pipes/nss } 
type=SYSCALL msg=audit(11/19/2020 15:23:23.379:1667) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffccc823930 a2=0x6e a3=0x1 items=1 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/var/lib/sss/pipes/nss scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { write } for  pid=26733 comm=rpmdb name=nss dev="vda2" ino=262651 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.381:1668) : proctitle=rpmdb --exportdb 
type=PATH msg=audit(11/19/2020 15:23:23.381:1668) : item=0 name=/run/dbus/system_bus_socket inode=45342 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:23:23.381:1668) : cwd=/root 
type=SOCKADDR msg=audit(11/19/2020 15:23:23.381:1668) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(11/19/2020 15:23:23.381:1668) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x6 a1=0x55ddf5890da0 a2=0x1e a3=0x7ffccc823574 items=1 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.381:1668) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/run/dbus/system_bus_socket scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(11/19/2020 15:23:23.381:1668) : avc:  denied  { write } for  pid=26733 comm=rpmdb name=system_bus_socket dev="tmpfs" ino=45342 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
----

Comment 3 Milos Malik 2020-11-19 14:58:13 UTC
Forgotten in the logs:
----
type=USER_AVC msg=audit(11/19/2020 15:23:23.383:1669) : pid=670 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
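
The raw records in comments 1 to 3 are easier to reason about once they are grouped by source type, target type and object class, which is what a triager does before deciding between allow and dontaudit. The script below is an added example for this report (it is not code from the report, from rpm or from selinux-policy): it parses auditd records, keeps the AVC and USER_AVC denials, aggregates them and emits the allow rules the denials imply in the shape audit2allow would print, flagging whether each access was actually blocked (permissive=0, as in comment 1) or merely logged (permissive=1, as in comments 2 and 3). The sample records are copied from the comments above; nothing else is assumed.

```python
"""Group SELinux AVC denials from raw auditd records and derive the rules they imply.

Added example for bug 1899548; not part of the report, rpm or selinux-policy.
"""
import re
from collections import defaultdict

# Records copied from comments 1 to 3 of the report (trailing spaces removed).
# The repeated devpts denial is kept so the grouping is visible; the PROCTITLE
# record shows that non-AVC records are skipped.
SAMPLE_RECORDS = [
    "type=PROCTITLE msg=audit(11/19/2020 15:10:54.932:1569) : proctitle=rpmdb --help",
    'type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(11/19/2020 15:23:23.377:1664) : avc:  denied  { open } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(11/19/2020 15:23:23.378:1665) : avc:  denied  { getattr } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(11/19/2020 15:23:23.378:1666) : avc:  denied  { map } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/var/lib/sss/pipes/nss scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { write } for  pid=26733 comm=rpmdb name=nss dev="vda2" ino=262651 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(11/19/2020 15:23:23.381:1668) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/run/dbus/system_bus_socket scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
    'type=AVC msg=audit(11/19/2020 15:23:23.381:1668) : avc:  denied  { write } for  pid=26733 comm=rpmdb name=system_bus_socket dev="tmpfs" ino=45342 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1',
    "type=USER_AVC msg=audit(11/19/2020 15:23:23.383:1669) : pid=670 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'",
]

# The permission set sits between braces after "denied"; this also matches the
# USER_AVC form, where the avc text is nested inside msg='...'.
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def _field(record, name):
    """Return the value of a whitespace-delimited key=value field, or None."""
    m = re.search(r"\b%s=(\S+)" % name, record)
    return m.group(1) if m else None


def _type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(record):
    """Parse one audit record; return None for anything that is not a denial."""
    m = DENIED_RE.search(record)
    if m is None:
        return None
    return {
        "perms": set(m.group(1).split()),
        "stype": _type_of(_field(record, "scontext")),
        "ttype": _type_of(_field(record, "tcontext")),
        "tclass": _field(record, "tclass"),
        # permissive=0 means the kernel refused the access; =1 means logged only.
        "blocked": _field(record, "permissive") == "0",
    }


def summarize(records):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "blocked": False})
    for rec in records:
        d = parse_avc(rec)
        if d is None:
            continue
        entry = summary[(d["stype"], d["ttype"], d["tclass"])]
        entry["perms"] |= d["perms"]
        entry["count"] += 1
        entry["blocked"] = entry["blocked"] or d["blocked"]
    return dict(summary)


def allow_rules(summary):
    """Render each group as the allow rule it would take to silence it."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        perms = sorted(entry["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text))
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        state = "BLOCKED" if entry["blocked"] else "logged only (permissive)"
        print("%s -> %s:%s %s  x%d  %s" % (stype, ttype, tclass,
              " ".join(sorted(entry["perms"])), entry["count"], state))
    print()
    print("\n".join(allow_rules(summary)))
```

The rules the script prints are what the denials ask for, not what should be granted: comment 4 below resolves part of this report by dontauditing accesses rpmdb does not need rather than allowing them, and only the devpts denial from comment 1 was an actual block (permissive=0); the rest were recorded while the machine ran in permissive mode.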

Comment 4 Zdenek Pytela 2020-11-19 15:49:31 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/368

Given the https://bugzilla.redhat.com/show_bug.cgi?id=1461313#c73 comment, rpmdb does not need the access.
In case resolv.conf is a file, the access is dontaudited.
If it is a symlink, read access is allowed to the symlink, but the link target is dontaudited again.

Comment 5 Zdenek Pytela 2020-11-20 20:57:59 UTC
After merging the PR, rpmdb --help can write to the terminal. I can't see other denials either.

Comment 6 Milos Malik 2020-11-23 14:44:28 UTC
The other SELinux denials appear when the sssd service is running and when the /etc/nsswitch.conf file contains lines like these:

# grep -v ^# /etc/nsswitch.conf | grep sss
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     sss files
protocols:  sss files
rpc:        sss files
hosts:      sss files dns myhostname
aliases:    sss files nisplus
#

Comment 7 Milos Malik 2020-11-25 10:00:18 UTC
Test coverage for this bug exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/140

The PR waits for review.

Comment 8 Fedora Update System 2020-12-09 14:37:19 UTC
FEDORA-2020-aff0be81b3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

Comment 9 Fedora Update System 2020-12-11 00:04:27 UTC
FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aff0be81b3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2020-12-12 01:05:04 UTC
FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.