Bug 1926699
Summary: | avc denial for gpg-agent with systemd-run | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Kaleem <ksiddiqu>
Component: | ipa | Assignee: | Thomas Woerner <twoerner>
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe>
Severity: | unspecified | Priority: | unspecified
Version: | 8.4 | Target Release: | 8.0
Target Milestone: | rc | Keywords: | Triaged
Hardware: | Unspecified | OS: | Unspecified
Fixed In Version: | ipa-4.9.2-1 | Doc Type: | If docs needed, set a value
Last Closed: | 2021-05-18 15:48:53 UTC | Type: | Bug
CC: | abokovoy, amore, frenaud, lvrabec, mmalik, pasik, plautrba, rcritten, ssekidde, ssidhaye, tscherf, zpytela | |
Description
Kaleem
2021-02-09 09:59:24 UTC
```
# sesearch -s init_t -t gpg_agent_exec_t -A
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow init_t file_type:blk_file { getattr relabelfrom relabelto };
allow init_t file_type:chr_file { getattr relabelfrom relabelto };
allow init_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow init_t file_type:fifo_file { getattr relabelfrom relabelto };
allow init_t file_type:file { getattr relabelfrom relabelto };
allow init_t file_type:filesystem { getattr unmount };
allow init_t file_type:lnk_file { getattr relabelfrom relabelto };
allow init_t file_type:sock_file { getattr relabelfrom relabelto };
allow init_t non_security_file_type:dir { create getattr }; [ init_create_dirs ]:True
allow init_t non_security_file_type:dir { mounton setattr write }; [ init_create_dirs ]:True
allow init_t non_security_file_type:dir { read setattr }; [ init_create_dirs ]:True
allow init_t non_security_file_type:file mounton; [ init_create_dirs ]:True
```

Prior to https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d we ran this unconfined:

```
# sesearch -s unconfined_t -t gpg_agent_exec_t -A
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow files_unconfined_type file_type:blk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:chr_file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:dir { add_name append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto remove_name rename reparent rmdir search setattr swapon unlink write };
allow files_unconfined_type file_type:fifo_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:file execmod; [ selinuxuser_execmod ]:True
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount transition unmount };
allow files_unconfined_type file_type:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:service { disable enable reload start status stop };
allow files_unconfined_type file_type:sock_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow unconfined_domain_type file_type:service { disable enable reload start status stop };
allow unconfined_t file_type:system module_load;
allow unconfined_usertype application_exec_type:file { execute execute_no_trans getattr ioctl lock map open read };
```

Zdenek, what would you suggest? We can add the SELinuxContext property to the systemd-run command line to set a specific context, but which one to use here? Or maybe we should allow adding execute to init_t?

From IRC discussion: we can set the SELinux context explicitly to system_u:system_r:initrc_t:s0:

```
/bin/systemd-run --service-type=forking --property SELinuxContext=system_u:system_r:initrc_t:s0 --setenv=GNUPGHOME=/path/to/gnupg --setenv=LC_ALL=C.UTF-8 --setenv=LANGUAGE=C --unit=gpg-agent /usr/bin/gpg-agent --daemon --batch
```

Upstream issue: https://pagure.io/freeipa/issue/8699

Fixed upstream master: https://pagure.io/freeipa/c/46b0746fe9b043edb55649f7993cdc5b20b70c12

Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/7ca2797eaca963fe94f7396353569f7f8ed6d09d

Pre-verified using: ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64
Using compose: rhel-8.4.0-mbs/9973-1386-idm/

Test logs:

```
test_ipaserver/test_install/test_installutils.py::test_bare_insufficient_ram_with_ca PASSED [ 98%]
test_ipaserver/test_install/test_installutils.py::test_bare_ram_ok PASSED [ 99%]
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED [100%]
----------- generated html file: file:///home/cloud-user/report.html -----------
============== 160 passed, 4 skipped, 6 warnings in 30.85 seconds ==============
```

No AVC logged.

Verified using nightly compose: ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64

```
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-287.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 164 items
test_ipaserver/test_adtrust_mockup.py::TestNetbiosName::test_NetbiosName PASSED [  0%]
test_ipaserver/test_changepw.py::test_changepw::test_bad_options PASSED [  1%]
test_ipaserver/test_changepw.py::test_changepw::test_invalid_auth PASSED [  1%]
test_ipaserver/test_changepw.py::test_changepw::test_pwpolicy_error PASSED [  2%]
test_ipaserver/test_changepw.py::test_changepw::test_pwpolicy_success PASSED [  3%]
...
test_ipaserver/test_install/test_installutils.py::test_gpg_encrypt PASSED [ 88%]
test_ipaserver/test_install/test_installutils.py::test_gpg_asymmetric PASSED [ 89%]
...
test_ipaserver/test_install/test_installutils.py::test_bare_insufficient_ram_with_ca PASSED [ 98%]
test_ipaserver/test_install/test_installutils.py::test_bare_ram_ok PASSED [ 99%]
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED [100%]
---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
============== 160 passed, 4 skipped, 6 warnings in 31.25 seconds ==============
```

No AVC logged. Based on this, marking bug as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
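The following is an added example illustrating the fix and the verification discussed in this bug; it is not code from FreeIPA or from any of the commenters. It builds the systemd-run argument vector from the IRC discussion, adding the SELinuxContext property only when SELinux is active (the check via /sys/fs/selinux/enforce is an assumption of this example, as are the function names), and it scans audit records for the denial the summary describes, a domain refused execute on gpg_agent_exec_t, which is the "No AVC logged" condition the QE comments checked. The AVC sample lines are constructed for this example and are not copied from the bug report.

```python
"""Added example, not FreeIPA's own code: build the systemd-run command line
from the IRC discussion in this bug, and scan audit records for the denial
the summary describes (a domain refused execute on gpg_agent_exec_t)."""

import os
import re
import shlex

# Context proposed in the bug for the transient gpg-agent service.
INITRC_CONTEXT = "system_u:system_r:initrc_t:s0"


def selinux_enabled(enforce_node="/sys/fs/selinux/enforce"):
    """True when selinuxfs is mounted, i.e. a policy is loaded.

    The path is an assumption for this example; FreeIPA has its own check."""
    return os.path.exists(enforce_node)


def gpg_agent_cmd(gnupghome, unit="gpg-agent", selinux=True):
    """Argument vector for systemd-run as shown in the bug.

    systemd (init_t) execs the service binary.  The sesearch output above
    shows init_t has no execute permission on gpg_agent_exec_t and no
    transition rule for it, so the SELinuxContext property tells systemd to
    run the unit in initrc_t instead.  Without SELinux the property is
    pointless, so it is left out.
    """
    args = ["/bin/systemd-run", "--service-type=forking"]
    if selinux:
        args += ["--property", "SELinuxContext=" + INITRC_CONTEXT]
    args += [
        "--setenv=GNUPGHOME=" + gnupghome,
        "--setenv=LC_ALL=C.UTF-8",
        "--setenv=LANGUAGE=C",
        "--unit=" + unit,
        "/usr/bin/gpg-agent",
        "--daemon",
        "--batch",
    ]
    return args


def shell_line(args):
    """Quote the argument vector for pasting into a shell (Python 3.6 safe)."""
    return " ".join(shlex.quote(a) for a in args)


# One AVC record per line, as ausearch -m AVC or /var/log/audit/audit.log show it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denied permissions, source/target types and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def gpg_agent_exec_denials(lines):
    """Records where some domain was denied execute on gpg_agent_exec_t.

    An empty result is the "No AVC logged" condition the verifier checked."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["ttype"] == "gpg_agent_exec_t" and "execute" in rec["perms"]:
            hits.append(rec)
    return hits


# Constructed sample records for this example; they are not copied from the
# bug report.  The first has the shape the summary describes: systemd's child,
# renamed "(gpg-agent)" before exec, still in init_t, denied execute on the binary.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1612864764.101:1234): avc:  denied  { execute } for  '
    'pid=4242 comm="(gpg-agent)" name="gpg-agent" dev="dm-0" ino=101 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1612864770.222:1235): avc:  denied  { read } for  '
    'pid=4300 comm="httpd" name="index.html" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1612864764.101:1234): arch=c000003e syscall=59 '
    'success=no exit=-13',
]

if __name__ == "__main__":
    print(shell_line(gpg_agent_cmd("/path/to/gnupg", selinux=selinux_enabled())))
    for rec in gpg_agent_exec_denials(SAMPLE_AUDIT):
        print("denied:", rec["stype"], "->", rec["ttype"], sorted(rec["perms"]))
```

Before relying on a hand-picked context like initrc_t, confirm on the target policy that the new domain actually holds the permission init_t lacked, e.g. `sesearch -s initrc_t -t gpg_agent_exec_t -c file -p execute -A`; if that returns nothing, the SELinuxContext property only moves the denial to a different source type.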