Bug 1955547

Summary: Allow nnp_transition for init_t -> install_t
Product: Red Hat Enterprise Linux 8 Reporter: Timothée Ravier <travier>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.5CC: dwalsh, extras-qa, grepl.miroslav, lvrabec, mmalik, omosnace, plautrba, ssekidde, travier, vmojzis, walters, zpytela
Target Milestone: betaKeywords: AutoVerified, Triaged
Target Release: 8.5Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-70.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1937404 Environment:
Last Closed: 2021-11-09 19:43:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1937404    
Bug Blocks:    

Description Timothée Ravier 2021-04-30 11:07:14 UTC 
+++ This bug was initially created as a clone of Bug #1937404 +++

In rpm-ostree we're trying to do more privilege separation; we added a new systemd unit rpm-ostree-countme.service that uses `DynamicUser=yes`.

However, it turns out that this breaks because we added a special `install_t` label:

```
-rwxr-xr-x. 3 root root system_u:object_r:install_exec_t:s0 127267552 Jan  1  1970 /usr/bin/rpm-ostree
```

Now, this works fine for a regular (privileged) domain transition for our service that starts as root.

But when trying with `DynamicUser=yes` but executing the same binary:

```
Mar 10 14:11:34 cosa-devsh audit[1276]: AVC avc:  denied  { nnp_transition } for  pid=1276 comm="(m-ostree)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=0
```

This then leaves the process running as `init_t`, which means we get denied trying to do HTTP:

```
Mar 10 14:11:34 cosa-devsh audit[1276]: AVC avc:  denied  { name_connect } for  pid=1276 comm="rpm-ostree" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
```

I think the immediate fix is to allow the nnp_transition so that this unprivileged process runs as `install_t`, the same as the main one.

But it'd be even better to not do any transition at all, i.e. in the `DynamicUser=yes` case we stay in `unconfined_service_t` to start (the systemd default).  I'm not quite sure how to do that without basically hacking up systemd to do a `setexeccon()` (something declarative like `SELinuxTransition=no` in a systemd unit file?)

--- Additional comment from Colin Walters on 2021-03-10 15:15:30 UTC ---

In the short term, we are probably going to work around this by shipping two binaries, like `/usr/bin/rpm-ostree` and `/usr/libexec/rpmostree-unprivileged-backend` or something, then the systemd unit execs the latter.

But having two labels means duplicating the binary on disk which is quite unfortunate.  (OSTree could use reflinks for this, but we can't hard require reflinks)

--- Additional comment from Timothée Ravier on 2021-03-11 15:14:49 UTC ---

We can set SELinuxContext=system_u:system_r:unconfined_service_t:s0 in the systemd unit but this gives us:

```
Mar 11 11:40:03 cosa-devsh audit[3454]: AVC avc:  denied  { entrypoint } for  pid=3454 comm="(m-ostree)" path="/usr/bin/rpm-ostree" dev="vda4" ino=2838494 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
```

And I don't think we want to enable that.

Adding nnp_transition to scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 sounds OK from a security perspective (I do not see how this could be exploited) so I will make a PR for that.

--- Additional comment from Zdenek Pytela on 2021-03-16 15:39:33 UTC ---

commit 3d3b616790d5826f73b259fc2a940a8e1efe98c1 (HEAD -> rawhide, upstream/rawhide)
Author: Timothée Ravier <travier>
Date:   Thu Mar 11 16:53:29 2021 +0100

    install_t: Allow NoNewPriv transition from systemd

    Enable a subset of rpm-ostree commands to run as part of a systemd
    service directly under an unprivilged user with DynamicUser.

    This will be used for the rpm-ostree-countme service.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1937404

--- Additional comment from Fedora Update System on 2021-03-21 16:15:45 UTC ---

FEDORA-2021-9e2cb00123 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9e2cb00123

--- Additional comment from Fedora Update System on 2021-03-22 01:17:29 UTC ---

FEDORA-2021-9e2cb00123 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9e2cb00123`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9e2cb00123

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2021-03-25 01:24:31 UTC ---

FEDORA-2021-68c09eb43f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-68c09eb43f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-68c09eb43f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2021-03-27 02:01:12 UTC ---

FEDORA-2021-15b81d905c has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-15b81d905c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-15b81d905c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2021-03-29 00:17:03 UTC ---

FEDORA-2021-15b81d905c has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 1 Timothée Ravier 2021-04-30 11:09:44 UTC 
This is a request to backport or make sure that the policy already includes the following change in 8.5: https://github.com/fedora-selinux/selinux-policy/pull/642

Thanks!
Comment 2 Zdenek Pytela 2021-06-04 20:19:55 UTC 
Needs to be backported:
Author: Timothée Ravier <travier>
Date:   Thu Mar 11 16:53:29 2021 +0100

    install_t: Allow NoNewPriv transition from systemd
Comment 4 Milos Malik 2021-06-10 17:49:23 UTC 
When old selinux-policy is installed, following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(06/10/2021 11:53:31.621:320) : proctitle=/usr/bin/rpm-ostree countme 
type=PATH msg=audit(06/10/2021 11:53:31.621:320) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=9890 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/10/2021 11:53:31.621:320) : cwd=/ 
type=EXECVE msg=audit(06/10/2021 11:53:31.621:320) : argc=2 a0=/usr/bin/rpm-ostree a1=countme 
type=SYSCALL msg=audit(06/10/2021 11:53:31.621:320) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55aa84bfea20 a1=0x55aa84bfea00 a2=0x55aa84c6bde0 a3=0x0 items=1 ppid=1 pid=6525 auid=unset uid=rpm-ostree gid=rpm-ostree euid=rpm-ostree suid=rpm-ostree fsuid=rpm-ostree egid=rpm-ostree sgid=rpm-ostree fsgid=rpm-ostree tty=(none) ses=unset comm=rpm-ostree exe=/usr/bin/rpm-ostree subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(06/10/2021 11:53:31.621:320) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:install_t:s0 
type=AVC msg=audit(06/10/2021 11:53:31.621:320) : avc:  denied  { nnp_transition } for  pid=6525 comm=(m-ostree) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(06/10/2021 11:53:31.660:321) : proctitle=/usr/bin/rpm-ostree countme 
type=SYSCALL msg=audit(06/10/2021 11:53:31.660:321) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5645b8ef03d0 a2=O_RDONLY|O_CLOEXEC|O_PATH a3=0x0 items=0 ppid=1 pid=6525 auid=unset uid=rpm-ostree gid=rpm-ostree euid=rpm-ostree suid=rpm-ostree fsuid=rpm-ostree egid=rpm-ostree sgid=rpm-ostree fsgid=rpm-ostree tty=(none) ses=unset comm=rpm-ostree exe=/usr/bin/rpm-ostree subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/10/2021 11:53:31.660:321) : avc:  denied  { read } for  pid=6525 comm=rpm-ostree name=rpm-ostree-countme dev="vda1" ino=6970988 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0 
----

Tested in 1minutetip with selinux-policy = 3.14.3-68.el8.
Comment 5 Milos Malik 2021-06-10 17:50:58 UTC 
When old selinux-policy is installed, the same SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(06/10/2021 13:46:35.690:329) : proctitle=(m-ostree) 
type=SYSCALL msg=audit(06/10/2021 13:46:35.690:329) : arch=x86_64 syscall=readlinkat success=yes exit=26 a0=0xffffff9c a1=0x55aa84b5d220 a2=0x55aa84be2930 a3=0x63 items=0 ppid=1 pid=6931 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(m-ostree) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/10/2021 13:46:35.690:329) : avc:  denied  { read } for  pid=6931 comm=(m-ostree) name=rpm-ostree-countme dev="vda1" ino=6970988 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1 
----
type=PROCTITLE msg=audit(06/10/2021 13:46:35.913:330) : proctitle=(m-ostree) 
type=PATH msg=audit(06/10/2021 13:46:35.913:330) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=9890 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/10/2021 13:46:35.913:330) : cwd=/ 
type=EXECVE msg=audit(06/10/2021 13:46:35.913:330) : argc=2 a0=/usr/bin/rpm-ostree a1=countme 
type=SYSCALL msg=audit(06/10/2021 13:46:35.913:330) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55aa84bfea20 a1=0x55aa84be2930 a2=0x55aa84b35c20 a3=0x0 items=1 ppid=1 pid=6931 auid=unset uid=rpm-ostree gid=rpm-ostree euid=rpm-ostree suid=rpm-ostree fsuid=rpm-ostree egid=rpm-ostree sgid=rpm-ostree fsgid=rpm-ostree tty=(none) ses=unset comm=rpm-ostree exe=/usr/bin/rpm-ostree subj=system_u:system_r:install_t:s0 key=(null) 
type=AVC msg=audit(06/10/2021 13:46:35.913:330) : avc:  denied  { nnp_transition } for  pid=6931 comm=(m-ostree) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=1 
----

# ls -lZ /var/lib/rpm-ostree-countme
lrwxrwxrwx. 1 root root system_u:object_r:var_lib_t:s0 26 Jun 10 11:53 /var/lib/rpm-ostree-countme -> private/rpm-ostree-countme
#
Comment 13 errata-xmlrpc 2021-11-09 19:43:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420