Bug 1980560

Summary: If init_t can read all file_type directories, it should be able to watch them as well
Product: Fedora
Component: selinux-policy
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: 34
Reporter: Dusty Mabe <dustymabe>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, vmojzis, zpytela
Keywords: Triaged
Fixed In Version: selinux-policy-34.14-1.fc34
Last Closed: 2021-07-18 01:24:14 UTC
Type: Bug

Description Dusty Mabe 2021-07-08 20:56:28 UTC
Description of problem:

We are seeing issues where init_t (systemd) is not able to watch directories. This makes path units pretty useless.

According to Dan Walsh: "If init_t can read all file_type directories, it should be able to watch them as well." https://github.com/containers/container-selinux/issues/135#issuecomment-867961079



Can we get selinux updated to allow systemd to watch directories so our path units will work again?

More context in:

https://github.com/coreos/fedora-coreos-tracker/issues/861
https://github.com/containers/container-selinux/issues/135



Version-Release number of selected component (if applicable):

```
[core@localhost ~]$ rpm -q selinux-policy container-selinux
selinux-policy-34.11-1.fc34.noarch
container-selinux-2.163.0-1.fc34.noarch
```


How reproducible:
Always

Steps to Reproduce:

Spin up an FCOS machine with this Butane config:


```
variant: fcos
version: 1.3.0
systemd:
  units:
    - name: tester.path
      enabled: true
      contents: |
        [Unit]
        Description=Watch for kube config
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: tester.service
      enabled: false
      contents: |
        [Unit]
        Description=Watch for test config
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=bash -c "echo tester: $(date)"
storage:
  directories:
    - path: /etc/kubernetes
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - "MY-PUBKEY"
```

Notice that after you log in you can't activate the path unit by creating /etc/kubernetes/kubeconfig and you'll see the following in the journal:

```
$ journalctl | grep -i avc | grep denied
Jul 08 20:50:34 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
```

We don't have the same problem if we use some random directory (e.g. `/etc/foobar/kubeconfig`).


Actual results:

Denied


Expected results:

Not denied


Additional info:

Comment 1 Zdenek Pytela 2021-07-09 06:57:38 UTC
I've opened a PR:
https://github.com/fedora-selinux/selinux-policy/pull/799

If there is no negative feedback, I'll merge it soon. I expect one objection it is not complete enough.

Comment 2 Dusty Mabe 2021-07-09 13:41:44 UTC
Thanks @zpytela. If there is a scratch build available somewhere I can try to test with it.

Comment 3 Zdenek Pytela 2021-07-09 14:14:37 UTC
PR
Show all checks -> build-rpm -> Details -> Artifacts -> rpms

Comment 4 Dusty Mabe 2021-07-09 14:31:07 UTC
Thanks. Looks like it works great!

```
[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$ 
[core@localhost ~]$ systemctl status tester.service
○ tester.service - Watch for test config
     Loaded: loaded (/etc/systemd/system/tester.service; static)
     Active: inactive (dead)
TriggeredBy: ● tester.path
[core@localhost ~]$ 
[core@localhost ~]$ sudo journalctl -u tester.service -u tester.path -f & 
[1] 1200
[core@localhost ~]$ -- Journal begins at Fri 2021-07-09 14:28:17 UTC. --
Jul 09 14:28:26 localhost systemd[1]: Started Watch for kube config.

[core@localhost ~]$ 
[core@localhost ~]$ 
[core@localhost ~]$ sudo touch /etc/kubernetes/kubeconfig
[core@localhost ~]$ Jul 09 14:29:35 localhost.localdomain systemd[1]: Starting Watch for test config...
Jul 09 14:29:35 localhost.localdomain bash[1211]: tester: Fri Jul 9 14:29:35 UTC 2021
Jul 09 14:29:35 localhost.localdomain systemd[1]: Finished Watch for test config.

[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$ 
[core@localhost ~]$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-34.13-1.20210707_172609.3600bd4.fc35.noarch
selinux-policy-targeted-34.13-1.20210707_172609.3600bd4.fc35.noarch
```

Comment 5 Zdenek Pytela 2021-07-13 16:29:47 UTC
Merged.

Comment 6 Fedora Update System 2021-07-14 19:45:21 UTC
FEDORA-2021-119c2c9b63 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63

Comment 7 Fedora Update System 2021-07-15 01:40:57 UTC
FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-119c2c9b63`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Dusty Mabe 2021-07-15 18:27:20 UTC
Looks good in my local tests. 👍

Comment 9 Fedora Update System 2021-07-18 01:24:14 UTC
FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.