Bug 1999152

Summary: selinux-policy needs to allow CAP_SYS_MODULE for firewalld
Product: Red Hat Enterprise Linux 9 Reporter: Eric Garver <egarver>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: egarver, lvrabec, mmalik, qe-baseos-daemons, ssekidde, todoleza
Target Milestone: rcKeywords: Triaged
Target Release: 9.0   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-34.1.16-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1999102 Environment:
Last Closed: 2022-05-17 15:49:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1999102    

Description Eric Garver 2021-08-30 14:17:53 UTC 
+++ This bug was initially created as a clone of Bug #1999102 +++

Description of problem:
With default capabilities (NET_ADMIN, NET_RAW), firewalld
is unable to insert nf_nat_ftp module when activating the ftp service.

Version-Release number of selected component (if applicable):
firewalld-1.0.0-2.el9

How reproducible:
Always.

Steps to Reproduce:
1. start firewalld with --debug
2. firewall-cmd --add-service ftp
3. /var/log/firewalld contains "modprobe: ERROR: could not insert 'nf_nat_ftp': Operation not permitted"

Actual results:
[root@ci-vm-10-0-137-226 ~]# rpm -q selinux-policy firewalld
selinux-policy-34.1.14-1.el9.noarch
firewalld-1.0.0-2.el9.noarch
[root@ci-vm-10-0-137-226 ~]# sed -i -e 's/^\(FIREWALLD_ARGS=\).*$/\1--debug/' /etc/sysconfig/firewalld
[root@ci-vm-10-0-137-226 ~]# cat /etc/sysconfig/firewalld
# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=--debug
[root@ci-vm-10-0-137-226 ~]# systemctl start firewalld
[root@ci-vm-10-0-137-226 ~]# firewall-cmd --add-service ftp
success
[root@ci-vm-10-0-137-226 ~]# grep ERROR /var/log/firewalld
2021-08-30 07:41:53 DEBUG1: modprobe: ERROR: could not insert 'nf_nat_ftp': Operation not permitted


Expected results:
The module insertion succeeds.

Additional info:
When firewalld runs with full capabilities the problem does not occur (the module is inserted successfully).

--- Additional comment from Eric Garver on 2021-08-30 14:07:47 UTC ---

So we do need CAP_SYS_MODULE in RHEL-9. I'm passing this to selinux-policy so they can update the firewalld policy.

--- Additional comment from Eric Garver on 2021-08-30 14:13:12 UTC ---

(In reply to Eric Garver from comment #1)
> So we do need CAP_SYS_MODULE in RHEL-9. I'm passing this to selinux-policy
> so they can update the firewalld policy.

My bad. We still nede the firewalld bug to backport:

  13801962073f ("fix(firewalld): keep linux capability CAP_SYS_MODULE")
Comment 1 Tomas Dolezal 2021-08-31 12:27:20 UTC 
I have patched firewalld to use CAP_SYS_MODULE policy and it currently works, although it should not. ref. bz1999102#c4

selinux-policy-34.1.14-1.el9.noarch

sesearch -A -s firewalld_t -c capability
allow firewalld_t firewalld_t:capability { net_admin net_raw setpcap };

pscap | grep firewalld
1     1751  root        firewalld           net_admin, net_raw, sys_module +
Comment 2 Zdenek Pytela 2021-09-08 13:37:20 UTC 
Tomas/Eric,

Can I get the firewalld package version which reproduces the missing permission problem in selinux-policy? The latest one available does not seem so.

beaker-rhel9# rpm -q firewalld
firewalld-1.0.0-2.el9.noarch
beaker-rhel9# pscap | grep firewalld
1     26173 root        firewalld           net_admin, net_raw +
beaker-rhel9# firewall-cmd --add-service ftp
success
beaker-rhel9# grep ERROR /var/log/firewalld
2021-09-08 09:26:45 DEBUG1: modprobe: ERROR: could not insert 'nf_nat_ftp': Operation not permitted
beaker-rhel9# lsmod |grep nf_nat_ftp
<>
beaker-rhel9# ausearch -i -m avc,user_avc -ts recent
<no matches>
beaker-rhel9# getenforce
Permissive
Comment 6 Zdenek Pytela 2021-09-09 14:06:38 UTC 
The -3 package version looks as expected and this workaround makes the scenario working:

beaker-rhel9# cat local_firewalld.cil
(allow firewalld_t firewalld_t (capability (sys_module)))
beaker-rhel9# semodule -i local_firewalld.cil

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/866
Comment 7 Zdenek Pytela 2021-09-09 19:24:38 UTC 
Commit to backport:
commit dabb900c7b0e96b575edcbb7e032e603be83c716
Author: Zdenek Pytela <zpytela>
Date:   Thu Sep 9 16:02:27 2021 +0200

    Allow firewalld load kernel modules
Comment 16 errata-xmlrpc 2022-05-17 15:49:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918