Bug 2001599

Summary: map AVC denial for /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Karel Srot <ksrot>
Assignee: Patrik Koncity <pkoncity>
QA Contact: Milos Malik <mmalik>
CC: abokovoy, apeetham, lvrabec, mmalik, pkoncity, rcritten, ssekidde, tscherf, zpytela
Keywords: Triaged
Flags: pm-rhel: mirror+
Target Milestone: rc
Target Release: 8.6
Fixed In Version: selinux-policy-3.14.3-82.el8
Doc Type: No Doc Update
Type: Bug
Last Closed: 2022-05-10 15:15:05 UTC

Description Karel Srot 2021-09-06 14:17:12 UTC
Description of problem:

The following AVC denial is reported when I run the test
/CoreOS/selinux-policy/Regression/pkcsslotd-and-similar

----
type=PROCTITLE msg=audit(09/06/2021 14:48:49.085:490) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit 
type=MMAP msg=audit(09/06/2021 14:48:49.085:490) : fd=13 flags=MAP_SHARED 
type=SYSCALL msg=audit(09/06/2021 14:48:49.085:490) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x14368 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=44755 pid=44808 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/06/2021 14:48:49.085:490) : avc:  denied  { map } for  pid=44808 comm=dogtag-ipa-rene path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=50846 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 

I do not know if the denial has any impact on the respective process.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-79.el8.noarch
RHEL-8.5.0-20210906.n.0

How reproducible:
most likely regularly

Steps to Reproduce:
1. schedule the test mentioned above

Actual results:
AVC reported

Expected results:
no AVC reported

Additional info:

Comment 2 Karel Srot 2021-09-06 14:20:16 UTC
Please switch to selinux-policy if this is not relevant to the policy shipped with IPA.

Comment 3 Alexander Bokovoy 2021-09-06 14:26:32 UTC
This is not relevant to IPA policy as the error happens from any application using softhsm tokens.

See, for example, the RHEL 9 bug: https://bugzilla.redhat.com/show_bug.cgi?id=1977915 -- I think this one would be exactly the same as the RHEL 9 bug.

Comment 4 Patrik Koncity 2021-09-08 16:56:14 UTC
Hi Karel, what is the output of these two commands?

# ls -Z /dev/shm/var.lib.opencryptoki.swtok

# sesearch -A -s certmonger_t -t pkcs_slotd_tmpfs_t -c file -p map

Thank you,
Patrik

Comment 5 Karel Srot 2021-09-09 07:51:05 UTC
Hi Patrik,
as indicated by the AVC denial, the file has the context user_tmp_t.
I have identified that this context is assigned when the token is initialized by a user.
OTOH, when I restart a service (e.g. ipsec or certmonger, as happens in /CoreOS/selinux-policy/Regression/pkcsslotd-and-similar), the file context is pkcs_slotd_tmpfs_t.
According to the policy, there is no default context assigned.

I originally reported that the problem can be reproduced using the test mentioned above. This is not entirely true: the token has to be initialized by a user in order to get the user_tmpfs_t context.
Please see the console log below.

selinux-policy-3.14.3-79.el8.noarch
# matchpathcon /dev/shm/var.lib.opencryptoki.swtok
/dev/shm/var.lib.opencryptoki.swtok	<<none>>

# rm /dev/shm/var.lib.opencryptoki.swtok
rm: remove regular file '/dev/shm/var.lib.opencryptoki.swtok'? y
# systemctl restart ipsec
# ls -Z /dev/shm/var.lib.opencryptoki.swtok
system_u:object_r:pkcs_slotd_tmpfs_t:s0 /dev/shm/var.lib.opencryptoki.swtok


### clear the file and reset token
# rm /dev/shm/var.lib.opencryptoki.swtok
rm: remove regular file '/dev/shm/var.lib.opencryptoki.swtok'? y
# find /var/lib/opencryptoki/ -type f -exec rm {} \;
### configure a new token
# /usr/sbin/pkcsconf -c 3 -u
Enter the SO PIN:           (enter 87654321)
Enter the new user PIN:     (enter e.g. 76543210)
Re-enter the new user PIN:  (enter e.g. 76543210)
# ls -Z /dev/shm/var.lib.opencryptoki.swtok
unconfined_u:object_r:user_tmp_t:s0 /dev/shm/var.lib.opencryptoki.swtok

### now reproduce the denial
# > /var/log/audit/audit.log 
# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
# ausearch -m avc
----
time->Thu Sep  9 09:49:45 2021
type=PROCTITLE msg=audit(1631173785.780:775): proctitle="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
type=MMAP msg=audit(1631173785.780:775): fd=13 flags=0x1
type=SYSCALL msg=audit(1631173785.780:775): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=14368 a2=3 a3=1 items=0 ppid=97613 pid=97633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-rene" exe="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1631173785.780:775): avc:  denied  { map } for  pid=97633 comm="dogtag-ipa-rene" path="/dev/shm/var.lib.opencryptoki.swtok" dev="tmpfs" ino=316231 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
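The AVC record above pins the cause to the target label: a file under /dev/shm carrying user_tmp_t instead of pkcs_slotd_tmpfs_t. The script below is an added example, not part of the bug report or of the selinux-policy project. It parses raw type=AVC records (a constructed sample built from the record in this comment plus one unrelated denial), flags a map denial on the opencryptoki token file whose target type is not the expected one, and offers a check of the live label via stat -c %C. The expected type and the path pattern are taken from this thread; the chcon workaround it suggests is an assumption, so confirm with the sesearch command from comment 4 that certmonger_t may map pkcs_slotd_tmpfs_t before relabelling.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the mislabelled opencryptoki
# token file from raw AVC records and check the live label.

EXPECTED_TYPE=pkcs_slotd_tmpfs_t   # label the service-created file gets (comment 5)

# Constructed sample: the AVC record from comment 5 plus one unrelated denial
# (the second record is invented for contrast; its domain and path are not real).
AVC_TOKEN='type=AVC msg=audit(1631173785.780:775): avc:  denied  { map } for  pid=97633 comm="dogtag-ipa-rene" path="/dev/shm/var.lib.opencryptoki.swtok" dev="tmpfs" ino=316231 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'
AVC_OTHER='type=AVC msg=audit(1631173790.000:776): avc:  denied  { read } for  pid=4242 comm="example" path="/var/lib/example/state" dev="dm-0" ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
SAMPLE_AUDIT="$AVC_TOKEN
$AVC_OTHER"

# avc_field RECORD KEY -> value of KEY=... with surrounding quotes stripped
# (raw audit.log quotes strings; the enriched ausearch -i output does not).
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perm RECORD -> the permission named inside { }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\) *}.*/\1/p'
}

# type_of CONTEXT -> type component of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc RECORD -> "token_mislabelled <type>" (status 0) when a file
# under the token path is denied map because its type is not EXPECTED_TYPE;
# "other" (status 1) for anything else.
classify_avc() {
    path=$(avc_field "$1" path)
    tclass=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    case $path in
        /dev/shm/*opencryptoki*) ;;
        *) echo other; return 1 ;;
    esac
    if [ "$tclass" = file ] && [ "$perm" = map ] && [ "$ttype" != "$EXPECTED_TYPE" ]; then
        echo "token_mislabelled $ttype"
        return 0
    fi
    echo other
    return 1
}

# scan_audit [FILE] -> one line per mislabelled-token denial found in FILE
# (typically /var/log/audit/audit.log) or in the constructed sample.
scan_audit() {
    if [ -n "$1" ]; then src=$(grep '^type=AVC' "$1" || true); else src=$SAMPLE_AUDIT; fi
    printf '%s\n' "$src" | while IFS= read -r rec; do
        classify_avc "$rec" | grep '^token_mislabelled' || true
    done
}

# check_token_label [FILE] -> 0 when the live label matches EXPECTED_TYPE.
# On the unfixed policy matchpathcon reports <<none>> for this path, so
# restorecon cannot repair it; chcon is a manual workaround (assumption) that
# lasts only until the file is recreated.
check_token_label() {
    f=${1:-/dev/shm/var.lib.opencryptoki.swtok}
    [ -e "$f" ] || { echo "$f: not present"; return 2; }
    t=$(type_of "$(stat -c %C "$f")")      # GNU stat: SELinux context string
    if [ "$t" = "$EXPECTED_TYPE" ]; then
        echo "$f: $t (ok)"; return 0
    fi
    echo "$f: labelled $t, expected $EXPECTED_TYPE"
    echo "workaround: chcon -t $EXPECTED_TYPE $f  (verify first: sesearch -A -s certmonger_t -t $EXPECTED_TYPE -c file -p map)"
    return 1
}

scan_audit     # prints: token_mislabelled user_tmp_t
```

Run scan_audit /var/log/audit/audit.log on the affected host to list every such denial, then check_token_label to compare the live label with the one a service restart produces.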

Comment 6 Patrik Koncity 2021-09-13 15:05:00 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/870

Comment 8 Zdenek Pytela 2021-10-11 09:28:03 UTC
Commits to backport:
commit 00615a1f6dcc6cceae7754d354be900ce8e5d351 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Wed Sep 15 13:46:03 2021 +0200

    Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files

commit 8d59262f30201769e013488acca91e12950d62b0
Author: Patrik Koncity <pkoncity>
Date:   Mon Sep 13 14:14:22 2021 +0200

    Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain
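The two commits above add a named file transition so that the token file is labelled pkcs_slotd_tmpfs_t whichever domain creates it. As an added example, and not the upstream change itself (which targets the login_userdomain attribute and lives in the pkcs policy files), the script below writes and builds a minimal local policy module expressing the same kind of rule for the unconfined_t domain seen in the AVC. The module name, the choice of unconfined_t as the creating domain, and the refpolicy devel Makefile build path are assumptions.

```shell
#!/bin/sh
# Added example, not the upstream fix: a minimal local policy module with a
# named file transition, so that a file called var.lib.opencryptoki.swtok
# created by unconfined_t in a tmpfs_t directory (/dev/shm) is labelled
# pkcs_slotd_tmpfs_t instead of the user's tmpfs default.
# Assumptions: creating domain unconfined_t (the AVC shows unconfined_u),
# selinux-policy-devel installed for the build. Upstream uses the
# login_userdomain attribute instead of a single domain.

MODULE=local_pkcs_swtok
TOKEN_NAME=var.lib.opencryptoki.swtok

# te_text -> policy source on stdout
te_text() {
    cat <<EOF
policy_module($MODULE, 1.0)

require {
    type tmpfs_t;
    type pkcs_slotd_tmpfs_t;
    type unconfined_t;
}

# Named file transition: when unconfined_t creates a file called
# $TOKEN_NAME inside a tmpfs_t directory, label it pkcs_slotd_tmpfs_t.
# A confined creator would additionally need create/write access to
# pkcs_slotd_tmpfs_t:file; unconfined_t already has it.
type_transition unconfined_t tmpfs_t:file pkcs_slotd_tmpfs_t "$TOKEN_NAME";
EOF
}

# build_and_load [DIR] -> compile with the refpolicy devel Makefile and install
build_and_load() {
    dir=${1:-/tmp/$MODULE}
    mkdir -p "$dir" && te_text > "$dir/$MODULE.te" || return 1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" ) || return 1
    semodule -i "$dir/$MODULE.pp"
}

# verify -> after loading, the policy must resolve the named transition
verify() {
    sesearch -T -s unconfined_t -t tmpfs_t -c file | grep "$TOKEN_NAME"
}
```

After build_and_load, remove the stale file, rerun the pkcsconf initialisation from comment 5 and confirm with ls -Z that the new file carries pkcs_slotd_tmpfs_t; remove the local module once the selinux-policy update from the errata is installed.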

Comment 16 errata-xmlrpc 2022-05-10 15:15:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995