Bug 2026795
| Summary: | SELinux policy (daemons) changes required for package: fido-device-onboard in RHEL 9.0 | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Patrik Koncity <pkoncity> |
| Component: | selinux-policy | Assignee: | Nobody <nobody> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.0 | CC: | elpereir, idiez, lvrabec, miabbott, mmalik, perobins, qe-baseos-security, rhel-process-autobot, xiaofwan, yih, zpytela |
| Target Milestone: | rc | Keywords: | Reopened, Triaged |
| Target Release: | 9.3 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-38.1.17-1.el9 | Doc Type: | Enhancement |
| Doc Text: | Feature: fido-device-onboard. Reason: Package fido-device-onboard has been added to RHEL 8.5.0. Result: SELinux policy confines additional services. The selinux-policy packages have been updated, and therefore the fido-device-onboard service is now confined by SELinux. | Story Points: | --- |
| Clone Of: | 2025978 | Environment: | |
| Last Closed: | 2023-11-07 08:52:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2025978 | | |
| Bug Blocks: | 1989923, 1989930, 2014410 | | |
Description
Patrik Koncity
2021-11-25 20:26:27 UTC
Hi Yi He,

I created an initial SELinux policy for Fido-device-onboard, but we are not able to test it properly. Can you please test it and attach AVC messages?

The new SELinux policy with the fdo module is available on copr:

# dnf copr enable nknazeko/fdo-selinux
# dnf update selinux-policy

You can check if the fdo module is installed with the semodule command:

# semodule -l | grep fdo
fdo

Also, before testing it is useful to have full auditing enabled:

Open the /etc/audit/rules.d/audit.rules file in an editor.
1. Remove the following line if it exists:
-a task,never
2. Add the following line at the end of the file:
-w /etc/shadow -p w
3. Restart the audit daemon:
# service auditd restart

Thank you
Nikola

Verified on RHEL9.2, the FDO functions work as expected.

RPM installed:
[root@yih-92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.9-1.el9.471.noarch
selinux-policy-targeted-38.9-1.el9.471.noarch
[root@yih-92 rhel-edge]# semodule -l | grep fdo
fdo

Can you please check AVC messages?
# ausearch -m avc -m user_avc -m selinux_err -i

Hi Yi He,

thank you for the AVC logs. I have fixed the policy and created another copr build (version 38.11-1.fc39.57X). Can you please test it again and attach AVC messages?

Thank you,
Nikola

Tested it on rhel9.2, fdo features work as expected.
[root@yih-rhel92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.11-1.el9.570.noarch
selinux-policy-targeted-38.11-1.el9.570.noarch
AVC log has been attached.

Hello!
Thank you for the attachment, I fixed it and created another copr build: selinux-policy-38.13-1.el9.67x. Can you please test it?
Nikola

Verified with the new build, fdo function works as expected. And with this build, the avc log is much shorter.
[root@yih-92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.13-1.el9.670.noarch
selinux-policy-targeted-38.13-1.el9.670.noarch
[root@yih-92 rhel-edge]# ausearch -m avc -m user_avc -m selinux_err -i
----
type=PROCTITLE msg=audit(04/27/2023 22:15:26.737:15028) : proctitle=/usr/libexec/fdo/fdo-serviceinfo-api-server
type=PATH msg=audit(04/27/2023 22:15:26.737:15028) : item=0 name=/tmp/fdouser inode=17843235 dev=fc:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/27/2023 22:15:26.737:15028) : cwd=/etc/fdo/aio/work
type=SYSCALL msg=audit(04/27/2023 22:15:26.737:15028) : arch=x86_64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0x7ffc27084880 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=391967 pid=391981 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fdo-serviceinfo exe=/usr/libexec/fdo/fdo-serviceinfo-api-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(04/27/2023 22:15:26.737:15028) : avc: denied { open } for pid=391981 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
Hi, nice, can you please retest it with version 38.14-1.fc39.671?

Verified with the new build, fdo function works as expected.
[root@yih-92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.14-1.el9.671.noarch
selinux-policy-targeted-38.14-1.el9.671.noarch
[root@yih-92 rhel-edge]# ausearch -m avc -m user_avc -m selinux_err -i
----
type=PROCTITLE msg=audit(05/03/2023 22:53:56.077:20914) : proctitle=/usr/libexec/fdo/fdo-serviceinfo-api-server
type=PATH msg=audit(05/03/2023 22:53:56.077:20914) : item=0 name=/tmp/fdouser inode=17843235 dev=fc:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/03/2023 22:53:56.077:20914) : cwd=/etc/fdo/aio/work
type=SYSCALL msg=audit(05/03/2023 22:53:56.077:20914) : arch=x86_64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0x7ffc709806b0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=566949 pid=566966 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fdo-serviceinfo exe=/usr/libexec/fdo/fdo-serviceinfo-api-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(05/03/2023 22:53:56.077:20914) : avc: denied { open } for pid=566966 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
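The two AVC records above carry `permissive=1` together with `success=yes` on the `openat` syscall: the fdo_t domain was permissive at the time, so the open of the user_tmp_t file in /tmp was logged but still allowed. Once the domain is enforcing, the same access is blocked, which is why every record of this kind is worth triaging before the policy ships. The following is an added example, not code from the bug, from selinux-policy or from the fido-device-onboard project: a small Python reimplementation of the grouping step audit2allow performs on `ausearch -i` output, rendering the allow rule it would propose so the policy author can decide whether that rule is acceptable (here it would let a system daemon read arbitrary user_tmp_t files). The two records from the bug are embedded as sample input, plus one constructed record (not from the bug) showing the same access with `permissive=0`.

```python
"""Summarise SELinux AVC denials from `ausearch -i` output.

Added example (not code from the bug, selinux-policy or fido-device-onboard):
a minimal reimplementation of the grouping audit2allow does, so a tester can see
which domain/type pairs the FDO daemons tripped over and whether each denial was
merely logged (permissive=1) or actually blocked (permissive=0).
"""
import re
from collections import defaultdict

# The two AVC records from the bug's ausearch output (different pids, same denial),
# plus one CONSTRUCTED record (not from the bug) showing what the same access looks
# like once the fdo_t domain is enforcing: permissive=0, the access fails.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(04/27/2023 22:15:26.737:15028) : avc: denied { open } for pid=391981 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(05/03/2023 22:53:56.077:20914) : avc: denied { open } for pid=566966 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1',
    # constructed sample, not from the bug:
    'type=AVC msg=audit(01/01/2024 00:00:00.000:1) : avc: denied { read } for pid=4242 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0',
]

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:range]; TE rules key on the type component.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return {
        'perms': set(m.group('perms').split()),
        'stype': stype,
        'ttype': ttype,
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'path': fields.get('path') or fields.get('name', ''),
        'permissive': fields.get('permissive') == '1',
    }


def summarize(lines):
    """Group denials by (source type, target type, class), as audit2allow does.

    Each group records the union of denied permissions, how many records hit it,
    how many were real blocks (permissive=0) rather than log-only, and the paths.
    """
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'blocked': 0, 'paths': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'] |= rec['perms']
        g['count'] += 1
        g['blocked'] += 0 if rec['permissive'] else 1
        if rec['path']:
            g['paths'].add(rec['path'])
    return dict(groups)


def suggest_rules(groups):
    """Render each group as the TE allow rule audit2allow would propose.

    These rules are input to a policy review, not something to install blindly:
    the one produced here lets a system daemon read any user_tmp_t file.
    """
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = ' '.join(sorted(g['perms']))
        if len(g['perms']) > 1:
            perms = '{ ' + perms + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perms};')
    return rules


if __name__ == '__main__':
    groups = summarize(SAMPLE_AVC_LINES)
    for key, g in groups.items():
        print(key, 'count=%d blocked=%d perms=%s paths=%s'
              % (g['count'], g['blocked'], sorted(g['perms']), sorted(g['paths'])))
    print('\n'.join(suggest_rules(groups)))
```

To run it against a live system, replace `SAMPLE_AVC_LINES` with the lines of `ausearch -m avc -m user_avc -m selinux_err -i`; the `blocked` counter separates denials that already break the service from ones that only show up because the domain is permissive.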
Hi, thank you for the testing. Do you know how /tmp/fdouser is created?

Hi,
/tmp/fdouser has nothing to do with fido and selinux, nor with this bug; you can ignore it.
I can explain how this file is created:
/tmp/fdouser is created by my test script; it will be copied to /etc/sudoers.d/fdouser in the edge OS during fdo onboarding. The purpose is to enable 'no password sudo' for fdouser.
Shell script to create it:
tee /tmp/fdouser > /dev/null << EOF
fdouser ALL=(ALL) NOPASSWD: ALL
EOF
Shell script to configure fido owner onboarding server to copy it:
sudo /usr/local/bin/yq -iy '.service_info.files |= [{path: "/etc/sudoers.d/fdouser", source_path: "/tmp/fdouser"}]' /etc/fdo/aio/configs/serviceinfo_api_server.yml
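The two snippets above stage a sudoers drop-in in /tmp and hand it to the serviceinfo API server through `service_info.files`; the AVC records earlier in the thread show that a confined fdo_t daemon reading that file from /tmp would be denied once enforcing. The following is an added example, not code from the bug or from the fido-device-onboard project, that produces the same drop-in and the same `service_info.files` entry but with the checks a file granting passwordless root warrants before an onboarding server distributes it to devices: the username is validated, the source is written into a root-only staging directory outside /tmp, the file is created without following symlinks and left at mode 0440, and the syntax is checked with `visudo -cf` when running as root with visudo available. Assumptions: the `path` and `source_path` keys are as shown in the yq call above; the staging directory, the `demo()` helper and the file name are this example's own choices, not the project's.

```python
"""Stage a sudoers drop-in for delivery through the FDO serviceinfo API server.

Added example, not from the bug or the fido-device-onboard project. It does what
the two shell snippets in the thread do, with the checks a passwordless-root grant
should get first. The staging directory and helper names are this example's own
assumptions; only the service_info.files keys (path, source_path) come from the bug.
"""
import os
import re
import shutil
import subprocess
import tempfile

# Conservative POSIX-style username: sudoers would misparse spaces, '=' or ','.
_USERNAME_RE = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')


def is_valid_username(user):
    """True if `user` is a name that can safely appear as a sudoers User_List entry."""
    return bool(_USERNAME_RE.match(user))


def sudoers_dropin_text(user):
    """Return the NOPASSWD rule for `user`, the same rule the thread's heredoc writes."""
    if not is_valid_username(user):
        raise ValueError(f'refusing suspicious username {user!r}')
    return f'{user} ALL=(ALL) NOPASSWD: ALL\n'


def stage_sudoers_dropin(user, stage_dir):
    """Write the drop-in as stage_dir/<user> (dir 0700, file 0440).

    The file name has no '.' and no trailing '~', because sudo ignores drop-ins
    named that way; the delivered path stays /etc/sudoers.d/<user> as in the bug.
    Returns (path, validated): validated is True only if visudo actually ran.
    """
    text = sudoers_dropin_text(user)
    os.makedirs(stage_dir, mode=0o700, exist_ok=True)
    os.chmod(stage_dir, 0o700)
    path = os.path.join(stage_dir, user)
    # O_EXCL|O_NOFOLLOW: never overwrite, never follow a pre-planted symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o440)
    with os.fdopen(fd, 'w') as f:
        f.write(text)
    os.chmod(path, 0o440)  # umask may have narrowed the create mode; pin it
    validated = False
    visudo = shutil.which('visudo')
    if visudo and os.geteuid() == 0:
        os.chown(path, 0, 0)  # sudo refuses drop-ins not owned by root
        res = subprocess.run([visudo, '-cf', path], capture_output=True, text=True)
        if res.returncode != 0:
            os.unlink(path)
            raise ValueError(f'visudo rejected {path}: {res.stderr.strip()}')
        validated = True
    return path, validated


def serviceinfo_files_entry(user, source_path):
    """Return the service_info.files fragment for serviceinfo_api_server.yml."""
    return (
        'service_info:\n'
        '  files:\n'
        f'    - path: /etc/sudoers.d/{user}\n'
        f'      source_path: {source_path}\n'
    )


def demo(user='fdouser'):
    """Stage into a private temporary directory and report what was produced."""
    root = tempfile.mkdtemp(prefix='fdo-serviceinfo-')
    try:
        path, validated = stage_sudoers_dropin(user, os.path.join(root, 'stage'))
        with open(path) as f:
            content = f.read()
        mode = oct(os.stat(path).st_mode & 0o777)
        return {'content': content, 'mode': mode, 'validated': validated,
                'yaml': serviceinfo_files_entry(user, path)}
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    print(demo()['yaml'])
```

On a real owner-onboarding host the staging directory would be a persistent root-only location that the serviceinfo API server's SELinux domain is allowed to read, for example next to its own configuration under /etc/fdo, rather than the temporary directory `demo()` uses; the YAML fragment is then merged into serviceinfo_api_server.yml.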
Hi, thank you very much for your help.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Re-opened this bug because fdo-manufacturing-server and fdo-rendezvous-server have a permission denied error in RHEL 9.3 with selinux-policy-38.1.18-1.el9.noarch. The AVC log is attached.

*** Bug 2219647 has been marked as a duplicate of this bug. ***

We are also experiencing issues with the fdo-init RPM, which works in the dracut stage and needs to copy a file from /etc to /bootmount.

Hi, please open a new bug and attach there all SELinux denials.
Thank you,
Nikola

Thanks! I opened a new bug https://bugzilla.redhat.com/show_bug.cgi?id=2229722 and attached the FDO server and client AVC log in the bug.

> please open new bug and attach there all SELinux denials.

This was previously in the VERIFIED state; it hasn't gone out, and the changes here still fix things which need to go stable.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6617