Bug 2029873

Summary: SELinux prevents the rhsm-service process from working with /memfd:libffi
Product: Red Hat Enterprise Linux 8
Reporter: Marius Vollmer <mvollmer>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.6
CC: amahdal, lvrabec, mmalik, mpitt, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.6
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-89.el8
Doc Type: No Doc Update
Last Closed: 2022-05-10 15:15:45 UTC
Type: Bug

Description Marius Vollmer 2021-12-07 14:09:56 UTC
Description of problem:

avc:  denied  { write } for  pid=2447 comm="rhsm-service" name="memfd:libffi" dev="tmpfs" ino=41282 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

Version-Release number of selected component (if applicable):

subscription-manager 1.28.24-1.el8
selinux-policy-targeted-3.14.3-83.el8

How reproducible:
Always

Steps to Reproduce:
1. systemctl start rhsm.service

Actual results:
[  457.672115] audit: type=1400 audit(1638886060.853:4): avc:  denied  { write } for  pid=1778 comm="rhsm-service" name="memfd:libffi" dev="tmpfs" ino=40162 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
[  457.691018] audit: type=1400 audit(1638886060.871:5): avc:  denied  { write } for  pid=1778 comm="rhsm-service" name="memfd:libffi" dev="tmpfs" ino=40162 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

Expected results:
No audit messages for rhsm-service

Comment 1 Martin Pitt 2021-12-07 14:31:22 UTC
Adding regression. This started to happen about a week ago only. Earlier RHEL 8.6 nightlies (and also earlier 8.y) were fine.

Comment 2 Milos Malik 2021-12-07 15:21:46 UTC
# service rhsm status
Redirecting to /bin/systemctl status rhsm.service
● rhsm.service - RHSM dbus service
   Loaded: loaded (/usr/lib/systemd/system/rhsm.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-12-07 10:19:31 EST; 36s ago
 Main PID: 21157 (rhsm-service)
    Tasks: 2 (limit: 11356)
   Memory: 32.7M
   CGroup: /system.slice/rhsm.service
           └─21157 /usr/libexec/platform-python /usr/libexec/rhsm-service

Dec 07 10:19:30 removed systemd[1]: Starting RHSM dbus service...
Dec 07 10:19:31 removed systemd[1]: Started RHSM dbus service.
Dec 07 10:19:31 removed rhsm-service[21157]: could not allocate closure
Dec 07 10:19:31 removed rhsm-service[21157]: could not allocate closure
#

----
type=PROCTITLE msg=audit(12/07/2021 10:19:31.355:338) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsm-service 
type=SYSCALL msg=audit(12/07/2021 10:19:31.355:338) : arch=x86_64 syscall=ftruncate success=no exit=EACCES(Permission denied) a0=0x9 a1=0x1000 a2=0x7f04ece62ba0 a3=0x5581e14388c0 items=0 ppid=1 pid=21157 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(12/07/2021 10:19:31.355:338) : avc:  denied  { write } for  pid=21157 comm=rhsm-service name=memfd:libffi dev="tmpfs" ino=60966 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(12/07/2021 10:19:31.358:339) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsm-service 
type=SYSCALL msg=audit(12/07/2021 10:19:31.358:339) : arch=x86_64 syscall=ftruncate success=no exit=EACCES(Permission denied) a0=0x9 a1=0x1000 a2=0x0 a3=0x0 items=0 ppid=1 pid=21157 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(12/07/2021 10:19:31.358:339) : avc:  denied  { write } for  pid=21157 comm=rhsm-service name=memfd:libffi dev="tmpfs" ino=60966 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 
----

Comment 3 Milos Malik 2021-12-07 15:25:24 UTC
The following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(12/07/2021 10:22:45.186:344) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsm-service 
type=SYSCALL msg=audit(12/07/2021 10:22:45.186:344) : arch=x86_64 syscall=ftruncate success=yes exit=0 a0=0x9 a1=0x1000 a2=0x7fc5885c6ba0 a3=0x555e101338c0 items=0 ppid=1 pid=21223 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(12/07/2021 10:22:45.186:344) : avc:  denied  { write } for  pid=21223 comm=rhsm-service name=memfd:libffi dev="tmpfs" ino=61424 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(12/07/2021 10:22:45.186:345) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsm-service 
type=MMAP msg=audit(12/07/2021 10:22:45.186:345) : fd=9 flags=MAP_SHARED 
type=SYSCALL msg=audit(12/07/2021 10:22:45.186:345) : arch=x86_64 syscall=mmap success=yes exit=140486531080192 a0=0x0 a1=0x1000 a2=PROT_READ|PROT_EXEC a3=MAP_SHARED items=0 ppid=1 pid=21223 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-service exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(12/07/2021 10:22:45.186:345) : avc:  denied  { read execute } for  pid=21223 comm=rhsm-service path=/memfd:libffi (deleted) dev="tmpfs" ino=61424 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(12/07/2021 10:22:45.186:345) : avc:  denied  { map } for  pid=21223 comm=rhsm-service path=/memfd:libffi (deleted) dev="tmpfs" ino=61424 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 
----
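Added here as a triage example, not part of this report or of the selinux-policy project: the script below parses the AVC records from comments 2 and 3 (embedded as constructed sample input) and unions the denied permissions per source domain, target type and object class. It makes the point of the permissive-mode run visible: in enforcing mode only { write } is logged, because the failed ftruncate() stops rhsm-service before it ever calls mmap(), so a rule derived from enforcing-mode logs alone would be incomplete. The audit2allow-style rule it renders against tmpfs_t is only a starting point; the actual fix in the linked PR may use a narrower policy interface.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug, one per line.
# Enforcing mode (permissive=0) only ever shows { write }, because the failed
# ftruncate() stops rhsm-service before it reaches mmap(); permissive mode
# (permissive=1) lets the code run on and reveals the full permission set.
ENFORCING = """\
type=AVC msg=audit(12/07/2021 10:19:31.355:338) : avc:  denied  { write } for  pid=21157 comm=rhsm-service name=memfd:libffi dev="tmpfs" ino=60966 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(12/07/2021 10:19:31.358:339) : avc:  denied  { write } for  pid=21157 comm=rhsm-service name=memfd:libffi dev="tmpfs" ino=60966 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
"""
PERMISSIVE = """\
type=AVC msg=audit(12/07/2021 10:22:45.186:344) : avc:  denied  { write } for  pid=21223 comm=rhsm-service name=memfd:libffi dev="tmpfs" ino=61424 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/07/2021 10:22:45.186:345) : avc:  denied  { read execute } for  pid=21223 comm=rhsm-service path=/memfd:libffi (deleted) dev="tmpfs" ino=61424 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(12/07/2021 10:22:45.186:345) : avc:  denied  { map } for  pid=21223 comm=rhsm-service path=/memfd:libffi (deleted) dev="tmpfs" ino=61424 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

def parse_avc(line):
    """Return None unless the line is an AVC denial, else the triage fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]+)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    obj = fields.get("name") or fields.get("path", "")
    return {
        "perms": frozenset(m.group(1).split()),
        "sdom": fields["scontext"].split(":")[2],  # system_u:system_r:X:s0 -> X
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "memfd": obj.lstrip("/").startswith("memfd:"),  # anonymous memfd object
        "permissive": fields["permissive"] == "1",
    }

def required_perms(log):
    """Union denied permissions per (source domain, target type, class)."""
    needed = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["sdom"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {k: frozenset(v) for k, v in needed.items()}

def allow_rules(needed):
    """audit2allow-style rules; the upstream fix may use a narrower interface."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]
```

Running `allow_rules(required_perms(PERMISSIVE))` yields the rule for the full { execute map read write } set, while the enforcing-mode log alone yields only { write }.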

Comment 9 Zdenek Pytela 2022-01-14 16:51:48 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1003

Comment 11 Zdenek Pytela 2022-01-17 16:20:58 UTC
To backport:
commit f3fcabd0de8510305767481f6dd623f5422dc26d (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Fri Jan 14 17:50:08 2022 +0100

    Allow rhsm-service read/write its private memfd: objects

Comment 19 Zdenek Pytela 2022-01-21 13:10:17 UTC
*** Bug 1917445 has been marked as a duplicate of this bug. ***

Comment 20 Zdenek Pytela 2022-01-21 17:43:13 UTC
I've submitted a Fedora PR to address the remaining issues:
https://github.com/fedora-selinux/selinux-policy/pull/1019

Comment 29 errata-xmlrpc 2022-05-10 15:15:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995