Bug 2041447
| Summary: | SELinux denials with shorewall6-lite service | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Oliver Freyermuth <o.freyermuth> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | CentOS Stream | CC: | bstinson, jwboyer, lvrabec, mmalik, ssekidde, wienemann |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.6 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-87.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-10 15:15:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/17/2022 06:33:24.784:338) : proctitle=/bin/sh /usr/sbin/shorewall -6l start
type=PATH msg=audit(01/17/2022 06:33:24.784:338) : item=0 name=/var/lib/shorewall6-lite/firewall inode=1254942 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/17/2022 06:33:24.784:338) : cwd=/
type=SYSCALL msg=audit(01/17/2022 06:33:24.784:338) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55c22217eb20 a1=0x7fffb7cd2130 a2=0x7fffb7cd2130 a3=0x10 items=1 ppid=1 pid=6720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=shorewall exe=/usr/bin/bash subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(01/17/2022 06:33:24.784:338) : avc: denied { getattr } for pid=6720 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
----
# rpm -qa shorewall\* selinux-policy\* | sort
selinux-policy-3.14.3-86.el8.noarch
selinux-policy-targeted-3.14.3-86.el8.noarch
shorewall-5.2.2-4.el8.noarch
shorewall6-5.2.2-4.el8.noarch
shorewall6-lite-5.2.2-4.el8.noarch
shorewall-core-5.2.2-4.el8.noarch
# ls -ldZ /var/lib/shorewall*
drwxr-xr-x. 2 root root system_u:object_r:shorewall_var_lib_t:s0 6 Jan 12 2020 /var/lib/shorewall
drwxr-xr-x. 2 root root system_u:object_r:shorewall_var_lib_t:s0 6 Jan 12 2020 /var/lib/shorewall6
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 22 Jan 17 06:33 /var/lib/shorewall6-lite
# restorecon -Rv /var/lib/
#
Easily reproducible after installation of the above-mentioned packages and the following command:
# touch /var/lib/shorewall6-lite/firewall
Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/17/2022 06:38:07.199:343) : proctitle=/bin/sh /usr/sbin/shorewall -6l start
type=PATH msg=audit(01/17/2022 06:38:07.199:343) : item=0 name=/var/lib/shorewall6-lite/firewall inode=1254942 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/17/2022 06:38:07.199:343) : cwd=/
type=SYSCALL msg=audit(01/17/2022 06:38:07.199:343) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55eb85c47b20 a1=0x7ffccb580b20 a2=0x7ffccb580b20 a3=0x10 items=1 ppid=1 pid=6779 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=shorewall exe=/usr/bin/bash subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(01/17/2022 06:38:07.199:343) : avc: denied { getattr } for pid=6779 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
----
I believe that 1 file context pattern (which would match the /var/lib/shorewall6-lite location) is missing:
# semanage fcontext -l | grep /var/lib/shorewall
/var/lib/shorewall(/.*)? all files system_u:object_r:shorewall_var_lib_t:s0
/var/lib/shorewall-lite(/.*)? all files system_u:object_r:shorewall_var_lib_t:s0
/var/lib/shorewall6(/.*)? all files system_u:object_r:shorewall_var_lib_t:s0
#
All shorewall* packages come from the EPEL repository.
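An added check, not part of this bug report or of the selinux-policy project: it parses an AVC record like the one above and compares the denied file's type with the type the fcontext rules assign to that path. The fcontext table is a constructed copy of the three entries listed above plus the shorewall6-lite pattern the upstream commit adds, and the sample record is the enforcing-mode AVC from this report.

```shell
#!/bin/sh
# Added example, not part of this bug report: parse an AVC denial record and
# check whether the denied file is labelled as the fcontext rules expect.

# Constructed table of the fcontext entries shown above plus the one the
# upstream commit adds for /var/lib/shorewall6-lite (pattern, expected type).
FCONTEXTS='/var/lib/shorewall(/.*)? shorewall_var_lib_t
/var/lib/shorewall-lite(/.*)? shorewall_var_lib_t
/var/lib/shorewall6(/.*)? shorewall_var_lib_t
/var/lib/shorewall6-lite(/.*)? shorewall_var_lib_t'

# expected_type PATH: print the type of the first pattern matching the whole
# path (these patterns are mutually exclusive); print nothing when none
# matches, i.e. the filesystem default label (var_lib_t here) applies.
expected_type() {
    while read -r pat type; do
        if printf '%s\n' "$1" | grep -Eqx "$pat"; then
            printf '%s\n' "$type"
            return 0
        fi
    done <<EOF
$FCONTEXTS
EOF
    return 0
}

# avc_field RECORD KEY: print the value of KEY=... in an audit record,
# with or without the double quotes that raw auditd output puts around it.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# mislabelled AVC_LINE: succeed (and report) when the target file's type
# differs from what the policy's fcontext rules assign to that path.
mislabelled() {
    p=$(avc_field "$1" path)
    actual=$(avc_field "$1" tcontext | cut -d: -f3)
    want=$(expected_type "$p")
    [ -n "$want" ] && [ "$want" != "$actual" ] || return 1
    printf '%s: labelled %s, policy expects %s\n' "$p" "$actual" "$want"
}

# Constructed sample: the enforcing-mode AVC record quoted in this report.
SAMPLE='type=AVC msg=audit(01/17/2022 06:33:24.784:338) : avc: denied { getattr } for pid=6720 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0'

if mislabelled "$SAMPLE"; then
    echo "Interim local fix until selinux-policy-3.14.3-87.el8 is installed:"
    echo "  semanage fcontext -a -t shorewall_var_lib_t '/var/lib/shorewall6-lite(/.*)?'"
    echo "  restorecon -Rv /var/lib/shorewall6-lite"
fi
```

The printed semanage/restorecon lines are the local equivalent of the missing pattern; once the fixed policy package is installed, the local rule can be dropped with semanage fcontext -d.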
(In reply to Milos Malik from comment #2)
> I believe that 1 file context pattern (which would match the
> /var/lib/shorewall6-lite location) is missing:

Indeed, this is exactly the pattern the linked PR adds. For reference, here's the direct link to the commit:
https://github.com/fedora-selinux/selinux-policy/commit/9f1eb5d72ed0e9c0859cf6240ac8eace9e3e1c80

Needs to be backported:

commit 9f1eb5d72ed0e9c0859cf6240ac8eace9e3e1c80
Author: Oliver Freyermuth <freyermuth.de>
Date: Thu Nov 25 11:53:15 2021 +0100

    Label /var/lib/shorewall6-lite with shorewall_var_lib_t
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:1995
Description of problem:
Trying to start the shorewall6-lite service with SELinux in en

Version-Release number of selected component (if applicable):
3.14.3-80.el8_5.2

How reproducible:
Always.

Steps to Reproduce:
1. Configure shorewall6.
2. Start shorewall6-lite service.

Actual results:
Starting fails with permission denied (SELinux denial):

type=AVC msg=audit(1637837574.772:19965): avc: denied { getattr } for pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall.conf" dev="md125" ino=679 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19966): avc: denied { getattr } for pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19967): avc: denied { getattr } for pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

Expected results:
Works.

Additional info:
Already fixed upstream via: https://github.com/fedora-selinux/selinux-policy/pull/954