Bug 2041447

Summary: SELinux denials with shorewall6-lite service
Product: Red Hat Enterprise Linux 8
Reporter: Oliver Freyermuth <o.freyermuth>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: CentOS Stream
CC: bstinson, jwboyer, lvrabec, mmalik, ssekidde, wienemann
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.6
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-87.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-10 15:15:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Oliver Freyermuth 2022-01-17 11:20:05 UTC
Description of problem:
Trying to start the shorewall6-lite service with SELinux in en


Version-Release number of selected component (if applicable):
3.14.3-80.el8_5.2

How reproducible:
Always. 

Steps to Reproduce:
1. Configure shorewall6. 
2. Start shorewall6-lite service. 

Actual results:
Starting fails with permission denied (SELinux denial):
type=AVC msg=audit(1637837574.772:19965): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall.conf" dev="md125" ino=679 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19966): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19967): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

Expected results:
Works. 

Additional info:
Already fixed upstream via:
https://github.com/fedora-selinux/selinux-policy/pull/954

Comment 1 Milos Malik 2022-01-17 11:37:09 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/17/2022 06:33:24.784:338) : proctitle=/bin/sh /usr/sbin/shorewall -6l start 
type=PATH msg=audit(01/17/2022 06:33:24.784:338) : item=0 name=/var/lib/shorewall6-lite/firewall inode=1254942 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/17/2022 06:33:24.784:338) : cwd=/ 
type=SYSCALL msg=audit(01/17/2022 06:33:24.784:338) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55c22217eb20 a1=0x7fffb7cd2130 a2=0x7fffb7cd2130 a3=0x10 items=1 ppid=1 pid=6720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=shorewall exe=/usr/bin/bash subj=system_u:system_r:shorewall_t:s0 key=(null) 
type=AVC msg=audit(01/17/2022 06:33:24.784:338) : avc:  denied  { getattr } for  pid=6720 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 
----

# rpm -qa shorewall\* selinux-policy\* | sort
selinux-policy-3.14.3-86.el8.noarch
selinux-policy-targeted-3.14.3-86.el8.noarch
shorewall-5.2.2-4.el8.noarch
shorewall6-5.2.2-4.el8.noarch
shorewall6-lite-5.2.2-4.el8.noarch
shorewall-core-5.2.2-4.el8.noarch
# ls -ldZ /var/lib/shorewall*
drwxr-xr-x. 2 root root system_u:object_r:shorewall_var_lib_t:s0  6 Jan 12  2020 /var/lib/shorewall
drwxr-xr-x. 2 root root system_u:object_r:shorewall_var_lib_t:s0  6 Jan 12  2020 /var/lib/shorewall6
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0           22 Jan 17 06:33 /var/lib/shorewall6-lite
# restorecon -Rv /var/lib/
# 

Easily reproducible after installation of above-mentioned packages and the following command:

# touch /var/lib/shorewall6-lite/firewall

Comment 2 Milos Malik 2022-01-17 11:41:51 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/17/2022 06:38:07.199:343) : proctitle=/bin/sh /usr/sbin/shorewall -6l start 
type=PATH msg=audit(01/17/2022 06:38:07.199:343) : item=0 name=/var/lib/shorewall6-lite/firewall inode=1254942 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/17/2022 06:38:07.199:343) : cwd=/ 
type=SYSCALL msg=audit(01/17/2022 06:38:07.199:343) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55eb85c47b20 a1=0x7ffccb580b20 a2=0x7ffccb580b20 a3=0x10 items=1 ppid=1 pid=6779 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=shorewall exe=/usr/bin/bash subj=system_u:system_r:shorewall_t:s0 key=(null) 
type=AVC msg=audit(01/17/2022 06:38:07.199:343) : avc:  denied  { getattr } for  pid=6779 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1 
----

I believe that 1 file context pattern (which would match the /var/lib/shorewall6-lite location) is missing:

# semanage fcontext -l | grep /var/lib/shorewall
/var/lib/shorewall(/.*)?                           all files          system_u:object_r:shorewall_var_lib_t:s0 
/var/lib/shorewall-lite(/.*)?                      all files          system_u:object_r:shorewall_var_lib_t:s0 
/var/lib/shorewall6(/.*)?                          all files          system_u:object_r:shorewall_var_lib_t:s0 
#

All shorewall* packages come from the EPEL repository.

Comment 3 Oliver Freyermuth 2022-01-17 12:01:45 UTC
(In reply to Milos Malik from comment #2)
> I believe that 1 file context pattern (which would match the
> /var/lib/shorewall6-lite location) is missing:

Indeed, this is exactly the pattern the linked PR adds. 
For reference, here's the direct link to the commit:
https://github.com/fedora-selinux/selinux-policy/commit/9f1eb5d72ed0e9c0859cf6240ac8eace9e3e1c80

Comment 4 Zdenek Pytela 2022-01-17 15:45:35 UTC
Needs to be backported:
commit 9f1eb5d72ed0e9c0859cf6240ac8eace9e3e1c80
Author: Oliver Freyermuth <freyermuth.de>
Date:   Thu Nov 25 11:53:15 2021 +0100

    Label /var/lib/shorewall6-lite with shorewall_var_lib_t
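
As an added illustration (not part of the bug report or of the selinux-policy project) of the diagnosis in comment 2 and the fix in comment 4: the Python below parses the AVC denials quoted above and checks the denied path against the file context patterns `semanage fcontext -l` listed, first without and then with the `/var/lib/shorewall6-lite(/.*)?` entry the commit adds. It assumes only that fcontext regexes must match the whole path and, as a simplification, that the last matching entry wins.

```python
import re

# Constructed from the report: the three patterns `semanage fcontext -l` listed,
# plus the one the upstream commit adds for /var/lib/shorewall6-lite.
EXISTING_FCONTEXTS = {
    r"/var/lib/shorewall(/.*)?": "shorewall_var_lib_t",
    r"/var/lib/shorewall-lite(/.*)?": "shorewall_var_lib_t",
    r"/var/lib/shorewall6(/.*)?": "shorewall_var_lib_t",
}
FIXED_FCONTEXTS = {**EXISTING_FCONTEXTS, r"/var/lib/shorewall6-lite(/.*)?": "shorewall_var_lib_t"}

# Constructed sample input: a raw audit.log line (path quoted) and an ausearch -i line (path bare).
SAMPLE_AVC = [
    'type=AVC msg=audit(1637837574.772:19965): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall.conf" dev="md125" ino=679 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(01/17/2022 06:33:24.784:338) : avc:  denied  { getattr } for  pid=6720 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+?) \}.*?\bpath="?(?P<path>[^"\s]+)"?'
    r'.*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["ttype"] = d["tcontext"].split(":")[2]  # a context is user:role:type:level
    return d

def expected_type(path, fcontexts):
    """Type the table assigns to path, or None if no pattern matches the whole path."""
    hits = [t for pat, t in fcontexts.items() if re.fullmatch(pat, path)]
    return hits[-1] if hits else None  # simplification: last matching entry wins

def diagnose(lines, fcontexts):
    """Per denial: can restorecon fix the label, or does the policy need to change?"""
    out = []
    for avc in filter(None, map(parse_avc, lines)):
        want = expected_type(avc["path"], fcontexts)
        if want is None:
            verdict = "no fcontext pattern: restorecon is a no-op, policy needs a pattern"
        elif want != avc["ttype"]:
            verdict = "mislabeled: restorecon would relabel to " + want
        else:
            verdict = "label correct: the domain lacks an allow rule for this type"
        out.append((avc["path"], avc["ttype"], want, verdict))
    return out
```

With the original three patterns, `diagnose()` reports that nothing matches `/var/lib/shorewall6-lite/...`, which is why `restorecon -Rv /var/lib/` in comment 1 changed nothing; with the added pattern it reports the files as mislabeled, and a relabel then gives them `shorewall_var_lib_t`.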

Comment 18 errata-xmlrpc 2022-05-10 15:15:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995