Bug 2088441

Summary: /usr/lib/systemd/systemd-socket-proxyd is not labeled appropriately, making the tool unusable
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact: Jan Fiala <jafiala>
Priority: medium
Version: 8.6
CC: jafiala, lvrabec, mharri, mmalik, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.8
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-113.el8
Doc Type: Enhancement
Doc Text:
.New SELinux policy for `systemd-socket-proxyd`
Because the `systemd-socket-proxyd` service requires particular resource usage, a new policy with the required rules was added to the `selinux-policy` packages. As a result, the service runs in its own SELinux domain.
Clones: 2141606
Last Closed: 2023-05-16 09:03:44 UTC
Type: Bug
Bug Blocks: 2141606
Deadline: 2022-10-24

Description Renaud Métrich 2022-05-19 12:59:27 UTC
Description of problem:

We have a customer trying to use /usr/lib/systemd/systemd-socket-proxyd functionality. The tool is supposed to be able to connect to various sockets since it's supposed to act as a proxy.
Currently it's labeled with *init_exec_t*, hence executes in the context of the caller (systemd), *init_t*, which is hopefully not able to connect to the world.

From the manpage, the tool is supposed to be used as a service ExecStart command.
We need to create a new label for this tool and appropriate transition so that connection to sockets is possible.

Version-Release number of selected component (if applicable):

systemd-239

How reproducible:

Always

Steps to Reproduce:
1. Install telnet-server and nmap-ncat

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# yum -y install telnet-server nmap-ncat
# systemctl start telnet.socket
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Create a proxy-to-telnet socket (/etc/systemd/system/proxy-to-telnet.socket)

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[Socket]
ListenStream=80

[Install]
WantedBy=sockets.target
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Create a proxy-to-telnet service (/etc/systemd/system/proxy-to-telnet.service)

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[Unit]
Requires=proxy-to-telnet.socket
After=proxy-to-telnet.socket

[Service]
ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:23
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

4. Start the socket and try connecting to it

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl daemon-reload
# ncat -t localhost 80
--> "hangs"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ausearch -i -m avc,user_avc -ts recent
----
type=PROCTITLE msg=audit(05/19/2022 14:58:13.294:365) : proctitle=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:23 
type=SYSCALL msg=audit(05/19/2022 14:58:13.294:365) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xa a1=0x55e03db88af0 a2=0x10 a3=0x0 items=0 ppid=1 pid=11666 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-socket- exe=/usr/lib/systemd/systemd-socket-proxyd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/19/2022 14:58:13.294:365) : avc:  denied  { name_connect } for  pid=11666 comm=systemd-socket- dest=23 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:telnetd_port_t:s0 tclass=tcp_socket permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:

Telnet connection happening

Additional info:

The workaround is to wrap the call in a shell script stored in /usr/local/bin so that, due to the script being labeled with *bin_t*, a transition to *unconfined_service_t* happens:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# cat /usr/local/bin/systemd-socket-proxyd
#!/bin/sh
# Re-exec the real binary with the arguments passed to the wrapper, preserved as separate words
exec /usr/lib/systemd/systemd-socket-proxyd "$@"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Example Service (/etc/systemd/system/proxy-to-telnet.service):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[Unit]
Requires=proxy-to-telnet.socket
After=proxy-to-telnet.socket

[Service]
ExecStart=/usr/local/bin/systemd-socket-proxyd 127.0.0.1:23
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
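
The AVC record above already names the missing rule (source domain, permission, target type, object class); the following POSIX shell functions, added here as an example and not part of the bug report, pull those fields out of an `ausearch -i` AVC line so a denial like this one can be triaged from a log without reading the record by hand. The sample record is constructed from the one in the report; the function names are this example's own.

```shell
#!/bin/sh
# Extract the who/what/on-what of an SELinux denial from an `ausearch -i` AVC record.

# Constructed sample, shaped like the AVC line in the bug report.
SAMPLE_AVC='type=AVC msg=audit(05/19/2022 14:58:13.294:365) : avc:  denied  { name_connect } for  pid=11666 comm=systemd-socket- dest=23 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:telnetd_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field RECORD KEY -> value of "KEY=value" in RECORD (empty if the key is absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the SELinux type, i.e. the third field of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission RECORD -> the permission(s) listed inside "{ ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_summary RECORD -> "SOURCE_TYPE PERMISSION TARGET_TYPE TCLASS" on stdout
# for a denial; returns 1 and prints nothing for any other record.
avc_summary() {
    case "$1" in
        *"avc:"*"denied"*) ;;
        *) return 1 ;;
    esac
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$src" "$(avc_permission "$1")" "$tgt" "$(avc_field "$1" tclass)"
}

# For the report's record this yields: init_t name_connect telnetd_port_t tcp_socket
avc_summary "$SAMPLE_AVC"
```

Feeding real output works the same way: `ausearch -i -m avc -ts recent | while IFS= read -r line; do avc_summary "$line"; done` prints one summary line per denial and silences the PROCTITLE and SYSCALL records.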

Comment 2 Renaud Métrich 2022-05-24 14:18:38 UTC
We now need to sync with systemd to find an appropriate context. Something similar to what squid can do probably.

Comment 5 Zdenek Pytela 2022-09-22 17:26:00 UTC
Commit to backport:
commit ea2da5e990b89f95cbfdebdda0b932e8c860c49d (HEAD -> rawhide, upstream/rawhide)
Author: (GalaxyMaster) <galaxy4public.github.com>
Date:   Mon Nov 9 00:50:12 2020 +1100

    added policy for systemd-socket-proxyd

Comment 44 errata-xmlrpc 2023-05-16 09:03:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965