Bug 2096857

Summary: policy blocks systemd / sd-mkdcreds from creating service credentials on tmpfs
Product: Fedora
Component: selinux-policy
Version: 36
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Daniel Berrangé <berrange>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: amessina, dwalsh, frigo, grepl.miroslav, henri, joe, lvrabec, mmalik, omosnace, pkoncity, post, systemd-maint, vmojzis, zpytela
Keywords: Triaged
Type: Bug
Fixed In Version: selinux-policy-36.17-1.fc36
Last Closed: 2022-12-23 01:20:12 UTC

Description Daniel Berrangé 2022-06-14 12:45:59 UTC
Description of problem:

Systemd has some relatively new features for passing secret credentials to services on a tmpfs volume. I'm experimenting with it and hit many AVCs when starting a service using this feature


AVC avc:  denied  { rename } for  pid=1841 comm="(sd-mkdcreds)" name=".#credb203d1a46b4d1f68" dev="ramfs" ino=29895 scontext=system_u:system_r:init>

AVC avc:  denied  { setattr } for  pid=1841 comm="(sd-mkdcreds)" name=".#credb203d1a46b4d1f68" dev="ramfs" ino=29895 scontext=system_u:system_r:ini>

AVC avc:  denied  { read write open } for  pid=1841 comm="(sd-mkdcreds)" path="/dev/shm/.#credb203d1a46b4d1f68" dev="ramfs" ino=29895 scontext=syst>

Version-Release number of selected component (if applicable):
selinux-policy-36.10-1.fc36.noarch
systemd-250.7-1.fc36.x86_64

How reproducible:
Always

Steps to Reproduce:

I'm testing with 'virtsecretd.service' from libvirt, but you should be able to substitute any pre-existing .service you have and get the same result

# echo hello > /foo
# systemd-creds encrypt /foo /bar
# mkdir /etc/systemd/system/virtsecretd.service.d
# cat > /etc/systemd/system/virtsecretd.service.d/creds.conf <<EOF
[Service]
LoadCredentialEncrypted=bar:/bar
EOF
# systemctl daemon-reload
# systemctl start virtsecretd.service

Actual results:
Fails to start in enforcing mode, with the earlier mentioned AVCs

Expected results:
Starts without AVCs

Additional info:

Comment 1 Milos Malik 2022-06-14 13:18:56 UTC
Essential parts (scontext=, tcontext=, tclass=) of the SELinux denials are missing or incomplete.

Please collect the SELinux denials via the following command and attach them to this BZ:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Thank you.

Comment 2 Daniel Berrangé 2022-06-14 13:32:10 UTC
Oops, sorry, I didn't notice the cut+paste from the journal got truncated. The full data is:

type=AVC msg=audit(14/06/22 08:37:26.946:464) : avc:  denied  { read write open } for  pid=1841 comm=(sd-mkdcreds) path=/dev/shm/.#credb203d1a46b4d1f68 dev="ramfs" ino=29895 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(14/06/22 08:37:26.946:465) : avc:  denied  { setattr } for  pid=1841 comm=(sd-mkdcreds) name=.#credb203d1a46b4d1f68 dev="ramfs" ino=29895 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(14/06/22 08:37:26.946:466) : avc:  denied  { rename } for  pid=1841 comm=(sd-mkdcreds) name=.#credb203d1a46b4d1f68 dev="ramfs" ino=29895 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
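
As an added example, not part of this bug report nor of the systemd or selinux-policy projects: a small Python parser for `ausearch -i` output that checks each AVC record carries the scontext, tcontext and tclass fields comment 1 asks for, and folds the complete denials into one audit2allow-style summary per (source type, target type, class). The sample input is constructed from the three full records above plus one copy truncated the way the journal paste in the description was; the function names (parse_avc, summarise, allow_rules) are this example's own. The rule it prints is a triage aid showing exactly which permissions init_t was refused on ramfs_t files, not the policy change that shipped in selinux-policy-36.17-1.fc36.

```python
"""Added example (not from the bug report, systemd or selinux-policy):
parse AVC records as printed by `ausearch -i`, flag records that lack or
truncate scontext/tcontext/tclass, and summarise complete denials as an
allow rule per (source type, target type, object class)."""
import re
from collections import defaultdict

# Constructed sample: the three complete records from comment 2 and one
# record truncated like the journal cut+paste in the description.
SAMPLE_AVCS = """\
type=AVC msg=audit(14/06/22 08:37:26.946:464) : avc:  denied  { read write open } for  pid=1841 comm=(sd-mkdcreds) path=/dev/shm/.#credb203d1a46b4d1f68 dev="ramfs" ino=29895 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(14/06/22 08:37:26.946:465) : avc:  denied  { setattr } for  pid=1841 comm=(sd-mkdcreds) name=.#credb203d1a46b4d1f68 dev="ramfs" ino=29895 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(14/06/22 08:37:26.946:466) : avc:  denied  { rename } for  pid=1841 comm=(sd-mkdcreds) name=.#credb203d1a46b4d1f68 dev="ramfs" ino=29895 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1
AVC avc:  denied  { rename } for  pid=1841 comm="(sd-mkdcreds)" name=".#credb203d1a46b4d1f68" dev="ramfs" ino=29895 scontext=system_u:system_r:init>
"""

ESSENTIAL = ("scontext", "tcontext", "tclass")
_PERMS = re.compile(r"denied\s+\{\s*([^}]*)\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(ctx):
    """Type field of a user:role:type:level context; None if it is cut short."""
    parts = ctx.split(":")
    if len(parts) < 4:
        return None
    return parts[2]


def parse_avc(line):
    """Parse one AVC denial line into a dict; None for non-AVC records.

    rec["missing"] lists the essential fields that are absent or truncated,
    which is the check comment 1 performs by hand."""
    m = _PERMS.search(line)
    if m is None:
        return None
    rec = {"perms": sorted(m.group(1).split())}
    for key, val in _KV.findall(line[m.end():]):
        rec[key] = val.strip('"')
    missing = []
    for key in ESSENTIAL:
        if key not in rec:
            missing.append(key)
        elif key != "tclass" and _type_of(rec[key]) is None:
            missing.append(key + " (truncated)")
    rec["missing"] = missing
    return rec


def summarise(text):
    """Fold complete denials into {(stype, ttype, tclass): set(perms)}.

    Returns (rules, incomplete) where incomplete lists (line_no, missing)
    for records a policy maintainer could not act on."""
    rules = defaultdict(set)
    incomplete = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["missing"]:
            incomplete.append((n, rec["missing"]))
            continue
        key = (_type_of(rec["scontext"]), _type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return dict(rules), incomplete


def allow_rules(rules):
    """Render the summary audit2allow-style, one rule per (source, target, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    rules, incomplete = summarise(SAMPLE_AVCS)
    for rule in allow_rules(rules):
        print(rule)
    for n, missing in incomplete:
        print(f"line {n}: incomplete record, missing {', '.join(missing)}")
```

Run against a real dump (`ausearch -m avc -m user_avc -m selinux_err -i -ts today | python3 avc_summary.py`-style, feeding stdin instead of SAMPLE_AVCS) it reports the three records as `allow init_t ramfs_t:file { open read rename setattr write };` and the truncated one as missing tcontext and tclass with a cut-off scontext. Treat the rendered rule as a statement of what was denied, to hand to the policy maintainers; granting it locally with a custom module is a workaround that widens what init_t may do, and the Fedora errata is the supported fix.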

Comment 3 Zdenek Pytela 2022-06-14 15:56:58 UTC
Daniel,

I see ramfs_t type in the reported files in /dev/shm. Does your system have some special setup?

ls -lZa /dev/shm
grep shm /proc/mounts

Comment 4 Milos Malik 2022-06-14 16:19:06 UTC
No special setup is needed. The systemd-creds command complains about missing TCTI device, but the device is not really needed.

The following SELinux denial appears when the scenario is reproduced in enforcing mode:
----
type=PROCTITLE msg=audit(06/14/2022 12:10:47.770:673) : proctitle=(sd-mkdcreds) 
type=PATH msg=audit(06/14/2022 12:10:47.770:673) : item=1 name=.#credd43963dcf21a4c4c inode=25102 dev=00:2f mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/14/2022 12:10:47.770:673) : item=0 name=/ inode=25101 dev=00:2f mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/14/2022 12:10:47.770:673) : cwd=/ 
type=SYSCALL msg=audit(06/14/2022 12:10:47.770:673) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0x3 a1=0x557deee0a8a0 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=2 ppid=1519 pid=1520 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-mkdcreds) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/14/2022 12:10:47.770:673) : avc:  denied  { read write open } for  pid=1520 comm=(sd-mkdcreds) path=/dev/shm/.#credd43963dcf21a4c4c dev="ramfs" ino=25102 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=0 
----

# rpm -qa selinux\* systemd\* | sort
selinux-policy-37.4-1.fc37.noarch
selinux-policy-targeted-37.4-1.fc37.noarch
systemd-251.2-1.fc37.x86_64
systemd-libs-251.2-1.fc37.x86_64
systemd-networkd-251.2-1.fc37.x86_64
systemd-oomd-defaults-251.2-1.fc37.noarch
systemd-pam-251.2-1.fc37.x86_64
systemd-resolved-251.2-1.fc37.x86_64
systemd-udev-251.2-1.fc37.x86_64
#

Comment 5 Milos Malik 2022-06-14 16:21:08 UTC
The following SELinux denials appear when the scenario is reproduced in permissive mode:
----
type=PROCTITLE msg=audit(06/14/2022 12:19:28.536:687) : proctitle=(sd-mkdcreds) 
type=PATH msg=audit(06/14/2022 12:19:28.536:687) : item=1 name=.#cred7b48b9455a1f4c47 inode=25599 dev=00:32 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/14/2022 12:19:28.536:687) : item=0 name=/ inode=25598 dev=00:32 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/14/2022 12:19:28.536:687) : cwd=/ 
type=SYSCALL msg=audit(06/14/2022 12:19:28.536:687) : arch=x86_64 syscall=openat success=yes exit=4 a0=0x3 a1=0x557deedbb500 a2=O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=2 ppid=1588 pid=1589 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-mkdcreds) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/14/2022 12:19:28.536:687) : avc:  denied  { read write open } for  pid=1589 comm=(sd-mkdcreds) path=/dev/shm/.#cred7b48b9455a1f4c47 dev="ramfs" ino=25599 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/14/2022 12:19:28.537:688) : proctitle=(sd-mkdcreds) 
type=PATH msg=audit(06/14/2022 12:19:28.537:688) : item=0 name=(null) inode=25599 dev=00:32 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/14/2022 12:19:28.537:688) : cwd=/ 
type=SYSCALL msg=audit(06/14/2022 12:19:28.537:688) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x4 a1=0400 a2=0x0 a3=0x180 items=1 ppid=1588 pid=1589 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-mkdcreds) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/14/2022 12:19:28.537:688) : avc:  denied  { setattr } for  pid=1589 comm=(sd-mkdcreds) name=.#cred7b48b9455a1f4c47 dev="ramfs" ino=25599 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(06/14/2022 12:19:28.537:689) : proctitle=(sd-mkdcreds) 
type=PATH msg=audit(06/14/2022 12:19:28.537:689) : item=3 name=bar inode=25599 dev=00:32 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/14/2022 12:19:28.537:689) : item=2 name=.#cred7b48b9455a1f4c47 inode=25599 dev=00:32 mode=file,400 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/14/2022 12:19:28.537:689) : item=1 name=/ inode=25598 dev=00:32 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(06/14/2022 12:19:28.537:689) : item=0 name=/ inode=25598 dev=00:32 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/14/2022 12:19:28.537:689) : cwd=/ 
type=SYSCALL msg=audit(06/14/2022 12:19:28.537:689) : arch=x86_64 syscall=renameat success=yes exit=0 a0=0x3 a1=0x557deedbb500 a2=0x3 a3=0x557deee091b0 items=4 ppid=1588 pid=1589 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-mkdcreds) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/14/2022 12:19:28.537:689) : avc:  denied  { rename } for  pid=1589 comm=(sd-mkdcreds) name=.#cred7b48b9455a1f4c47 dev="ramfs" ino=25599 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=file permissive=1 
----

Comment 6 Milos Malik 2022-06-14 16:23:48 UTC
# cat /proc/mounts 
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=4096k,nr_inodes=1048576,mode=755,inode64 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,size=403236k,nr_inodes=819200,mode=755,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
pstore /sys/fs/pstore pstore rw,seclabel,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/vda1 / ext4 rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=41,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=14890 0 0
debugfs /sys/kernel/debug debugfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
hugetlbfs /dev/hugepages hugetlbfs rw,seclabel,relatime,pagesize=2M 0 0
mqueue /dev/mqueue mqueue rw,seclabel,nosuid,nodev,noexec,relatime 0 0
tracefs /sys/kernel/tracing tracefs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
fusectl /sys/fs/fuse/connections fusectl rw,nosuid,nodev,noexec,relatime 0 0
configfs /sys/kernel/config configfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,nr_inodes=1048576,inode64 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
tmpfs /run/user/0 tmpfs rw,seclabel,nosuid,nodev,relatime,size=201616k,nr_inodes=50404,mode=700,inode64 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
# ls -alZ /dev/shm/
total 0
drwxrwxrwt.  2 root root system_u:object_r:tmpfs_t:s0    40 Jun 14 12:00 .
drwxr-xr-x. 18 root root system_u:object_r:device_t:s0 3640 Jun 14 12:01 ..
#

Comment 7 Daniel Berrangé 2022-06-14 16:41:35 UTC
(In reply to Zdenek Pytela from comment #3)
> I see ramfs_t type in the reported files in /dev/shm. Does your system have
> some special setup?
> 
> ls -lZa /dev/shm
> grep shm /proc/mounts

Milos' /proc/mounts & /dev/shm setup looks the same as what I have.

#  ls -lZa /dev/shm
total 0
drwxrwxrwt.  2 root root system_u:object_r:tmpfs_t:s0    40 Jun 14 07:08 .
drwxr-xr-x. 19 root root system_u:object_r:device_t:s0 3860 Jun 14 07:08 ..
# grep shm /proc/mounts
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,inode64 0 0


I am testing in a fresh Fedora 36 server VM installed last week with no significant setup changes applied.

Comment 8 Milos Malik 2022-06-15 07:51:43 UTC
Test coverage for this BZ exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/311

The PR waits for review.

Comment 10 Zdenek Pytela 2022-06-16 11:53:02 UTC
*** Bug 2097681 has been marked as a duplicate of this bug. ***

Comment 11 François Rigault 2022-08-17 07:05:13 UTC
*** Bug 2118802 has been marked as a duplicate of this bug. ***

Comment 12 Joe Doss 2022-11-21 05:15:18 UTC
Any ETA on getting this fixed? The PR has been sitting since July with no movement since September. Fedora 37 has shipped and this is still broken with systemd-251.5-607.fc37.x86_64 and selinux-policy-37.12-2.fc37.noarch.

$ sudo setenforce 0
$ sudo systemd-run -P --wait -p LoadCredential=abc:/etc/hosts systemd-creds cat abc
Running as unit: run-u5979.service
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
Finished with result: success
Main processes terminated with: code=exited/status=0
Service runtime: 15ms 
CPU time consumed: 8ms
$ sudo setenforce 1
$ sudo systemd-run -P --wait -p LoadCredential=abc:/etc/hosts systemd-creds cat abc
Running as unit: run-u5995.service
Finished with result: exit-code
Main processes terminated with: code=exited/status=243
Service runtime: 4ms
CPU time consumed: 4ms

Comment 13 Zdenek Pytela 2022-12-05 14:57:34 UTC
The problem will be addressed by the next build this week, together with some other important reported bugs.

Comment 14 Fedora Update System 2022-12-07 09:20:50 UTC
FEDORA-2022-e7d50924ec has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

Comment 15 Fedora Update System 2022-12-08 02:53:17 UTC
FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-e7d50924ec`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-e7d50924ec

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2022-12-23 01:20:12 UTC
FEDORA-2022-e7d50924ec has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.