Bug 2128833

Summary:	Please add policy for booth daemon
Product:	Red Hat Enterprise Linux 9	Reporter:	Jan Friesse <jfriesse>
Component:	selinux-policy	Assignee:	Nikola Knazekova <nknazeko>
Status:	ON_QA ---	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	9.0	CC:	lvrabec, mmalik, nknazeko, zpytela
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-38.1.17-1.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jan Friesse 2022-09-21 15:45:32 UTC

Description of problem:
Booth daemon doesn't have any selinux policy so it is running as a unconfined_service_t service - found during solving of https://issues.redhat.com/browse/RHELPLAN-130860

Version-Release number of selected component (if applicable):
All

How reproducible:
100%

Steps to Reproduce:
1. Run booth daemon

Actual results:
Booth is running as a unconfined_service_t

Expected results:
Booth is not running as a unconfined_service_t

Additional info:
Booth is quite different from other daemons - so it will probably need its own policy in https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/rhcs.fc .

Configuration:
High level config is described in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_high_availability_clusters/assembly_configuring-multisite-cluster-configuring-and-managing-high-availability-clusters. Low level it is enough to create booth.conf and run 'boothd daemon -SD'

Expected functionality:
Boothd binary is used as a:
- Arbitrator - daemon executed via systemd
- Site - daemon executed via pacemaker
- Client - used to grant/list/revoke tickets - connecting via TCP to local (or remote) daemon

Booth must be able to:
- bind/listen/connectto a port (default 9929, but it is expected to be configured also to different one) for both TCP and UDP
- send/recv UDP/TCP packets
- exec arbitrary binary - it is communicating with pacemaker using crm_ticket command and allows before-acquire-handler functionality
- write lock file (/var/run/booth/booth.pid by default)
- read config file (/etc/booth/booth.conf and optionally /etc/booth/authfile, but both can and are expected to be changed (there is even systemd 'booth@' service using /etc/booth/%i.conf which also changes name of lock file)

In constrast of other rhcs daemons (like corosync/pcmk) it is not using libqb ipc (so no /dev/shm/ files created).

Please ask me more questions if you are unsure if other system calls are expected.

Comment 1 Nikola Knazekova 2022-10-31 19:12:38 UTC

Hi Jan,

I created initial SELinux policy for Booth, but I am not able to test it properly.

Can you please test it and attach AVC messages?
New SELinux policy with boothd module is available on copr:

# dnf copr enable nknazeko/boothd-selinux 
# dnf update selinux-policy


Also before testing is useful to have enabled full auditing:

Open /etc/audit/rules.d/audit.rules file in an editor.

 1. Remove following line if it exists:

-a task,never

 2. Add following line at the end of the file:

-w /etc/shadow -p w

 3. Restart the audit daemon:

 # service auditd restart


Draft Pull Request is available here: https://github.com/fedora-selinux/selinux-policy/pull/1451/files

Thank you

Nikola

Comment 2 Jan Friesse 2022-11-01 11:26:11 UTC

Hi Nikola,
thanks, I will try to give it a shot hopefully later this week and let you know.

Comment 7 Nikola Knazekova 2022-11-21 22:17:11 UTC

Hi Jan,

thank you very much for detailed description and logs.

I made another copr build (37.14-1.fc38.10) with new fixes.

Can you please test it again and attach logs here? 

Thank you.

Nikola

Comment 17 Zdenek Pytela 2023-02-21 11:21:32 UTC

Could you try the following local module:

# cat local_boothd.cil
(allow boothd_t boothd_t (tcp_socket (read,write)))
(allow boothd_t boothd_t (udp_socket (write)))

# semodule -i local_boothd.cil

then reproduce in SELinux enforcing mode and check the service status and/or audit denials?

Comment 18 Jan Friesse 2023-02-21 15:18:52 UTC

# semodule -i local_boothd.cil
Failed to resolve permission read,write
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/local_boothd/cil:1
Failed to resolve AST
semodule:  Failed!

Comment 21 Nikola Knazekova 2023-03-13 15:52:34 UTC

Hi Jan, 
I have fixed all AVC messages and created copr build ver 38.8-1.fc39.310, can you please test it?

Comment 22 Jan Friesse 2023-03-30 13:29:44 UTC

Nikola, I had too much work fixing other issue in different project and meanwhile selinux policy in rawhide got updated to newer version 38.9-1 - could you please send me updated build to test?

Comment 23 Nikola Knazekova 2023-03-31 13:26:24 UTC

Hi Jan, 
I understand, copr build is updated with version 38.10-1.fc39.410 
Thank you for your help.

Comment 24 Jan Friesse 2023-04-03 08:12:48 UTC

Hi Nikola,
thanks for updated package. I've tested with selinux-policy-38.10-1.fc39.410.noarch and haven't found any issue (= test passed successfully).

# semodule -DB
# semodule -l  | grep booth
boothd

(no local_boothd -> there should be no leftovers from previous testing)

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today | grep -c booth
0

So I think policy is good to go for QE testing.

Regards,
  Honza

Comment 25 Nikola Knazekova 2023-04-03 13:38:54 UTC

Hi Honza,

thank you for the help,
Nikola