Bug 2128833
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Please add policy for booth daemon | | |
| Product | Red Hat Enterprise Linux 9 | Reporter | Jan Friesse <jfriesse> |
| Component | selinux-policy | Assignee | Nobody <nobody> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 9.0 | CC | lvrabec, mmalik, zpytela |
| Target Milestone | rc | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-38.1.17-1.el9 | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2023-11-07 08:52:15 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Jan Friesse
2022-09-21 15:45:32 UTC
Hi Jan,

I created initial SELinux policy for Booth, but I am not able to test it properly. Can you please test it and attach AVC messages?

New SELinux policy with boothd module is available on copr:

```
# dnf copr enable nknazeko/boothd-selinux
# dnf update selinux-policy
```

Also, before testing it is useful to have full auditing enabled. Open the /etc/audit/rules.d/audit.rules file in an editor.

1. Remove the following line if it exists: `-a task,never`
2. Add the following line at the end of the file: `-w /etc/shadow -p w`
3. Restart the audit daemon: `# service auditd restart`

Draft Pull Request is available here: https://github.com/fedora-selinux/selinux-policy/pull/1451/files

Thank you
Nikola

---

Hi Nikola,

thanks, I will try to give it a shot hopefully later this week and let you know.

---

Hi Jan,

thank you very much for the detailed description and logs. I made another copr build (37.14-1.fc38.10) with new fixes. Can you please test it again and attach logs here?

Thank you.
Nikola

---

Could you try the following local module:

```
# cat local_boothd.cil
(allow boothd_t boothd_t (tcp_socket (read,write)))
(allow boothd_t boothd_t (udp_socket (write)))
# semodule -i local_boothd.cil
```

then reproduce in SELinux enforcing mode and check the service status and/or audit denials?

---

```
# semodule -i local_boothd.cil
Failed to resolve permission read,write
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/local_boothd/cil:1
Failed to resolve AST
semodule:  Failed!
```

---

Hi Jan,

I have fixed all AVC messages and created copr build ver 38.8-1.fc39.310, can you please test it?

---

Nikola,

I had too much work fixing other issues in a different project and meanwhile the selinux policy in rawhide got updated to newer version 38.9-1 - could you please send me an updated build to test?

---

Hi Jan,

I understand, copr build is updated with version 38.10-1.fc39.410.

Thank you for your help.

---

Hi Nikola,

thanks for the updated package. I've tested with selinux-policy-38.10-1.fc39.410.noarch and haven't found any issue (= test passed successfully).

```
# semodule -DB
# semodule -l | grep booth
boothd
```

(no local_boothd -> there should be no leftovers from previous testing)

```
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today | grep -c booth
0
```

So I think the policy is good to go for QE testing.

Regards,
Honza

---

Hi Honza,

thank you for the help,
Nikola

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617
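As an added example (not part of this bug report and not selinux-policy's own tooling), the following Python script walks through the loop the thread goes round: read AVC denials like the ones Jan was asked to attach, group them into CIL `allow` statements per (source type, target type, class), and lint the result for the comma-joined permission list that made `semodule -i local_boothd.cil` fail above. The AVC lines embedded in the script are constructed to look like `ausearch -m avc` output for a hypothetical `boothd_t` denial and are not taken from the bug; the `boothd_etc_t` type and the function names are assumptions made for the example.

```python
"""Turn audit AVC denials into CIL allow rules with valid permission syntax.

Added example; not from the Bugzilla thread or from selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample records (not from the bug report). They follow the
# kernel AVC layout: denied permissions, scontext, tcontext and tclass.
# The boothd_etc_t type is invented for the example.
SAMPLE_AVCS = """\
type=AVC msg=audit(1663774200.101:331): avc:  denied  { read write } for  pid=2154 comm="boothd" path="socket:[41127]" dev="sockfs" ino=41127 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:boothd_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1663774200.101:332): avc:  denied  { write } for  pid=2154 comm="boothd" scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:boothd_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1663774201.500:333): avc:  denied  { read } for  pid=2154 comm="boothd" name="booth.conf" dev="dm-0" ino=9912 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:boothd_etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1663774201.500:333): arch=c000003e syscall=257 success=yes
"""

# Pull the permission set and the type field of both contexts out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S+\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avcs(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL and other non-AVC records are skipped
            continue
        rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def to_cil(rules):
    """Render the collected denials as CIL allow statements.

    CIL permission lists are whitespace separated. Writing (read,write)
    makes CIL look for a single permission literally named 'read,write',
    which is exactly the 'Failed to resolve permission' error in the thread.
    """
    return [
        f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))"
        for (stype, ttype, tclass), perms in sorted(rules.items())
    ]


CIL_ALLOW_RE = re.compile(r"^\(allow\s+\w+\s+\w+\s+\(\w+\s+\(([^()]*)\)\)\)$")


def lint_cil(line):
    """Return a list of problems found in one CIL allow statement (empty if fine)."""
    m = CIL_ALLOW_RE.match(line.strip())
    if m is None:
        return ["not a recognised (allow src tgt (class (perms))) statement"]
    return [
        f"permission '{perm}' contains a comma; separate permissions with spaces"
        for perm in m.group(1).split()
        if "," in perm
    ]


if __name__ == "__main__":
    for rule in to_cil(parse_avcs(SAMPLE_AVCS)):
        print(rule, lint_cil(rule) or "ok")
    # The statement from the thread, as posted, fails the lint:
    print(lint_cil("(allow boothd_t boothd_t (tcp_socket (read,write)))"))
```

Running the script on the constructed input produces three statements, one per (source, target, class) triple, each passing the lint; the rule copied from the thread is reported because `read,write` is parsed as one permission name. Generated rules are a starting point for a proper policy change, which is why the thread ends with the fix going into selinux-policy itself rather than a local module staying installed.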