Bug 2139363

Summary: [RFE] add interfaces for watch and watch_sb to allow fapolicyd to easily cover it with its DSP
Product: Red Hat Enterprise Linux 9
Reporter: Dalibor Pospíšil <dapospis>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 9.2
CC: lvrabec, mmalik, nknazeko, rsroka, zpytela
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 9.2
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-38.1.2-1.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-09 08:16:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dalibor Pospíšil 2022-11-02 09:59:44 UTC
Description of problem:
To easily create DSP module rules, we would like to use some generic interfaces to cover the following AVCs:

# ausearch -m avc 
----
time->Tue Nov  1 20:45:43 2022
type=PROCTITLE msg=audit(1667331943.183:17123): proctitle="/usr/sbin/fapolicyd"
type=PATH msg=audit(1667331943.183:17123): item=0 name="/dev/shm" inode=1 dev=00:17 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1667331943.183:17123): cwd="/"
type=SYSCALL msg=audit(1667331943.183:17123): arch=c000003e syscall=301 success=yes exit=0 a0=8 a1=101 a2=50000 a3=ffffffff items=1 ppid=1 pid=385164 auid=4294967295 uid=980 gid=979 euid=980 suid=980 fsuid=980 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm="fapolicyd" exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
type=AVC msg=audit(1667331943.183:17123): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1667331943.183:17123): avc:  denied  { watch } for  pid=385164 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
----
time->Tue Nov  1 20:45:43 2022
type=PROCTITLE msg=audit(1667331943.194:17124): proctitle="/usr/sbin/fapolicyd"
type=PATH msg=audit(1667331943.194:17124): item=0 name="/" inode=128 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1667331943.194:17124): cwd="/"
type=SYSCALL msg=audit(1667331943.194:17124): arch=c000003e syscall=301 success=yes exit=0 a0=8 a1=101 a2=50000 a3=ffffffff items=1 ppid=1 pid=385164 auid=4294967295 uid=980 gid=979 euid=980 suid=980 fsuid=980 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm="fapolicyd" exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
type=AVC msg=audit(1667331943.194:17124): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/" dev="dm-0" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1667331943.194:17124): avc:  denied  { watch } for  pid=385164 comm="fapolicyd" path="/" dev="dm-0" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
----
time->Tue Nov  1 20:45:43 2022
type=PROCTITLE msg=audit(1667331943.195:17125): proctitle="/usr/sbin/fapolicyd"
type=PATH msg=audit(1667331943.195:17125): item=0 name="/boot" inode=2 dev=fc:01 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:boot_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1667331943.195:17125): cwd="/"
type=SYSCALL msg=audit(1667331943.195:17125): arch=c000003e syscall=301 success=yes exit=0 a0=8 a1=101 a2=50000 a3=ffffffff items=1 ppid=1 pid=385164 auid=4294967295 uid=980 gid=979 euid=980 suid=980 fsuid=980 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm="fapolicyd" exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
type=AVC msg=audit(1667331943.195:17125): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/boot" dev="vda1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
----
time->Tue Nov  1 20:45:43 2022
type=PROCTITLE msg=audit(1667331943.196:17126): proctitle="/usr/sbin/fapolicyd"
type=PATH msg=audit(1667331943.196:17126): item=0 name="/run/user/0" inode=1 dev=00:29 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1667331943.196:17126): cwd="/"
type=SYSCALL msg=audit(1667331943.196:17126): arch=c000003e syscall=301 success=yes exit=0 a0=8 a1=101 a2=50000 a3=ffffffff items=1 ppid=1 pid=385164 auid=4294967295 uid=980 gid=979 euid=980 suid=980 fsuid=980 egid=979 sgid=979 fsgid=979 tty=(none) ses=4294967295 comm="fapolicyd" exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
type=AVC msg=audit(1667331943.196:17126): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/run/user/0" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1


Version-Release number of selected component (if applicable):
# rpm -qa selinux\* 
selinux-policy-34.1.43-1.el9.noarch
selinux-policy-targeted-34.1.43-1.el9.noarch
selinux-policy-devel-34.1.43-1.el9.noarch
# rpm -qa fapolicyd 
fapolicyd-1.1.3-102.el9_1.1.x86_64


How reproducible:
100%

Steps to Reproduce:
1. make sure the allow_filesystem_mark in /etc/fapolicyd/fapolicyd.conf is set to 1
2. systemctl start fapolicyd

Actual results:
* fapolicyd does not start
* AVCs appear
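As an added example (not part of the bug report, fapolicyd or the selinux-policy project), the following Python script reads AVC records like the ones above, groups the denied permissions by source type, target type and object class, and renders the raw allow rules they would need. The six AVC records from the description are embedded as sample input so the script runs offline. This is the view a policy author starts from before collapsing the raw rules into generic interfaces such as the watch and watch_sb ones this RFE asks for; the script also separates permissive (logged only) denials from enforcing ones, since all of the records above carry permissive=1.

```python
import re
from collections import defaultdict

# Constructed sample input: the six AVC records quoted in the bug description,
# copied verbatim so the parser can be exercised without an audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1667331943.183:17123): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1667331943.183:17123): avc:  denied  { watch } for  pid=385164 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1667331943.194:17124): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/" dev="dm-0" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1667331943.194:17124): avc:  denied  { watch } for  pid=385164 comm="fapolicyd" path="/" dev="dm-0" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1667331943.195:17125): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/boot" dev="vda1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1667331943.196:17126): avc:  denied  { watch_sb } for  pid=385164 comm="fapolicyd" path="/run/user/0" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
"""

# One AVC line: result, permission set, source/target security contexts, object class.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)
PERMISSIVE_RE = re.compile(r'\bpermissive=(?P<flag>[01])')
PATH_RE = re.compile(r'\bpath="(?P<path>[^"]*)"')


def parse_avc_records(text):
    """Parse every type=AVC line in `text` into a dict; non-AVC lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perm_m = PERMISSIVE_RE.search(line)
        path_m = PATH_RE.search(line)
        records.append({
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            # context is user:role:type:level; the type is what policy rules use
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "path": path_m.group("path") if path_m else None,
            # permissive=1 means the access was logged but not blocked
            "permissive": perm_m is not None and perm_m.group("flag") == "1",
        })
    return records


def summarize_denials(records):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    needed = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        needed[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}


def render_allow_rules(summary):
    """Render the summary as raw SELinux allow rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def enforcing_denials(records):
    """Denials that actually blocked the process (permissive=0), i.e. the ones that break a service."""
    return [r for r in records if r["result"] == "denied" and not r["permissive"]]


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AVCS)
    print(f"{len(recs)} AVC records, {len(enforcing_denials(recs))} enforcing")
    for rule in render_allow_rules(summarize_denials(recs)):
        print(rule)
```

On the sample input this yields six raw rules: watch_sb on dir for boot_t, root_t, tmpfs_t and user_tmp_t, and watch on filesystem for fs_t and tmpfs_t. Listing them this way makes the generalisation obvious: the per-type dir rules are what a single "watch_sb all file type directories" interface replaces, and the filesystem rules what a "watch all filesystems" interface replaces, which is the shape of the interfaces listed later in this bug. In practice audit2allow produces the same raw rules from a live audit log; the script is only to show the grouping step.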

Comment 16 Zdenek Pytela 2022-11-29 17:45:30 UTC
List of new interfaces in rawhide:
f6454cd66 (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD) Watch_sb all file type directories.
b9e9efd2f Add watch and watch_sb dosfs interface
972e4dbcd Add interface to watch all filesystems
a65d7a6e5 Add watch_sb interfaces
01197e1c6 Add watch interfaces

Comment 22 errata-xmlrpc 2023-05-09 08:16:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483