Bug 2157835

Summary: rpm-plugin-ima tried to add IMA signature to directories (for efi-filesystem, nfs-utils)
Product: Red Hat Enterprise Linux 9
Reporter: Coiby <coxu>
Component: rpm
Assignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED ERRATA
QA Contact: Jan Blazek <jblazek>
Severity: low
Priority: unspecified
Version: 9.2
CC: ffesti, karl, mbanas, mthacker, pmatilai
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rpm-4.16.1.3-23.el9
Doc Type: No Doc Update
Last Closed: 2023-11-07 08:52:54 UTC
Type: Bug

Description Coiby 2023-01-03 07:24:48 UTC
Description of problem:

After installing rpm-plugin-ima, nfs-utils and efi-filesystem fail to be reinstalled/upgraded:

    $ dnf install nfs-utils
      Upgrading        : nfs-utils-1:2.5.4-17.el9.x86_64                                                                                                                                     1/2 
    error: ima: could not apply signature on '/var/lib/nfs/rpc_pipefs': Operation not supported
    error: Plugin ima: hook fsm_file_prepare failed
    
    Error unpacking rpm package nfs-utils-1:2.5.4-17.el9.x86_64
      Verifying        : nfs-utils-1:2.5.4-17.el9.x86_64                                                                                                                                     1/2 
      Verifying        : nfs-utils-1:2.5.4-16.el9.x86_64                                                                                                                                     2/2 
    
    Error: Transaction failed
    
    $ dnf reinstall efi-filesystem -y
    
    error: ima: could not apply signature on '/boot/efi': Operation not supported
    error: Plugin ima: hook fsm_file_prepare failed
    
    Error unpacking rpm package efi-filesystem-6-2.el9_0.noarch
      Verifying        : efi-filesystem-6-2.el9_0.noarch                                                                                                                                     1/2 
      Verifying        : efi-filesystem-6-2.el9_0.noarch                                                                                                                                     2/2 
    
    Error: Transaction failed

Version-Release number of selected component (if applicable):

rpm-plugin-ima-4.16.1.3-22.el9

How reproducible:
always

Steps to Reproduce:
1. Install RHEL9 or use cloud image e.g. rhel-guest-image-9.2-20221205.2.x86_64.qcow2
2. dnf install rpm-plugin-ima
3. dnf install nfs-utils or dnf reinstall efi-filesystem

Actual results:

nfs-utils can't be upgraded and efi-filesystem can't be reinstalled.

Expected results:

nfs-utils and efi-filesystem can be upgraded/reinstalled and reinstalled package files have IMA signatures.

Additional info:

Comment 1 Panu Matilainen 2023-01-03 08:27:21 UTC
Yup, ENOTSUPP needs to be filtered in the IMA plugin, similarly to what we do with selinux.

Comment 2 Coiby 2023-01-06 02:14:15 UTC
(In reply to Panu Matilainen from comment #1)
> Yup, ENOTSUPP needs to be filtered in the IMA plugin, similarly to what we
> do with selinux.

I don't know what ENOTSUPP means. I just noticed rpm-plugin-ima has successfully added signatures to other folders:
    [root@localhost ~]# getfattr -m security.ima -d /usr/lib/dracut
    # file: usr/lib/dracut
    security.ima=0sAwIE0zIESQBnMGUCMDOlu62KzrxD8Fb1iKqP0JQvJKS2cHH4SrkKncgClefQhsa5ogurUIuUTsXe9ZoQQAIxAOnIT2F8ZEEi2x3Y8pMeaZSMkz6/gwFptAaG065G9HzExkmwv5HBjuNImtqep2390A==
    
    [root@localhost ~]# getfattr -m security.ima -d /usr/bin
    # file: usr/bin
    security.ima=0sAwIE0zIESQBmMGQCMADWhM6S/RAmh37grWsMgfRtJEXQ6NHnn7tjn6x75tVaMBpJffTDuC3ZqvkHva222wIwZXoR/QDx7IjolZyzkaL2dkgey9M0D3GpHLMP2hmfSPgC284LQX6DYoLDLuElIzVu


But somehow /boot/efi and /var/lib/nfs/rpc_pipefs are special and can't have signatures added.

So I guess rpm-plugin-ima tries to add signatures to all folders. But there is no need at all to do so from the perspective of IMA, as folders are not supported:

    [root@localhost ~]# evmctl ima_verify /usr/lib/dracut/
    Unsupported file type (0x4000)

Comment 3 Panu Matilainen 2023-01-09 08:45:45 UTC
Oh so there are at least two bugs in here: EFI fs does not support extended attributes at all so we should ignore the "not supported" errors from the FS. But in addition, rpm is IMA-signing directories and trying to apply signatures to them on install, so actually that makes three bugs in total.

Comment 4 Florian Festi 2023-01-09 14:49:13 UTC
The first issue is fixed upstream with https://github.com/rpm-software-management/rpm/commit/7db2efa95d859cebda2b095ffdffac42812bd6d9 which should also mitigate the third issue.

On first glance it looks like upstream might still generate signatures for directories. But that's something we might not need to fix in RHEL if rpm is no longer failing when encountering them.

Comment 6 Coiby 2023-01-25 07:42:42 UTC
(In reply to Panu Matilainen from comment #3)
> Oh so there are at least two bugs in here: EFI fs does not support extended
> attributes at all

Besides EFI fs, rpc_pipefs (pipe file system) doesn't support xattrs either.

> so we should ignore the "not supported" errors from the
> FS. 

Yeah, I checked the kernel source code and can confirm it returns ENOTSUPP for those not supported cases.

> But in addition, rpm is IMA-signing directories and trying to apply
> signatures to them on install, so actually that makes three bugs in total.

Yes, this is a different issue. And filtering ENOTSUPP doesn't work for this case.

Comment 7 Coiby 2023-01-25 07:47:28 UTC
(In reply to Florian Festi from comment #4)
> The first issue is fixed upstream with
> https://github.com/rpm-software-management/rpm/commit/
> 7db2efa95d859cebda2b095ffdffac42812bd6d9 which should also mitigate the
> third issue.

Good to know that!

> 
> On first glance it looks like upstream might still generate signatures for
> directories. But that's something we might not need to fix in RHEL if rpm is
> no longer failing when encountering them.

Btw, I'm not sure you mean Fedora when you say upstream. But unfortunately Fedora package files currently don't have IMA signatures after installing rpm-plugin-ima (https://bugzilla.redhat.com/show_bug.cgi?id=2076296#c4). Will EPEL package files have IMA signatures after bz2076296 gets truly resolved?

Comment 8 Florian Festi 2023-01-25 12:02:17 UTC
Upstream in this case means RPM upstream. But the patch is in the rpm-4.18 release already and as such part of Fedora 37.

Comment 15 Yongcheng Yang 2023-05-24 08:35:36 UTC
*** Bug 2209135 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2023-11-07 08:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rpm bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6623