Bug 2181514

Summary: RFE: protect the system from hanging through protecting fapolicyd
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: fapolicydAssignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.7CC: bwelterl, plautrba, qguo, zpytela
Target Milestone: rcKeywords: FutureFeature, MigratedToJIRA, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-16 14:58:18 UTC Type: Story
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2181968    
Bug Blocks:    

Description Renaud Métrich 2023-03-24 10:55:37 UTC 
Description of problem:

When stracing fapolicyd or sending a SIGSTOP signal to fapolicyd, the system hangs and needs to be forcibly rebooted.

Assuming SELinux is enabled and in Enforcing (which is the default), it should be very easy to avoid such system hang by protecting the process with some new rule such as below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
(neverallow domain fapolicyd_t (process (sigstop ptrace)))
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

fapolicyd-selinux-1.1.3-8.el8_7.1.noarch

How reproducible:

Always

Steps to Reproduce:
1. Send SIGSTOP as root/unconfined

Actual results:

System unusable until rebooted forcibly

Expected results:

Cannot send SIGSTOP

Additional info:

Unfortunately there seems to be something in SELinux that doesn't take "neverallow" rules into account.
If I add such rule, "sesearch --neverallow" still doesn't list anything, weird:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# bunzip2 -c /var/lib/selinux/targeted/active/modules/400/protect_fapolicyd/cil 
(neverallow domain fapolicyd_t (process (sigstop ptrace)))

--> rule is present and loaded in policy

# sesearch --neverallow
--> nothing
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Comment 2 Radovan Sroka 2023-08-16 14:45:15 UTC 
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774