Bug 2209235

Summary: AVC denials caused by rebased pkcsslotd
Product: Red Hat Enterprise Linux 9
Reporter: Karel Srot <ksrot>
Component: selinux-policy
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: unspecified
Version: 9.2
CC: lvrabec, mmalik, zpytela
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-38.1.14-1.el9
Doc Type: No Doc Update
Last Closed: 2023-11-07 08:52:24 UTC
Type: Bug
Bug Blocks: 2160061
Deadline: 2023-05-23

Description Karel Srot 2023-05-23 07:42:10 UTC
As expected, this issue is relevant also for RHEL-9.
This bug was initially created as a copy of Bug #2208162

Description of problem:

In bug 2160061 we are rebasing opencryptoki for RHEL-9.3 to the latest version.
However, this updated version is causing some AVC denials due to pkcsslotd not being able to transition to the correct domain.

Below is a copy of relevant logs from the respective RHEL-8 bug:


# setenforce 0
# systemctl start pkcsslotd
# ausearch -m avc 
----
time->Thu May 18 05:05:03 2023
type=AVC msg=audit(1684400703.589:1104): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.swtok" dev="tmpfs" ino=42503 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1
----
time->Thu May 18 05:05:08 2023
type=PROCTITLE msg=audit(1684400708.895:1105): proctitle="/usr/sbin/pkcsslotd"
type=PATH msg=audit(1684400708.895:1105): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=10411 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1684400708.895:1105): cwd="/"
type=EXECVE msg=audit(1684400708.895:1105): argc=1 a0="/usr/sbin/pkcsslotd"
type=SYSCALL msg=audit(1684400708.895:1105): arch=c000003e syscall=59 success=yes exit=0 a0=564d7765de10 a1=564d7765e570 a2=564d776179b0 a3=0 items=1 ppid=1 pid=10231 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pkcsslotd" exe="/usr/sbin/pkcsslotd" subj=system_u:system_r:pkcs_slotd_t:s0 key=(null)
type=AVC msg=audit(1684400708.895:1105): avc:  denied  { nnp_transition } for  pid=10231 comm="(kcsslotd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process2 permissive=1
----
time->Thu May 18 05:05:08 2023
type=PROCTITLE msg=audit(1684400708.910:1106): proctitle="/usr/sbin/pkcsslotd"
type=CAPSET msg=audit(1684400708.910:1106): pid=10231 cap_pi=0 cap_pp=0 cap_pe=0 cap_pa=0
type=SYSCALL msg=audit(1684400708.910:1106): arch=c000003e syscall=126 success=yes exit=0 a0=55adee3d7774 a1=55adee3d777c a2=55adee3d777c a3=0 items=0 ppid=1 pid=10231 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pkcsslotd" exe="/usr/sbin/pkcsslotd" subj=system_u:system_r:pkcs_slotd_t:s0 key=(null)
type=AVC msg=audit(1684400708.910:1106): avc:  denied  { setcap } for  pid=10231 comm="pkcsslotd" scontext=system_u:system_r:pkcs_slotd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process permissive=1

In permissive mode pkcsslotd is running as
# ps -eZ | grep pkcsslotd
system_u:system_r:pkcs_slotd_t:s0 10232 ?        00:00:00 pkcsslotd
while in enforcing mode it is
# ps -eZ | grep pkcsslotd
system_u:system_r:init_t:s0       10254 ?        00:00:00 pkcsslotd


How reproducible:
always

Steps to Reproduce:
Start pkcsslotd and initialize a token; basically any opencryptoki test hits this issue.

Actual results:
pkcsslotd is running in the init_t domain and not in its correct domain

Expected results:
No AVCs, pkcsslotd running in the correct domain


Additional info:
We want to rebase opencryptoki also in RHEL-9.3 so most likely the same change would be needed there. We just don't have a build yet to have it confirmed.
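The three AVC records quoted above are a good illustration of how to read an `ausearch -m avc` dump before touching policy. The following script is an added example, not part of the bug report or of the selinux-policy package: it parses the AVC lines from the report, extracts source/target domains, and states what each denial means in enforcing mode. The `nnp_transition` case is the interesting one: when systemd starts a unit with `NoNewPrivileges=yes` and the policy does not allow `process2 { nnp_transition }` from `init_t` to the daemon's domain, the exec still succeeds but the kernel keeps the caller's domain, which is exactly why `ps -eZ` shows `pkcsslotd` in `init_t` in enforcing mode. The `suggested_rule()` output is the raw allow rule audit2allow would print (the example's own suggestion, labelled as such); production policy normally expresses the NNP case through an interface such as `init_nnp_daemon_domain()` rather than a bare rule, and this report does not state what selinux-policy-38.1.14-1.el9 actually changed.

```python
"""Classify SELinux AVC denials from `ausearch -m avc` output.

Added example, not from the bug report or the selinux-policy project.
SAMPLE_AVC holds the three AVC records quoted in the report; the helper
names and the suggested allow rules are this example's own.
"""
import re
from dataclasses import dataclass, field

# AVC records copied from the report's ausearch output (input for this example).
SAMPLE_AVC = [
    'type=AVC msg=audit(1684400703.589:1104): avc:  denied  { unlink } for  pid=1 comm="systemd" '
    'name="var.lib.opencryptoki.swtok" dev="tmpfs" ino=42503 scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1684400708.895:1105): avc:  denied  { nnp_transition } for  pid=10231 '
    'comm="(kcsslotd)" scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process2 permissive=1',
    'type=AVC msg=audit(1684400708.910:1106): avc:  denied  { setcap } for  pid=10231 '
    'comm="pkcsslotd" scontext=system_u:system_r:pkcs_slotd_t:s0 '
    'tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: list
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    permissive: bool
    fields: dict = field(default_factory=dict)


def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(
        perms=m.group("perms").split(),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        comm=kv.get("comm", ""),
        permissive=kv.get("permissive") == "1",
        fields=kv,
    )


def domain_of(ctx):
    """Type component of a user:role:type:level security context."""
    return ctx.split(":")[2]


def enforcing_outcome(d):
    """Describe what this denial does to the operation in enforcing mode."""
    if d.tclass == "process2" and "nnp_transition" in d.perms:
        # An NNP/nosuid transition that the policy does not allow is not an
        # exec failure: the kernel falls back to the caller's domain, so the
        # daemon keeps running in the source domain (init_t here).
        return f"exec succeeds but process stays in {domain_of(d.scontext)}"
    return f"{' '.join(d.perms)} on {d.tclass} is refused (EACCES)"


def suggested_rule(d):
    """Raw allow rule covering the denial (this example's suggestion, audit2allow style)."""
    src, tgt = domain_of(d.scontext), domain_of(d.tcontext)
    tgt = "self" if src == tgt else tgt
    return f"allow {src} {tgt}:{d.tclass} {{ {' '.join(d.perms)} }};"


def analyze(lines):
    """Parse every AVC record in `lines` and attach outcome and suggested rule."""
    findings = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # SYSCALL, PROCTITLE, CWD, ... records carry no denial
        findings.append({
            "perms": d.perms,
            "class": d.tclass,
            "source": domain_of(d.scontext),
            "target": domain_of(d.tcontext),
            "outcome": enforcing_outcome(d),
            "rule": suggested_rule(d),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AVC):
        print(f"{f['source']} -> {f['target']} {f['class']} {f['perms']}: {f['outcome']}")
        print(f"    {f['rule']}")
```

Run against a live system, `analyze()` can be fed the output of `ausearch -m avc -ts recent` line by line. The value of the outcome column is that it separates the denial that silently degrades confinement (the daemon keeps running, just in the wrong domain, so nothing visibly breaks) from the ones that actually fail an operation; the former is the kind a test suite in enforcing mode will not notice unless it checks `ps -eZ`. Any suggested rule should be reviewed against what the daemon legitimately needs before it goes into policy.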

Comment 10 errata-xmlrpc 2023-11-07 08:52:24 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617