Bug 2215526

Summary: fapolicyd still allows execution of a program after "untrusting" it
Product: Red Hat Enterprise Linux 9
Reporter: Radovan Sroka <rsroka>
Component: fapolicyd
Assignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 9.2
CC: dapospis, qe-baseos-security, rmetrich
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 2181472
Last Closed: 2023-06-16 12:03:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2181472

Description Radovan Sroka 2023-06-16 11:21:56 UTC
+++ This bug was initially created as a clone of Bug #2181472 +++

Description of problem:

Removing a program from the trust database, then reloading fapolicyd, has no effect. The program can still execute until fapolicyd is restarted, as shown in the example below:

Sample program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ cat > hello.c << EOF
#include <stdio.h>
int main(int argc, char *argv[])
{
  printf("Hello!\n");
  return 0;
}
EOF

[user@vm-fapolicy8 ~]$ gcc -o hello hello.c
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Program initially untrusted:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ ./hello
-bash: ./hello: Operation not permitted
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Trusting the program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[root@vm-fapolicy8 ~]# fapolicyd-cli -f add /home/user/hello
[root@vm-fapolicy8 ~]# fapolicyd-cli -u
Fapolicyd was notified
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Program now trusted:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ ./hello
Hello!
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Untrusting the program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[root@vm-fapolicy8 ~]# fapolicyd-cli -f delete /home/user/hello
[root@vm-fapolicy8 ~]# fapolicyd-cli -u
Fapolicyd was notified
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Program untrusted again: (STILL EXECUTES!)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ ./hello
Hello!
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Looks like a cache issue.

Version-Release number of selected component (if applicable):

fapolicyd-1.1.3-8.el8_7.1.x86_64

How reproducible:

Always, see above.

--- Additional comment from Renaud Métrich on 2023-03-24 13:56:50 UTC ---

I checked with "integrity = sha256", this doesn't help (just in case this was related to BZ #2181544).

--- Additional comment from Radovan Sroka on 2023-03-24 14:08:38 UTC ---

(In reply to Renaud Métrich from comment #1)
> I checked with "integrity = sha256", this doesn't help (just in case this
> was related to BZ #2181544).

This is basically a duplicate of BZ #2179701. Different symptoms but the same source. I want to keep both bugzillas open for now.
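
The report above suspects a cache issue: the trust database is re-read on `fapolicyd-cli -u`, but a decision already cached for the binary survives until the daemon restarts. The following is an added example, not fapolicyd's code and not the reporter's, that models this failure mode in a few lines so the stale-decision behaviour and its fix (drop every cached decision whenever the trust database is reloaded) can be seen side by side. The path is taken from the report; the class names and the rule that only allow decisions are memoised are assumptions made here to reproduce the reported symptom, not a statement about fapolicyd's internals.

```python
# Added example: a minimal model of a trust-decision cache that is, or is not,
# invalidated when the trust database is reloaded. Not fapolicyd's code.
from typing import Dict, List, Set

HELLO = "/home/user/hello"  # path used in the bug report


class TrustDecisionCache:
    """Answers allow/deny from a trust set, memoising allow decisions.

    Assumption for this model: only allow decisions are cached, which is
    what reproduces the reported symptom (add takes effect, delete does not).
    """

    def __init__(self, trusted: Set[str], invalidate_on_update: bool) -> None:
        self.trusted = trusted
        self.invalidate_on_update = invalidate_on_update
        self._cache: Dict[str, str] = {}

    def decide(self, path: str) -> str:
        if path in self._cache:
            return self._cache[path]  # a stale entry wins here
        decision = "allow" if path in self.trusted else "deny"
        if decision == "allow":
            self._cache[path] = decision
        return decision

    def update(self) -> None:
        """Analogue of `fapolicyd-cli -u`: the trust set is re-read by the
        caller; the fix is to also drop every cached decision."""
        if self.invalidate_on_update:
            self._cache.clear()

    def restart(self) -> None:
        """Analogue of restarting the daemon: the in-memory cache is gone."""
        self._cache.clear()


def run_scenario(invalidate_on_update: bool) -> List[str]:
    """Replays the report's sequence and returns the four observed decisions."""
    trusted: Set[str] = set()
    cache = TrustDecisionCache(trusted, invalidate_on_update)
    seen: List[str] = []
    seen.append(cache.decide(HELLO))        # initially untrusted: deny
    trusted.add(HELLO)                      # fapolicyd-cli -f add ...
    cache.update()                          # fapolicyd-cli -u
    seen.append(cache.decide(HELLO))        # trusted: allow (now cached)
    trusted.discard(HELLO)                  # fapolicyd-cli -f delete ...
    cache.update()                          # fapolicyd-cli -u
    seen.append(cache.decide(HELLO))        # buggy: stale allow; fixed: deny
    cache.restart()
    seen.append(cache.decide(HELLO))        # after restart: deny either way
    return seen


def untrust_is_effective(invalidate_on_update: bool) -> bool:
    """Defender's check: after delete + update the decision must be deny."""
    return run_scenario(invalidate_on_update)[2] == "deny"


if __name__ == "__main__":
    print("no invalidation on update :", run_scenario(False))
    print("invalidation on update    :", run_scenario(True))
```

On a real host the equivalent check is the one the report already performs: after `fapolicyd-cli -f delete` and `fapolicyd-cli -u`, run the binary as the unprivileged user and expect "Operation not permitted"; if it still runs, the stale state persists until the daemon is restarted, as the report describes.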

Comment 1 Radovan Sroka 2023-06-16 12:00:31 UTC
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774

Comment 2 Radovan Sroka 2023-06-16 12:03:11 UTC
The bugzilla has been migrated to Jira and is now available in the RHEL ticket, where it will continue its lifecycle.