Bug 2228245
| Field | Value |
|---|---|
| Summary | Missing execute_no_trans policy for nut stack: upsmon -> upssched -> script > upsmon |
| Product | Fedora |
| Component | selinux-policy |
| Version | 38 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Hardware | Unspecified |
| OS | Linux |
| Reporter | Leon Fauster <leonfauster> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
| Fixed In Version | selinux-policy-38.24-1.fc38 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2023-08-12 04:22:55 UTC |
FEDORA-2023-a79a6bdd37 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a79a6bdd37

FEDORA-2023-a79a6bdd37 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a79a6bdd37` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a79a6bdd37 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-a79a6bdd37 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
The NUT UPS monitor (upsmon) executes a helper (upssched), and that in turn executes the monitor again (upsmon) via a custom script. This seems not to be allowed -> denied { execute_no_trans }. As a temp solution we installed a semodule with `allow nut_upsmon_t nut_upsmon_exec_t:file execute_no_trans;`. Should this be included?

Reproducible: Always

Steps to Reproduce:
1. Install nut-client
2. Configure the client (nut-monitor) to use upssched
3. `grep upssch /etc/ups/upsmon.conf` -> `NOTIFYCMD /usr/sbin/upssched`
4. Configure upssched to use the custom script (e.g. /usr/bin/upssched-cmd)
5. Add to the custom script "/usr/sbin/upsmon -c fsd" to force a shutdown

Actual Results:

```
type=AVC msg=audit(1690760021.301:222): avc: denied { execute_no_trans } for pid=2267 comm="upssched-handle" path="/usr/sbin/upsmon" dev="dm-0" ino=27404 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:nut_upsmon_exec_t:s0 tclass=file permissive=1
```

Expected Results: upsmon should be able to exec "upsmon -c fsd" via the upssched + script chain to shut the system down.

From the nut docs: "upsmon starts as root and forks an unprivileged process which does the actual monitoring over the network. When a shutdown is necessary, a single character is sent to the privileged process. It then calls the predefined shutdown command." Therefore the "/usr/sbin/upsmon -c fsd" command (fsd = force shutdown)
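The rule the reporter loaded as a temporary module can be derived mechanically from the AVC line quoted in the report. The shell script below is an added example, not part of the bug report or of the selinux-policy project: it parses the denial the way audit2allow does (with only sed and cut, so it runs anywhere), emits the single matching allow rule and a loadable .te module, and, when invoked as `sh derive.sh install`, compiles and loads it with checkmodule, semodule_package and semodule. The module name local_nut, the file names and the `install` argument are assumptions of this example. With selinux-policy-38.24-1.fc38 or later (the fixed version listed above) the local module is unnecessary; on older policies the point of deriving the rule from the AVC is that it stays limited to exactly the denied permission instead of being widened by hand.

```shell
#!/bin/sh
# Added example (not from the bug report): derive a local SELinux policy module
# from an AVC denial, the way audit2allow does, using only sed and cut.

# Sample input: a copy of the AVC line from the report (constructed for this example).
SAMPLE_AVC='type=AVC msg=audit(1690760021.301:222): avc: denied { execute_no_trans } for pid=2267 comm="upssched-handle" path="/usr/sbin/upsmon" dev="dm-0" ino=27404 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:nut_upsmon_exec_t:s0 tclass=file permissive=1'

# Print the value of the key=value field named $2 from AVC line $1.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The type is the third colon-separated field of a context (user:role:type:level).
avc_source_type() { avc_field "$1" scontext | cut -d: -f3; }
avc_target_type() { avc_field "$1" tcontext | cut -d: -f3; }
avc_class()       { avc_field "$1" tclass; }

# Permissions are the space-separated names between the braces: { a b }.
avc_perms() { printf '%s\n' "$1" | sed -n 's/.*{ *//; s/ *}.*//p'; }

# One allow rule matching exactly the denied access, nothing broader.
avc_to_allow() {
    printf 'allow %s %s:%s { %s };\n' \
        "$(avc_source_type "$1")" "$(avc_target_type "$1")" \
        "$(avc_class "$1")" "$(avc_perms "$1")"
}

# Full .te source for a loadable module named $1 covering AVC line $2
# (plain module syntax, as produced by audit2allow -M).
avc_to_te() {
    s=$(avc_source_type "$2"); t=$(avc_target_type "$2")
    c=$(avc_class "$2");       p=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$1" "$s" "$t" "$c" "$p"
    printf 'allow %s %s:%s { %s };\n' "$s" "$t" "$c" "$p"
}

# Compile and load the module. Needs checkmodule, semodule_package and semodule
# (checkpolicy / policycoreutils) and root; only runs when asked for explicitly.
install_module() {
    avc_to_te "$1" "$2" > "$1.te" &&
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

if [ "${1:-}" = install ]; then
    install_module local_nut "$SAMPLE_AVC"
else
    # Default: just show the module source that would be loaded.
    avc_to_te local_nut "$SAMPLE_AVC"
fi
```

Run without arguments the script prints the .te source so it can be reviewed before anything is loaded; `avc_to_allow` on the sample line yields `allow nut_upsmon_t nut_upsmon_exec_t:file { execute_no_trans };`, the same rule the reporter used. Because the target is nut_upsmon_exec_t and the permission is execute_no_trans, upsmon re-executed from the upssched script stays in nut_upsmon_t rather than transitioning, which is the behaviour the report asks for. Further denials from the same chain can be collected with `ausearch -m avc` and fed through the same functions.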