Bug 2232480

Summary: SELinux is preventing /usr/bin/fwupdmgr from map access on the file /root/.cache/dconf/user.
Product: Red Hat Enterprise Linux 8 Reporter: Flos Qi Guo <qguo>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: low    
Version: 8.8CC: lvrabec, mmalik, nknazeko
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Flos Qi Guo 2023-08-17 04:57:54 UTC 
This bug was initially created as a copy of Bug #2219542

Copying this bug because RHEL8 needs backporting this fix either.
----------------8< ----------------8< ----------------8< ----------------
Description of problem:
Every night when the `fwupdagent` runs it produces the log entry shown in the summary of this BZ. The complete sealert message is:

~~~
$ sudo sealert -l 41fff8c8-5296-4fdc-80ee-3276cb55142b
SELinux is preventing /usr/bin/fwupdmgr from map access on the file /root/.cache/dconf/user.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that fwupdmgr should be allowed map access on the user file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fwupdagent' --raw | audit2allow -M my-fwupdagent
# semodule -X 300 -i my-fwupdagent.pp


Additional Information:
Source Context                system_u:system_r:insights_client_t:s0
Target Context                system_u:object_r:cache_home_t:s0
Target Objects                /root/.cache/dconf/user [ file ]
Source                        fwupdagent
Source Path                   /usr/bin/fwupdmgr
Port                          <Unknown>
Host                          host.example.com
Source RPM Packages           fwupd-1.8.10-2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Local Policy RPM              selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.com
Platform                      Linux host.example.com 5.14.0-284.18.1.el9_2.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023
                              x86_64 x86_64
Alert Count                   39
First Seen                    2023-04-26 02:08:13 CEST
Last Seen                     2023-07-04 03:14:11 CEST
Local ID                      41fff8c8-5296-4fdc-80ee-3276cb55142b

Raw Audit Messages
type=AVC msg=audit(1688433251.557:834): avc:  denied  { map } for  pid=33387 comm="fwupdagent" path="/root/.cache/dconf/user" dev="dm-1" ino=1310729 scontext=system_u:system_r:insights_client_t:s0 tcontext=system_u:object_r:cache_home_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1688433251.557:834): arch=x86_64 syscall=mmap success=yes exit=140588147630080 a0=0 a1=1 a2=1 a3=1 items=0 ppid=33386 pid=33387 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fwupdagent exe=/usr/bin/fwupdmgr subj=system_u:system_r:insights_client_t:s0 key=(null)

Hash: fwupdagent,insights_client_t,cache_home_t,file,map
~~~

I checked with the upstream project of fwupd and they can reproduce it and are sure this is a bug as fwupdmgr should be allowed map access on the user file by default.

Version-Release number of selected component (if applicable):
Source RPM Packages: fwupd-1.8.10-2.el9.x86_64
SELinux Policy RPM: selinux-policy-targeted-38.1.11-2.el9_2.3.noarch
Local Policy RPM: selinux-policy-targeted-38.1.11-2.el9_2.3.noarch

How reproducible:

Recurs every night when the fwupdagent runs.

Actual results:
Entry in journalctl:
SELinux is preventing /usr/bin/fwupdmgr from map access on the file /root/.cache/dconf/user.

Expected results:
fwupdmgr should be allowed map access on the user file by default.

Additional info:
Link to upstream discussion: https://github.com/fwupd/fwupd/discussions/5962
----------------8< ----------------8< ----------------8< ----------------
Comment 2 Zdenek Pytela 2023-08-17 06:46:50 UTC 
There are 3 different issues, all of them have been fixed already.

sesearch -A -s insights_client_t -t cache_home_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow insights_client_t non_security_file_type:file { getattr ioctl lock map open read };

rhel89# sesearch -A -s insights_client_t -t var_log_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow insights_client_t non_security_file_type:file { getattr ioctl lock map open read };
allow insights_client_t var_log_t:file map;

rhel89# sesearch -A -s insights_client_t -t fs_t -c filesystem -p quotaget
allow insights_client_t filesystem_type:filesystem { getattr quotaget };

Refer to
https://bugzilla.redhat.com/show_bug.cgi?id=2091117
https://bugzilla.redhat.com/show_bug.cgi?id=2214572
https://bugzilla.redhat.com/show_bug.cgi?id=2183351