1015067 – New OpenLMI-storage AVCs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1015067 - New OpenLMI-storage AVCs

Summary: New OpenLMI-storage AVCs

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-10-03 11:56 UTC by Jan Safranek
Modified:	2014-12-10 09:30 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.12.1-109.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 09:44:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
openlmi-storage AVCs (334.31 KB, text/plain) 2013-10-03 11:56 UTC, Jan Safranek	no flags	Details
AVCs with selinux-policy-targeted-3.12.1-86.el7 (160.30 KB, text/plain) 2013-10-08 09:06 UTC, Jan Safranek	no flags	Details
OpenLMI sotrage AVCs with policy-targeted-3.12.1-108 (289.55 KB, text/plain) 2013-12-05 10:03 UTC, Jan Safranek	no flags	Details
View All

Description Jan Safranek 2013-10-03 11:56:31 UTC

Created attachment 807055 [details]
openlmi-storage AVCs

As development and testing of OpenLMI Storage provider continues, I've noticed new AVCs in audit.log (see attachment) which need to be reflected in our policy.

Acquired with:
selinux-policy-targeted-3.12.1-84
openlmi-storage-0.6.0

Comment 1 Jan Safranek 2013-10-03 12:04:03 UTC

Adding David Lehman (Blivet author) to cc: to provide some info why is something necessary (see @Dave below, please grep attached avc.txt to see what file is being accessed.

Editing audit2allow output, I added some comments what is being rejected and if it should be allowed. My doubts increase with nr. of question marks.

#============= mdadm_t ==============

# ???: reading & writing /dev/mapper/control
# (it's lvm file, why is mdadm writing it?)
allow mdadm_t lvm_control_t:chr_file { read write };

# ???: mdadm wants to create /tmp/.tmp.md.23125:9:126
# why?
allow mdadm_t tmp_t:blk_file { read create unlink open };

# ALLOW: reading /dev/urandom, looks harmless
allow mdadm_t urandom_device_t:chr_file { read open };

#============= pegasus_openlmi_storage_t ==============
# ALLOW: probing of block devices
allow pegasus_openlmi_storage_t fixed_disk_device_t:blk_file { getattr open ioctl };

# ALLOW: create filestems
allow pegasus_openlmi_storage_t fsadm_exec_t:file { read execute open execute_no_trans };

# ALLOW: device management
allow pegasus_openlmi_storage_t sysfs_t:file { write append };

# ALLOW: manipulate /etc/mdadm.conf
allow pegasus_openlmi_storage_t etc_t:dir { write remove_name add_name };
allow pegasus_openlmi_storage_t etc_t:file { write create unlink append };

# ALLOW?: looks harmless, but why is it needed?
# @Dave, any idea?
allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

# ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
# Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
# @Dave, any idea?
system is on /dev/vda*)
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };

# ALLOW?: probably system probing
allow pegasus_openlmi_storage_t self:capability sys_rawio;
allow pegasus_openlmi_storage_t udev_var_run_t:file { read getattr open };

# ??? what is it and why is blivet doing it ???
# @Dave, any idea?
allow pegasus_openlmi_storage_t kernel_t:system ipc_info;
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

# do not allow? Blivet should probably use /var/run/blivet
allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

# do not allow? This is creation of /var/lib/openlmi-storage directory, it should be in RPM
allow pegasus_openlmi_storage_t var_lib_t:dir create;

Comment 2 Jan Safranek 2013-10-03 12:04:47 UTC

Note that this bug applies also to current rawhide.

Comment 4 Miroslav Grepl 2013-10-03 18:13:48 UTC

I added some fixes to cleanup this bug. Let's test it with the latest build which is coming today.

Comment 5 David Lehman 2013-10-07 17:25:28 UTC

(In reply to Jan Safranek from comment #1)
> # ALLOW?: looks harmless, but why is it needed?
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
> allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

Could be related to selinux contexts. Blivet sets default selinux context when mounting a filesystem. Perhaps this should only be in installer mode?

> 
> # ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
> # Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
> # @Dave, any idea?
> system is on /dev/vda*)
> allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };

You have to mount a btrfs subvolume before you can create a subvolume on it.

> 
> # ALLOW?: probably system probing
> allow pegasus_openlmi_storage_t self:capability sys_rawio;
> allow pegasus_openlmi_storage_t udev_var_run_t:file { read getattr open };
> 
> # ??? what is it and why is blivet doing it ???
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t kernel_t:system ipc_info;

What were you doing when you saw this? Something related to LUKS volumes?

> allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

Blivet loads kernel modules for filesystems as part of the format constructor. Maybe this should only happen in installer mode?

> 
> # do not allow? Blivet should probably use /var/run/blivet
> allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create
> add_name rmdir };
> allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

I'll look into this.

Comment 6 Miroslav Grepl 2013-10-07 19:09:09 UTC

Could you re-run it with the latest policy build?

Comment 7 Jan Safranek 2013-10-08 07:05:43 UTC

(In reply to David Lehman from comment #5)
> (In reply to Jan Safranek from comment #1)
> > # ALLOW?: looks harmless, but why is it needed?
> > # @Dave, any idea?
> > allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
> > allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
> 
> Could be related to selinux contexts. Blivet sets default selinux context
> when mounting a filesystem. Perhaps this should only be in installer mode?
> 
> > 
> > # ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
> > # Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
> > # @Dave, any idea?
> > system is on /dev/vda*)
> > allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
> 
> You have to mount a btrfs subvolume before you can create a subvolume on it.

Well, I don't create subvolumes (yet), just mkfs.btrfs /dev/sdb1 and blivet.reset(). I guess it's related to bug #1015072.

> > allow pegasus_openlmi_storage_t modules_object_t:dir getattr;
> 
> Blivet loads kernel modules for filesystems as part of the format
> constructor. Maybe this should only happen in installer mode?

Yes please. If a tool (mkfs, cryptsetup, mdadm, mount...) needs a kernel module, it should load it by itself. And SELinux policy should have proper transitions from pegasus_openlmi_storage_t.

Comment 8 Jan Safranek 2013-10-08 09:06:03 UTC

Created attachment 809184 [details]
AVCs with selinux-policy-targeted-3.12.1-86.el7

With today's RHEL7 selinux-policy-targeted-3.12.1-86.el7.noarch I get:

#============= mdadm_t ==============
# DENY: this one is caused by blivet leaking file descriptor with opened
# /dev/mapper/control to mdadm (bug #1016467)
allow mdadm_t lvm_control_t:chr_file { read write };

#============= pegasus_openlmi_storage_t ==============
# DENY: Covered in bug #1015072
allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

# DENY: fixed today in openlmi upstream
allow pegasus_openlmi_storage_t var_lib_t:file { read write getattr open };

# DENY: blivet should not load modules on its own
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

# ALLOW: this comes from parted/pypated, in strace I can see:
#    2590  write(2, "DEBUG:blivet: looking up parted "..., 49) = 49
#    2590  lstat("/dev", {st_mode=S_IFDIR|0755, st_size=3100, ...}) = 0
#    2590  lstat("/dev/vda", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 0), ...}) = 0
#    2590  semctl(0, 0, SEM_INFO, 0x7fffdb6dee30) = 0
#    2590  open("/etc/udev/udev.conf", O_RDONLY|O_CLOEXEC) = 3
# see StorageDevice.partedDevice()
# The same does 'parted /dev/vda print'.
allow pegasus_openlmi_storage_t kernel_t:system ipc_info;

# ALLOW?: These are discussed in previous comments, I think we should allow it.
# openlmi-storage can do *anything* to storage devices anyway.
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
allow pegasus_openlmi_storage_t fixed_disk_device_t:blk_file { getattr open ioctl };
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

Comment 9 Miroslav Grepl 2013-10-16 08:51:54 UTC

Jan,
it is really much more easier to update the policy with your comments. Thanks.

Added to selinux-policy-3.12.1-91.el7

Comment 10 Miroslav Grepl 2013-10-16 08:52:58 UTC

commit 5fdffd0fd3816fba7861614c32030d950ebcb699
Author: Miroslav Grepl <mgrepl>
Date:   Wed Oct 16 10:52:24 2013 +0200

    Update openlmi-storage policy to reflect #1015067

Comment 11 David Lehman 2013-10-16 19:04:54 UTC

(In reply to Jan Safranek from comment #7)

Please open bugs for whatever you want to see changed in F20 or RHEL7 since everything is locked down now. Thanks.

Comment 13 Miroslav Grepl 2013-11-26 15:47:09 UTC

Added labeling.

Comment 15 Jan Safranek 2013-12-05 10:00:54 UTC

There are some new AVCs we've noticed during testing, see attachment.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-108.el7.noarch

audit2allow reports:

# ALLOW: blivet imports libiscsi.so, which checks for /run/lock/iscsi/lock, sets capabilities and higher stack size.
# Basically blivet can do anything that libiscsi.so can do and that's already tracked as  iscsid_exec_t (/sbin/iscsiadm).
allow pegasus_openlmi_storage_t var_lock_t:dir search;
allow pegasus_openlmi_storage_t var_lock_t:lnk_file read;
allow pegasus_openlmi_storage_t iscsi_lock_t:dir { write remove_name search add_name };
allow pegasus_openlmi_storage_t iscsi_lock_t:file { read write unlink open link };
allow pegasus_openlmi_storage_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow pegasus_openlmi_storage_t self:process setrlimit;
allow pegasus_openlmi_storage_t self:capability { sys_resource ipc_lock };


# ALLOW: blivet imports libcryptsetup.so, which loads dm_crypt.ko.
# Similarly to previous paragraph, blivet can do anything that /sbin/cryptsetup can (lvm_exec_t).
allow pegasus_openlmi_storage_t kernel_t:system module_request;

# ALLOW: blivet has heuristics to determine if a filesystem is mountable. One of the technique is to check for /usr/lib/modules/<fsname>.ko.
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;


# DENY: blivet reads SELinux context on /lost+found, blivet should not do it; bz#1038146.
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

# DENY: Blivet creates /tmp/XXXXXXX, which is bad; bz#1038205.
allow pegasus_openlmi_storage_t tmp_t:dir { write add_name };
allow pegasus_openlmi_storage_t tmp_t:file { write create open };

# DENY: already tracked above.
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };

Comment 16 Jan Safranek 2013-12-05 10:03:09 UTC

Created attachment 833064 [details]
OpenLMI sotrage AVCs with policy-targeted-3.12.1-108

Comment 17 Jan Safranek 2013-12-05 10:03:57 UTC

Moving back to assigned for new AVCs, see comment #15.

Comment 18 Miroslav Grepl 2013-12-06 13:03:32 UTC

commit 7e5034e85b57664e19431e6edfc5324b2531fb84
Author: Miroslav Grepl <mgrepl>
Date:   Fri Dec 6 14:03:04 2013 +0100

    Update pegasus_openlmi_storage_t policy

Comment 21 Ludek Smid 2014-06-13 09:44:34 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.