Bug 1015067 - New OpenLMI-storage AVCs
New OpenLMI-storage AVCs
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.0
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
Depends On:
Blocks:
Reported: 2013-10-03 07:56 EDT by Jan Safranek
Modified: 2014-12-10 04:30 EST (History)

See Also:
Fixed In Version: selinux-policy-3.12.1-109.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 05:44:34 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
openlmi-storage AVCs (334.31 KB, text/plain)
2013-10-03 07:56 EDT, Jan Safranek
AVCs with selinux-policy-targeted-3.12.1-86.el7 (160.30 KB, text/plain)
2013-10-08 05:06 EDT, Jan Safranek
OpenLMI storage AVCs with policy-targeted-3.12.1-108 (289.55 KB, text/plain)
2013-12-05 05:03 EST, Jan Safranek

Description Jan Safranek 2013-10-03 07:56:31 EDT
Created attachment 807055 [details]
openlmi-storage AVCs

As development and testing of OpenLMI Storage provider continues, I've noticed new AVCs in audit.log (see attachment) which need to be reflected in our policy.

Acquired with:
selinux-policy-targeted-3.12.1-84
openlmi-storage-0.6.0
Comment 1 Jan Safranek 2013-10-03 08:04:03 EDT
Adding David Lehman (Blivet author) to cc: to provide some info on why something is necessary (see @Dave below; please grep the attached avc.txt to see what file is being accessed).

Editing the audit2allow output, I added some comments on what is being rejected and whether it should be allowed. My doubts increase with the number of question marks.

#============= mdadm_t ==============

# ???: reading & writing /dev/mapper/control
# (it's lvm file, why is mdadm writing it?)
allow mdadm_t lvm_control_t:chr_file { read write };

# ???: mdadm wants to create /tmp/.tmp.md.23125:9:126
# why?
allow mdadm_t tmp_t:blk_file { read create unlink open };

# ALLOW: reading /dev/urandom, looks harmless
allow mdadm_t urandom_device_t:chr_file { read open };

#============= pegasus_openlmi_storage_t ==============
# ALLOW: probing of block devices
allow pegasus_openlmi_storage_t fixed_disk_device_t:blk_file { getattr open ioctl };

# ALLOW: create filesystems
allow pegasus_openlmi_storage_t fsadm_exec_t:file { read execute open execute_no_trans };

# ALLOW: device management
allow pegasus_openlmi_storage_t sysfs_t:file { write append };

# ALLOW: manipulate /etc/mdadm.conf
allow pegasus_openlmi_storage_t etc_t:dir { write remove_name add_name };
allow pegasus_openlmi_storage_t etc_t:file { write create unlink append };

# ALLOW?: looks harmless, but why is it needed?
# @Dave, any idea?
allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

# ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
# Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
# system is on /dev/vda*)
# @Dave, any idea?
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };

# ALLOW?: probably system probing
allow pegasus_openlmi_storage_t self:capability sys_rawio;
allow pegasus_openlmi_storage_t udev_var_run_t:file { read getattr open };

# ??? what is it and why is blivet doing it ???
# @Dave, any idea?
allow pegasus_openlmi_storage_t kernel_t:system ipc_info;
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

# do not allow? Blivet should probably use /var/run/blivet
allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

# do not allow? This is creation of /var/lib/openlmi-storage directory, it should be in RPM
allow pegasus_openlmi_storage_t var_lib_t:dir create;
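Added example (not part of this bug, of selinux-policy or of OpenLMI): a small Python script that does mechanically what comment 1 does by hand. It parses AVC denial records from audit.log, merges them into audit2allow-style allow rules keyed by source type, target type and object class, and prefixes each rule with an ALLOW/DENY/??? verdict taken from a hand-maintained triage table, so that only denials judged to be legitimate needs ever reach a policy module and the rest are reported as application bugs. The sample records (timestamps, pids, inodes, serials, the comm name cimprovagt) and the verdict table are constructed for the example.

```python
import re
from collections import defaultdict

# Field layout of a real kernel AVC record: "avc:  denied  { perms } for  k=v k=v ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log modelled on the denials reported in this bug; every
# numeric value and the comm names are made up for the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1380800191.123:9001): avc:  denied  { read write } for  pid=23125 comm="mdadm" path="/dev/mapper/control" dev="devtmpfs" ino=10711 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:lvm_control_t:s0 tclass=chr_file
type=AVC msg=audit(1380800191.456:9002): avc:  denied  { read } for  pid=23125 comm="mdadm" path="/dev/urandom" dev="devtmpfs" ino=1034 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1380800191.457:9003): avc:  denied  { open } for  pid=23125 comm="mdadm" path="/dev/urandom" dev="devtmpfs" ino=1034 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1380800201.001:9010): avc:  denied  { write add_name } for  pid=2590 comm="cimprovagt" name="tmp" dev="vda1" ino=131 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1380800201.002:9011): avc:  denied  { getattr } for  pid=2590 comm="cimprovagt" path="/mnt/test/lost+found" dev="sdb1" ino=11 scontext=system_u:system_r:pegasus_openlmi_storage_t:s0 tcontext=system_u:object_r:lost_found_t:s0 tclass=dir
type=SYSCALL msg=audit(1380800201.002:9011): arch=c000003e syscall=4 success=no exit=-13 ...
"""

# Constructed triage table in the spirit of the thread: a denial is written into
# policy only when the access is a legitimate need; denials caused by application
# bugs stay denied and are filed against the application instead.
TRIAGE = {
    ('mdadm_t', 'urandom_device_t', 'chr_file'): ('ALLOW', 'reading /dev/urandom is harmless'),
    ('mdadm_t', 'lvm_control_t', 'chr_file'): ('DENY', 'fd leaked by the caller, application bug'),
    ('pegasus_openlmi_storage_t', 'tmp_t', 'dir'): ('DENY', 'should use its own runtime directory'),
    ('pegasus_openlmi_storage_t', 'lost_found_t', 'dir'): ('DENY', 'should not stat /lost+found'),
}


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': set(m.group('perms').split()),
            'stype': fields['scontext'].split(':')[2],   # user:role:TYPE:level
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'comm': fields.get('comm', '?'),
            'object': fields.get('path') or fields.get('name') or '',
        }
    except (KeyError, IndexError):
        return None


def aggregate(log_text):
    """Group denials by (source type, target type, class), merging permissions and
    remembering which objects were touched, the way audit2allow collapses records."""
    rules = defaultdict(lambda: {'perms': set(), 'objects': set(), 'comms': set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        rules[key]['perms'] |= rec['perms']
        rules[key]['comms'].add(rec['comm'])
        if rec['object']:
            rules[key]['objects'].add(rec['object'])
    return rules


def render(rules, triage=TRIAGE):
    """Emit audit2allow-style text grouped per source type, each rule prefixed
    with its triage verdict; rules missing from the table are flagged '???'."""
    out = []
    for stype in sorted({k[0] for k in rules}):
        out.append(f'#============= {stype} ==============')
        for key in sorted(k for k in rules if k[0] == stype):
            verdict, reason = triage.get(key, ('???', 'not yet reviewed'))
            info = rules[key]
            objects = ', '.join(sorted(info['objects'])) or '(no path in record)'
            comms = ', '.join(sorted(info['comms']))
            out.append(f'# {verdict}: {reason}; seen on {objects} by {comms}')
            perms = ' '.join(sorted(info['perms']))
            if len(info['perms']) > 1:
                perms = '{ ' + perms + ' }'
            out.append(f'allow {key[0]} {key[1]}:{key[2]} {perms};')
        out.append('')
    return '\n'.join(out)


def allowed_rules(rules, triage=TRIAGE):
    """Only the rule keys that passed triage, i.e. what may go into a policy module."""
    return sorted(k for k in rules if triage.get(k, ('???',))[0] == 'ALLOW')


if __name__ == '__main__':
    print(render(aggregate(SAMPLE_AUDIT_LOG)))
```

Run it against a real audit.log instead of SAMPLE_AUDIT_LOG to get the same grouped view; keys that print as ??? are the ones that still need the "why does the program do this" question answered before any rule is added.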
Comment 2 Jan Safranek 2013-10-03 08:04:47 EDT
Note that this bug applies also to current rawhide.
Comment 4 Miroslav Grepl 2013-10-03 14:13:48 EDT
I added some fixes to cleanup this bug. Let's test it with the latest build which is coming today.
Comment 5 David Lehman 2013-10-07 13:25:28 EDT
(In reply to Jan Safranek from comment #1)
> # ALLOW?: looks harmless, but why is it needed?
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
> allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

Could be related to selinux contexts. Blivet sets default selinux context when mounting a filesystem. Perhaps this should only be in installer mode?

> 
> # ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
> # Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
> # system is on /dev/vda*)
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };

You have to mount a btrfs subvolume before you can create a subvolume on it.

> 
> # ALLOW?: probably system probing
> allow pegasus_openlmi_storage_t self:capability sys_rawio;
> allow pegasus_openlmi_storage_t udev_var_run_t:file { read getattr open };
> 
> # ??? what is it and why is blivet doing it ???
> # @Dave, any idea?
> allow pegasus_openlmi_storage_t kernel_t:system ipc_info;

What were you doing when you saw this? Something related to LUKS volumes?

> allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

Blivet loads kernel modules for filesystems as part of the format constructor. Maybe this should only happen in installer mode?

> 
> # do not allow? Blivet should probably use /var/run/blivet
> allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create
> add_name rmdir };
> allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

I'll look into this.
Comment 6 Miroslav Grepl 2013-10-07 15:09:09 EDT
Could you re-run it with the latest policy build?
Comment 7 Jan Safranek 2013-10-08 03:05:43 EDT
(In reply to David Lehman from comment #5)
> (In reply to Jan Safranek from comment #1)
> > # ALLOW?: looks harmless, but why is it needed?
> > # @Dave, any idea?
> > allow pegasus_openlmi_storage_t fs_t:filesystem getattr;
> > allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
> 
> Could be related to selinux contexts. Blivet sets default selinux context
> when mounting a filesystem. Perhaps this should only be in installer mode?
> 
> > 
> > # ALLOW?: create+delete /tmp/btrfs-tmp.554TSzS_
> > # Note it's on /dev/sdb1 (= the *test* disk, where btrfs was just created;
> > # system is on /dev/vda*)
> > # @Dave, any idea?
> > allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
> 
> You have to mount a btrfs subvolume before you can create a subvolume on it.

Well, I don't create subvolumes (yet), just mkfs.btrfs /dev/sdb1 and blivet.reset(). I guess it's related to bug #1015072.

> > allow pegasus_openlmi_storage_t modules_object_t:dir getattr;
> 
> Blivet loads kernel modules for filesystems as part of the format
> constructor. Maybe this should only happen in installer mode?

Yes please. If a tool (mkfs, cryptsetup, mdadm, mount...) needs a kernel module, it should load it by itself. And SELinux policy should have proper transitions from pegasus_openlmi_storage_t.
Comment 8 Jan Safranek 2013-10-08 05:06:03 EDT
Created attachment 809184 [details]
AVCs with selinux-policy-targeted-3.12.1-86.el7

With today's RHEL7 selinux-policy-targeted-3.12.1-86.el7.noarch I get:

#============= mdadm_t ==============
# DENY: this one is caused by blivet leaking file descriptor with opened
# /dev/mapper/control to mdadm (bug #1016467)
allow mdadm_t lvm_control_t:chr_file { read write };

#============= pegasus_openlmi_storage_t ==============
# DENY: Covered in bug #1015072
allow pegasus_openlmi_storage_t tmp_t:dir { write remove_name create add_name rmdir };
allow pegasus_openlmi_storage_t tmp_t:file { write create unlink open };

# DENY: fixed today in openlmi upstream
allow pegasus_openlmi_storage_t var_lib_t:file { read write getattr open };

# DENY: blivet should not load modules on its own
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;

# ALLOW: this comes from parted/pyparted, in strace I can see:
#    2590  write(2, "DEBUG:blivet: looking up parted "..., 49) = 49
#    2590  lstat("/dev", {st_mode=S_IFDIR|0755, st_size=3100, ...}) = 0
#    2590  lstat("/dev/vda", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 0), ...}) = 0
#    2590  semctl(0, 0, SEM_INFO, 0x7fffdb6dee30) = 0
#    2590  open("/etc/udev/udev.conf", O_RDONLY|O_CLOEXEC) = 3
# see StorageDevice.partedDevice()
# The same does 'parted /dev/vda print'.
allow pegasus_openlmi_storage_t kernel_t:system ipc_info;

# ALLOW?: These are discussed in previous comments, I think we should allow it.
# openlmi-storage can do *anything* to storage devices anyway.
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
allow pegasus_openlmi_storage_t fixed_disk_device_t:blk_file { getattr open ioctl };
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;
Comment 9 Miroslav Grepl 2013-10-16 04:51:54 EDT
Jan,
it is really much easier to update the policy with your comments. Thanks.

Added to selinux-policy-3.12.1-91.el7
Comment 10 Miroslav Grepl 2013-10-16 04:52:58 EDT
commit 5fdffd0fd3816fba7861614c32030d950ebcb699
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Oct 16 10:52:24 2013 +0200

    Update openlmi-storage policy to reflect #1015067
Comment 11 David Lehman 2013-10-16 15:04:54 EDT
(In reply to Jan Safranek from comment #7)

Please open bugs for whatever you want to see changed in F20 or RHEL7 since everything is locked down now. Thanks.
Comment 13 Miroslav Grepl 2013-11-26 10:47:09 EST
Added labeling.
Comment 15 Jan Safranek 2013-12-05 05:00:54 EST
There are some new AVCs we've noticed during testing, see attachment.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-108.el7.noarch

audit2allow reports:

# ALLOW: blivet imports libiscsi.so, which checks for /run/lock/iscsi/lock, sets capabilities and higher stack size.
# Basically blivet can do anything that libiscsi.so can do and that's already tracked as iscsid_exec_t (/sbin/iscsiadm).
allow pegasus_openlmi_storage_t var_lock_t:dir search;
allow pegasus_openlmi_storage_t var_lock_t:lnk_file read;
allow pegasus_openlmi_storage_t iscsi_lock_t:dir { write remove_name search add_name };
allow pegasus_openlmi_storage_t iscsi_lock_t:file { read write unlink open link };
allow pegasus_openlmi_storage_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow pegasus_openlmi_storage_t self:process setrlimit;
allow pegasus_openlmi_storage_t self:capability { sys_resource ipc_lock };


# ALLOW: blivet imports libcryptsetup.so, which loads dm_crypt.ko.
# Similarly to previous paragraph, blivet can do anything that /sbin/cryptsetup can (lvm_exec_t).
allow pegasus_openlmi_storage_t kernel_t:system module_request;

# ALLOW: blivet has heuristics to determine if a filesystem is mountable. One of the techniques is to check for /usr/lib/modules/<fsname>.ko.
allow pegasus_openlmi_storage_t modules_object_t:dir getattr;


# DENY: blivet reads SELinux context on /lost+found, blivet should not do it; bz#1038146.
allow pegasus_openlmi_storage_t lost_found_t:dir getattr;

# DENY: Blivet creates /tmp/XXXXXXX, which is bad; bz#1038205.
allow pegasus_openlmi_storage_t tmp_t:dir { write add_name };
allow pegasus_openlmi_storage_t tmp_t:file { write create open };

# DENY: already tracked above.
allow pegasus_openlmi_storage_t file_t:dir { read getattr open ioctl };
Comment 16 Jan Safranek 2013-12-05 05:03:09 EST
Created attachment 833064 [details]
OpenLMI storage AVCs with policy-targeted-3.12.1-108
Comment 17 Jan Safranek 2013-12-05 05:03:57 EST
Moving back to assigned for new AVCs, see comment #15.
Comment 18 Miroslav Grepl 2013-12-06 08:03:32 EST
commit 7e5034e85b57664e19431e6edfc5324b2531fb84
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri Dec 6 14:03:04 2013 +0100

    Update pegasus_openlmi_storage_t policy
Comment 21 Ludek Smid 2014-06-13 05:44:34 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
