Bug 1117420 - rhsmcertd versus ostree versus selinux
Summary: rhsmcertd versus ostree versus selinux
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1123889
TreeView+ depends on / blocked
 
Reported: 2014-07-08 16:18 UTC by Colin Walters
Modified: 2014-09-11 14:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-01 09:45:47 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Colin Walters 2014-07-08 16:18:29 UTC
I'm seeing:

type=AVC msg=audit(1404835626.233:83): avc:  denied  { read } for  pid=827 comm="rhsmcertd-worke" name="ostree" dev="sda3" ino=8389295 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

See also https://bugzilla.redhat.com/show_bug.cgi?id=1115212

The right fix may be an updated SELinux policy.

Comment 1 Colin Walters 2014-07-08 16:26:59 UTC
Normally most userspace processes shouldn't need access to /ostree (or /sysroot), but subscription-manager right now writes to /ostree/repo/config.

Can we just allow this access in RHEL7?

Comment 3 Adrian Likins 2014-07-28 16:45:28 UTC
rhsmcertd-worker will need to:

- read  /ostree/repo/config
- write /ostree/repo/config

/usr/share/rhsm/subscription_manager/plugin/ostree/gi_wrapper.py
will need to be able to read/write

/ostree/deploy/rhel-atomic-host/deploy/*.origin

(and likely..
/ostree/deploy/*/deploy/*.origin


If those files get specific contexts, subscription-manager will
need to be able to read/write as well.

Comment 4 Miroslav Grepl 2014-07-30 14:52:59 UTC
How are /ostree/repo and /ostree/deploy/*/deploy dirs placed? Basically I will add mnt_t label for /ostree but we will need to add filenametrans for these subdirs to get correct labeling.

Comment 5 Colin Walters 2014-07-30 15:01:26 UTC
mnt_t would be strange for /ostree.  I think usr_t would be a better match.

Right now these files are generated by Anaconda, which calls into ostree itself to initialize the rootfs.  I think we can take care of just looking up the label for /usr and using that as the context for these files.

Comment 6 Miroslav Grepl 2014-07-30 18:14:32 UTC
Yes I have been thinking also about usr_t. 

Well but you don't want to allow rhsmcertd_t to write generic types like usr_t or mnt_t.

Comment 7 Colin Walters 2014-07-30 18:44:42 UTC
I think we can make /ostree/repo/config etc_t.

(Note in current ostree versions, /etc/ostree/remotes.d exists, and ideally RHSM uses that)

Comment 8 Miroslav Grepl 2014-07-31 06:47:11 UTC
Actually system_conf_t is a label which we want to add for 

/ostree/repo/config
/etc/ostree/remotes.d

Comment 9 Miroslav Grepl 2014-07-31 19:52:45 UTC
I added all changes to rawhide/f21.

Comment 10 Colin Walters 2014-09-11 14:11:58 UTC
If anyone hits this bug, you can work around it by:

systemctl stop rhsmcertd
subscription-manager register ...


Note You need to log in before you can comment on or make changes to this bug.