Bug 1323732 - Selinux prevents snapper timer services
Summary: Selinux prevents snapper timer services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-04 14:27 UTC by Ondrej Kozina
Modified: 2016-05-07 11:43 UTC (History)
CC: 3 users

Fixed In Version: selinux-policy-3.13.1-185.fc24
Clone Of:
Environment:
Last Closed: 2016-05-07 11:43:47 UTC
Type: Bug
Embargoed:



Description Ondrej Kozina 2016-04-04 14:27:31 UTC
Description of problem:

Snapper is not allowed to perform some actions:

Snapper timer services (crond replacement in systemd) are not allowed to communicate with snapperd daemon.

In enforcing mode I see this message in a timer service log:
systemd-helper[2994]: Failure (org.freedesktop.DBus.Error.AccessDenied).

this can be seen in audit.log

type=USER_AVC msg=audit(1459779311.778:484): pid=3020 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=ListConfigs dest=org.opensuse.Snapper spid=3128 tpid=3130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

I guess it's caused by timer services executing /usr/lib/snapper/systemd-helper,
which results in the processes being in the init_t domain?

Version-Release number of selected component (if applicable):
snapper-0.2.8-2.fc24.x86_64
selinux-policy-targeted-3.13.1-180.fc25.noarch
kernel-4.6.0-0.rc1.git0.1.fc25.x86_64

How reproducible:
always

Steps to Reproduce:
Enable and/or manually start snapper-timeline service while snapper is configured to snapshot some mounted volume

Comment 1 Ondrej Kozina 2016-04-04 15:31:40 UTC
Also snapperd seems to be restricted from performing a few ioctl calls, but I will need help on how to debug it properly. The only lines I see in audit.log with regard to blocked ioctls are:

type=AVC msg=audit(1459782391.281:764): avc:  denied  { sys_admin } for  pid=3573 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

and the ioctl syscall returns 'Operation not permitted'

snapperd seems to be unable to lower the priority of background threads:
type=AVC msg=audit(1459782360.278:758): avc:  denied  { setsched } for  pid=3560 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0

Let me know if you want me to create a separate bug for it...

Comment 2 Lukas Vrabec 2016-04-12 12:13:31 UTC
Hello Ondrej, 

I fixed your first issue with this change:
 # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Could you test it also, so we can add the snapperd_exec_t file context for /usr/lib/snapper/systemd-helper?

Do you have a reproducer for the AVCs in comment 1?

Thank you.

Comment 3 Ondrej Kozina 2016-04-12 14:12:45 UTC
(In reply to Lukas Vrabec from comment #2)
> Hello Ondrej, 
> 
> I fixed your first issue with this change:
>  # chcon -t snapperd_exec_t /usr/lib/snapper/systemd-helper

Yup, that fixed it for me. Thanks!

With regard to others:

1) ioctls issued by snapperd while performing actions on the btrfs backend:

(optional: if you want to see snapperd debug messages edit /usr/share/dbus-1/system-services/org.opensuse.Snapper.service and add "-d" option to Exec= value)

1) create and mount btrfs on /mnt/btrfs
2) create snapper config: snapper -c btrfs create-config /mnt/btrfs
3) now perform restorecon -R /mnt/btrfs (selinux support is not yet merged in snapper)
4) invoke background comparison in snapper daemon by: snapper -c btrfs create -t pre-post --command "touch /mnt/btrfs/some_file"

It'll generate denied ioctl on /mnt/btrfs directory (subvolume).

2) Also, it'll cause a denied setpriority() for a snapperd thread with param prio = 20 (which is a general issue for any snapper backend, not only btrfs)

(obviously the 2nd denial is not such a big deal)

Comment 4 Ondrej Kozina 2016-04-12 14:15:33 UTC
"ausearch -m avc,user_avc -ts recent" output for the reproducer above:

type=AVC msg=audit(1460409569.810:14537): avc:  denied  { rlimitinh } for  pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.813:14538): avc:  denied  { siginh } for  pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.813:14539): avc:  denied  { noatsecure } for  pid=7137 comm="snapperd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.952:14540): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[208448]" dev="sockfs" ino=208448 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Mon Apr 11 23:19:29 2016
type=AVC msg=audit(1460409569.952:14541): avc:  denied  { read write } for  pid=1 comm="systemd" path="socket:[208450]" dev="sockfs" ino=208450 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14542): avc:  denied  { setsched } for  pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14543): avc:  denied  { setsched } for  pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Mon Apr 11 23:19:30 2016
type=AVC msg=audit(1460409570.150:14544): avc:  denied  { sys_admin } for  pid=7140 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Comment 5 Lukas Vrabec 2016-04-22 12:26:55 UTC
OK, I pushed fixes labeling /usr/lib/snapper/systemd-helper.

commit cdd71e4d94be7e60bbeedfb65e8e6150f866ce38
Author: Lukas Vrabec <lvrabec>
Date:   Fri Apr 22 14:26:00 2016 +0200

    Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732

Comment 6 Lukas Vrabec 2016-04-22 12:34:09 UTC
Could you reproduce your issue with the following test policy?

$ cat snapperd_test.te 

policy_module(snapperd_test, 1.0)

require {
	type snapperd_t;
	class process setsched;
	class capability sys_admin;
}

#============= snapperd_t ==============
allow snapperd_t self:capability sys_admin;
allow snapperd_t self:process setsched;


$ make -f /usr/share/selinux/devel/Makefile snapperd_test.pp
# semodule -i snapperd_test.pp

Thank you.
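To show where the two different fixes in this thread come from, here is an added example (my own code, not snapper's, not selinux-policy's, and not from this bug report) that parses the AVC records quoted above, drafts the same allow rules as the snapperd_test.te module in this comment, and sets the first denial aside: its source domain is init_t, which means the helper never transitioned into snapperd_t, so the right fix there is the snapperd_exec_t label from comment 2, not an allow rule. The sample records are copied from the denials quoted in this bug; the "source domain in init_t/unconfined_t/kernel_t means a labeling problem" check is a heuristic of my own, and the emitted module uses the policy_module/require/allow layout of snapperd_test.te (the capability=21 in the sys_admin record is CAP_SYS_ADMIN).

```python
"""Draft an SELinux policy module from AVC denials, audit2allow-style.

Added example for bug 1323732, not code from snapper or selinux-policy.
One extra check compared with plain audit2allow: a denial whose source
domain is init_t (or another unconfined-like domain) is reported as a
labeling/transition problem instead of being turned into an allow rule.
"""
import re
from collections import defaultdict

# Constructed sample: records copied from the denials quoted in this bug.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1459779311.778:484): pid=3020 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.opensuse.Snapper member=ListConfigs dest=org.opensuse.Snapper spid=3128 tpid=3130 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1460409570.150:14542): avc:  denied  { setsched } for  pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1460409570.150:14543): avc:  denied  { setsched } for  pid=7140 comm="snapperd" scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1460409570.150:14544): avc:  denied  { sys_admin } for  pid=7140 comm="snapperd" capability=21  scontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:snapperd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

# Works for both kernel AVC records and USER_AVC records from dbus-daemon,
# since both carry "avc: denied { perms } ... scontext= tcontext= tclass=".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic (my assumption): a denial sourced from one of these domains means
# the process never entered its own confined domain, i.e. a missing
# file context / domain transition rather than a missing allow rule.
UNCONFINED_LIKE = {"init_t", "unconfined_t", "kernel_t"}


def domain_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse every AVC/USER_AVC denial in text into a list of dicts."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": tuple(sorted(m["perms"].split())),
            "stype": domain_type(m["scontext"]),
            "ttype": domain_type(m["tcontext"]),
            "tclass": m["tclass"],
        })
    return denials


def classify(denials):
    """Split denials into (rules to draft, denials that signal a labeling problem).

    Duplicate records (the two setsched lines) collapse into one rule because
    rules is a set keyed on (source type, target, class, perms).
    """
    rules = set()
    labeling = []
    for d in denials:
        if d["stype"] in UNCONFINED_LIKE:
            labeling.append(d)
            continue
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        rules.add((d["stype"], target, d["tclass"], d["perms"]))
    return rules, labeling


def render_te(module, rules):
    """Emit a .te module in the same shape as the snapperd_test.te above."""
    types = set()
    classes = defaultdict(set)
    for stype, target, tclass, perms in rules:
        types.add(stype)
        if target != "self":
            types.add(target)
        classes[tclass].update(perms)
    lines = [f"policy_module({module}, 1.0)", "", "require {"]
    for t in sorted(types):
        lines.append(f"\ttype {t};")
    for c in sorted(classes):
        lines.append(f"\tclass {c} {{ {' '.join(sorted(classes[c]))} }};")
    lines += ["}", ""]
    for stype, target, tclass, perms in sorted(rules):
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(perms)} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules, labeling = classify(parse_avcs(SAMPLE_AUDIT))
    for d in labeling:
        print(f"# labeling problem, do not allow: {d['stype']} -> {d['ttype']} "
              f"{d['tclass']} {{ {' '.join(d['perms'])} }}; fix the file context "
              f"of the executable instead")
    print(render_te("snapperd_test", rules))
```

Running it prints one "labeling problem" line for the dbus send_msg denial and a module identical in effect to the snapperd_test.te in this comment, which can then be built and loaded with the same `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` steps. For the labeling side, note that the `chcon` in comment 2 only lasts until the file is relabeled; outside a policy that ships the context (as the commit in comment 5 does), the persistent form is `semanage fcontext -a -t snapperd_exec_t /usr/lib/snapper/systemd-helper` followed by `restorecon -v /usr/lib/snapper/systemd-helper`, after which `ps -eZ | grep snapper` should show the helper's children in snapperd_t rather than init_t.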

Comment 7 Ondrej Kozina 2016-04-28 14:45:12 UTC
Yup, works for me. Both errors are gone, thanks!

Comment 8 Fedora Update System 2016-05-02 10:53:14 UTC
selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e163032315

Comment 9 Fedora Update System 2016-05-07 11:43:38 UTC
selinux-policy-3.13.1-184.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

