Bug 1447411 - sssd-kcm should not run as unconfined_service_t
Summary: sssd-kcm should not run as unconfined_service_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1448060
 
Reported: 2017-05-02 16:19 UTC by Lukas Slebodnik
Modified: 2017-06-09 18:58 UTC (History)

Fixed In Version: selinux-policy-3.13.1-254.fc26
Clone Of:
Clones: 1448060
Environment:
Last Closed: 2017-06-09 18:58:38 UTC
Type: Bug
Embargoed:



Description Lukas Slebodnik 2017-05-02 16:19:55 UTC
SELinux is preventing systemd from create access on the unix_stream_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed create access on the Unknown unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ unix_stream_socket ]
Source                        systemd
Source Path                   systemd
Port                          <Unknown>
Host                          vm-058-043.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vm-058-043.example.com
Platform                      Linux vm-058-043.example.com
                              4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24
                              15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-05-02 18:00:30 CEST
Last Seen                     2017-05-02 18:00:30 CEST
Local ID                      5ac9a2c2-e4fb-4ad1-97e6-e46f3aab16cd

Raw Audit Messages
type=AVC msg=audit(1493740830.125:704): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0


Hash: systemd,init_t,unconfined_service_t,unix_stream_socket,create

Comment 1 Lukas Slebodnik 2017-05-02 16:22:17 UTC
How to reproduce:
dnf install --nogpgcheck --enablerepo=rawhide sssd-kcm // will backport to f26 in a few weeks :-)
systemctl enable sssd-secrets.socket sssd-kcm.socket
systemctl start sssd-kcm.socket

AVCs in permissive mode

type=AVC msg=audit(05/02/2017 18:01:25.561:727) : avc:  denied  { create } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(05/02/2017 18:01:25.561:728) : avc:  denied  { setopt } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(05/02/2017 18:01:25.562:729) : avc:  denied  { bind } for  pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1 
----
type=AVC msg=audit(05/02/2017 18:01:25.563:730) : avc:  denied  { listen } for  pid=1 comm=systemd path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1

Comment 2 Lukas Slebodnik 2017-05-02 16:25:58 UTC
There is also an AVC when using sssd-kcm.
sssd-kcm stores KRB5 tickets in sssd-secrets and there is a denial to write there.

Enforcing:
type=AVC msg=audit(05/02/2017 18:13:11.178:894) : avc:  denied  { write } for  pid=3252 comm=sssd_kcm name=secrets.socket dev="tmpfs" ino=49715 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0 

Permissive:
type=AVC msg=audit(05/02/2017 18:15:50.917:932) : avc:  denied  { write } for  pid=3317 comm=sssd_kcm name=secrets.socket dev="tmpfs" ino=49769 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=1

SELinux is preventing sssd_kcm from write access on the sock_file secrets.socket.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sssd_kcm should be allowed write access on the secrets.socket sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd_kcm' --raw | audit2allow -M my-sssdkcm
# semodule -X 300 -i my-sssdkcm.pp


Additional Information:
Source Context                system_u:system_r:sssd_t:s0
Target Context                system_u:object_r:sssd_var_run_t:s0
Target Objects                secrets.socket [ sock_file ]
Source                        sssd_kcm
Source Path                   sssd_kcm
Port                          <Unknown>
Host                          vm-058-043.example.com
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     vm-058-043.example.com
Platform                      Linux vm-058-043.example.com
                              4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24
                              15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   7
First Seen                    2017-05-02 18:06:19 CEST
Last Seen                     2017-05-02 18:13:11 CEST
Local ID                      a2fe4f0e-d1af-4482-8559-6264a8190e6d

Raw Audit Messages
type=AVC msg=audit(1493741591.178:894): avc:  denied  { write } for  pid=3252 comm="sssd_kcm" name="secrets.socket" dev="tmpfs" ino=49715 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0


Hash: sssd_kcm,sssd_t,sssd_var_run_t,sock_file,write
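
As an added example (not code from this bug report, from sssd or from selinux-policy), a small Python parser for the raw AVC records quoted in the description and in comments 1 and 2: it extracts the source and target types, rebuilds the "Hash:" summary line that setroubleshoot prints, and flags denials whose target is unconfined_service_t, which is how a defender would spot a still-unconfined service in the audit log. The sample records are the ones shown above; the function and regex names are my own.

```python
import re
from collections import Counter

# Raw AVC records copied from this bug report (description, comment 1 and comment 2).
SAMPLE_AVCS = """\
type=AVC msg=audit(1493740830.125:704): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(05/02/2017 18:01:25.563:730) : avc:  denied  { listen } for  pid=1 comm=systemd path=/run/.heim_org.h5l.kcm-socket scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1493741591.178:894): avc:  denied  { write } for  pid=3252 comm="sssd_kcm" name="secrets.socket" dev="tmpfs" ino=49715 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:sssd_var_run_t:s0 tclass=sock_file permissive=0
"""

# "avc:  denied  { perm ... } for  key=value ..." (both the raw and the ausearch -i forms)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm', '?'),
        'stype': kv['scontext'].split(':')[2],   # source domain, e.g. init_t
        'ttype': kv['tcontext'].split(':')[2],   # target type, e.g. unconfined_service_t
        'tclass': kv['tclass'],
        'permissive': kv.get('permissive') == '1',
    }
    # The same comma-separated summary that setroubleshoot prints as "Hash:" above.
    rec['hash'] = ','.join([rec['comm'], rec['stype'], rec['ttype'], rec['tclass']] + rec['perms'])
    return rec

def denial_counts(log_text):
    """Count denials per hash, the way setroubleshoot groups repeated alerts."""
    return Counter(r['hash'] for r in map(parse_avc, log_text.splitlines()) if r)

def unconfined_targets(log_text):
    """Denials whose target is unconfined_service_t, i.e. a service the policy never
    confined: the condition this bug's title is about."""
    return [r for r in map(parse_avc, log_text.splitlines())
            if r and r['ttype'] == 'unconfined_service_t']
```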

Comment 4 Fedora Update System 2017-05-15 21:15:14 UTC
selinux-policy-3.13.1-254.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f762b31f8

Comment 5 Fedora Update System 2017-05-16 06:10:21 UTC
selinux-policy-3.13.1-254.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7f762b31f8

Comment 6 Lukas Slebodnik 2017-05-16 11:08:30 UTC
There is a missing transition rule for sockets.

And I do not understand why there is a wrong file context
sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0

sh# rpm -q selinux-policy
selinux-policy-3.13.1-254.fc26.noarch

Comment 7 Lukas Vrabec 2017-05-17 09:57:09 UTC
Lukas,

This commit is missing in the -254.fc26 package:

commit 8fd96cc5dadad1abb10a7a60b62bef887cd8361d
Author: Lukas Vrabec <lvrabec>
Date:   Tue May 16 15:06:26 2017 +0200

    Allow sssd_t domain creating sock files labeled as sssd_var_run_t in /var/run/

It was fixed after the update of -254.fc26. The fix will be part of -255.fc26.

Comment 8 Lukas Slebodnik 2017-05-17 10:48:05 UTC
(In reply to Lukas Vrabec from comment #7)
> Lukas,
> 
> This commit is missing in -254.fc26 package: 
> 
> commit 8fd96cc5dadad1abb10a7a60b62bef887cd8361d
> Author: Lukas Vrabec <lvrabec>
> Date:   Tue May 16 15:06:26 2017 +0200
> 
>     Allow sssd_t domain creating sock files labeled as sssd_var_run_t in
> /var/run/
> 
> It was fixed after update of -254.fc26. Fix will be part of -255.fc26

It is not related to the transition. I built my own rpms with this patch and still have this problem. You can see it in the sesearch output. But it does not explain why matchpathcon says *var_run_t* instead of *sssd_var_run_t*.

sh# rpm -q selinux-policy
selinux-policy-3.13.1-254.fc26.ls.1495009265.noarch

sh# sesearch -T -s sssd_t -t var_run_t
type_transition sssd_t var_run_t:dir sssd_var_run_t;
type_transition sssd_t var_run_t:file sssd_var_run_t;
type_transition sssd_t var_run_t:sock_file sssd_var_run_t;

sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0

Comment 9 Lukas Slebodnik 2017-05-17 11:01:09 UTC
It kind of works with the following diff (removed double dash).
But I have no idea why it works well in el7 with the double dash.

diff --git a/sssd.fc b/sssd.fc
index 47b49ea17..e98b2def3 100644
--- a/sssd.fc
+++ b/sssd.fc
@@ -27,4 +27,4 @@
 
 /var/run/sssd.pid      --      gen_context(system_u:object_r:sssd_var_run_t,s0)
 /var/run/secrets.socket                gen_context(system_u:object_r:sssd_var_run_t,s0)
-/var/run/.heim_org.h5l.kcm-socket      --      gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/.heim_org.h5l.kcm-socket              gen_context(system_u:object_r:sssd_var_run_t,s0)
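Review bot: the `--` column on the removed line restricts the spec to regular files, so an object that exists at /var/run/.heim_org.h5l.kcm-socket as a socket never matches it and falls back to the generic /var/run entry, which is why matchpathcon reports var_run_t in comments 6 and 8; the added line fixes that by matching every file type, which is broader than needed. Suggest `-s` instead, which keeps the spec limited to socket files: `/var/run/\.heim_org\.h5l\.kcm-socket  -s  gen_context(system_u:object_r:sssd_var_run_t,s0)`. Also escape the dots, since the first column is a regular expression (the `semanage fcontext -l` output in comment 10 shows the escaped form).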

sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:sssd_var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:sssd_var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0
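
As an added example (not code from this bug or from the policy tooling), a Python model of how a file_contexts spec is matched against a path, written to show why the `--` entry in the diff above never applies to the socket: the type column limits a spec to one file type (`--` regular file, `-s` socket), and the generic /var/run entry is then the one that wins. The simplified file_contexts text is constructed, the last-match-wins rule is an assumption about libselinux behaviour, and the function names are my own.

```python
import re
import stat

KCM_PATH = '/var/run/.heim_org.h5l.kcm-socket'

# file_contexts type column -> the st_mode file type it restricts a spec to;
# a spec with no type column applies to every kind of object.
SPEC_TYPES = {'--': stat.S_IFREG, '-d': stat.S_IFDIR, '-s': stat.S_IFSOCK,
              '-l': stat.S_IFLNK, '-p': stat.S_IFIFO, '-c': stat.S_IFCHR,
              '-b': stat.S_IFBLK}

# Constructed, simplified file_contexts: the generic /var/run entry from the base
# policy, then the sssd-kcm socket entry in three variants (as in the diff, as a
# socket-only spec, and with the type column dropped).
FC_BASE = r'/var/run(/.*)?  gen_context(system_u:object_r:var_run_t,s0)' + '\n'
FC_REGULAR_ONLY = FC_BASE + r'/var/run/\.heim_org\.h5l\.kcm-socket  --  gen_context(system_u:object_r:sssd_var_run_t,s0)'
FC_SOCKET_ONLY = FC_REGULAR_ONLY.replace('  --  ', '  -s  ')
FC_ANY_TYPE = FC_REGULAR_ONLY.replace('  --  ', '  ')

def parse_fc(text):
    """Parse 'regex [type] context' lines into (compiled regex, type bits or None, context)."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        regex, ftype, ctx = parts if len(parts) == 3 else (parts[0], None, parts[1])
        # Reduce the policy-source gen_context(ctx,mls) form to the plain context
        # string that matchpathcon prints.
        m = re.match(r'gen_context\(([^,]+),\s*(\w+)\)', ctx)
        if m:
            ctx = m.group(1) + ':' + m.group(2)
        specs.append((re.compile(regex), SPEC_TYPES.get(ftype), ctx))
    return specs

def match_context(specs, path, mode):
    """Resolve the label matchpathcon would print for an object with this st_mode.
    Assumption: the last matching spec wins, and a spec carrying a type column is
    skipped when the object's file type differs (regexes are anchored at both ends)."""
    for regex, spec_type, ctx in reversed(specs):
        if regex.fullmatch(path) and (spec_type is None or spec_type == stat.S_IFMT(mode)):
            return ctx
    return None

def kcm_label(fc_text, as_socket=True):
    """Label for the kcm socket path under fc_text, looked up as a socket or a regular file."""
    mode = stat.S_IFSOCK if as_socket else stat.S_IFREG
    return match_context(parse_fc(fc_text), KCM_PATH, mode)
```

With the `--` variant the socket resolves to var_run_t, matching the matchpathcon output in comments 6 and 8; with `-s` or no type column it resolves to sssd_var_run_t.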

Comment 10 Lukas Slebodnik 2017-05-17 14:55:12 UTC
Previous issue seems to be fixed by patch https://github.com/fedora-selinux/selinux-policy-contrib/pull/12


But there is still a wrong context after starting the socket with systemctl.

sh# systemctl stop sssd-kcm.{socket,service}
sh# rm -f /var/run/.heim_org.h5l.kcm-socket

sh# systemctl start sssd-kcm
sh# ls -lZ /var/run/.heim_org.h5l.kcm-socket
srw-rw-rw-. 1 root root system_u:object_r:sssd_var_run_t:s0 0 May 17 16:50 /var/run/.heim_org.h5l.kcm-socket

sh# systemctl stop sssd-kcm.{socket,service}
sh# rm -f /var/run/.heim_org.h5l.kcm-socket
sh# systemctl start sssd-kcm.socket

sh# ls -lZ /var/run/.heim_org.h5l.kcm-socket
srw-rw-rw-. 1 root root system_u:object_r:var_run_t:s0 0 May 17 16:50 /var/run/.heim_org.h5l.kcm-socket


sh# matchpathcon /var/run/.heim_org.h5l.kcm-socket /run/.heim_org.h5l.kcm-socket /usr/libexec/sssd/sssd_kcm 
/var/run/.heim_org.h5l.kcm-socket       system_u:object_r:sssd_var_run_t:s0
/run/.heim_org.h5l.kcm-socket   system_u:object_r:sssd_var_run_t:s0
/usr/libexec/sssd/sssd_kcm      system_u:object_r:sssd_exec_t:s0

sh# semanage fcontext -l | grep heim_org
/var/run/\.heim_org\.h5l\.kcm-socket               socket             system_u:object_r:sssd_var_run_t:s0

Comment 11 Fedora Update System 2017-06-09 18:58:38 UTC
selinux-policy-3.13.1-254.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

