Bug 1468744 - selinux-policy preventing pesign from accessing necessary items
selinux-policy preventing pesign from accessing necessary items
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.3
All Linux
unspecified Severity medium
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-07 15:43 EDT by Pat Riehecky
Modified: 2018-06-14 14:57 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit log errors (32.34 KB, text/plain)
2017-07-07 15:43 EDT, Pat Riehecky
no flags Details
audit log with pesigh 0.112 (3.21 KB, text/plain)
2017-07-07 17:17 EDT, Pat Riehecky
no flags Details

  None (edit)
Description Pat Riehecky 2017-07-07 15:43:27 EDT
Created attachment 1295398 [details]
audit log errors

Description of problem:
pesign requires the ability to change attributes of files within /tmp as well as access to random devices.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.16
pesign-0.109-10.el7

How reproducible:100%


Steps to Reproduce:
1.Start pesign under selinux enforcing mode
2.attempt to sign a binary
3.review audit log

Actual results:
Sign fails (see attached audit log)

Expected results:
pesign works as expected

Additional info:
Comment 2 Pat Riehecky 2017-07-07 15:47:43 EDT
audit2allow spits out:

allow pesign_t random_device_t:chr_file { open read };
allow pesign_t self:capability dac_override;
allow pesign_t self:netlink_kobject_uevent_socket { bind create };

#!!!! WARNING: 'tmp_t' is a base type.
allow pesign_t tmp_t:dir { add_name create remove_name setattr write };
allow pesign_t tmp_t:file { create open setattr unlink write };
allow pesign_t tmpfs_t:file { read write };

allow pesign_t var_run_t:file { open write };
Comment 3 Pat Riehecky 2017-07-07 17:17 EDT
Created attachment 1295408 [details]
audit log with pesigh 0.112

For forward compatibility it may be wise to add the additional requirement for pesign 0.112.

I've attached an audit log from a system with the newer version.

$ cat new_pesign.log |audit2allow 

#============= pesign_t ==============
allow pesign_t efivarfs_t:filesystem getattr;

allow pesign_t random_device_t:chr_file { open read };
allow pesign_t self:capability dac_override;
allow pesign_t self:netlink_kobject_uevent_socket { bind create };

#!!!! WARNING: 'tmp_t' is a base type.
allow pesign_t tmp_t:dir { add_name create setattr write };
allow pesign_t tmp_t:file { create open setattr write };
allow pesign_t tmpfs_t:file { read write };

Note You need to log in before you can comment on or make changes to this bug.