Bug 1468744 - selinux-policy preventing pesign from accessing necessary items
Summary: selinux-policy preventing pesign from accessing necessary items
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-07-07 19:43 UTC by Pat Riehecky
Modified: 2018-10-30 10:02 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.13.1-223.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:00:43 UTC
Target Upstream Version:


Attachments (Terms of Use)
audit log errors (32.34 KB, text/plain)
2017-07-07 19:43 UTC, Pat Riehecky
no flags Details
audit log with pesigh 0.112 (3.21 KB, text/plain)
2017-07-07 21:17 UTC, Pat Riehecky
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:02:09 UTC

Description Pat Riehecky 2017-07-07 19:43:27 UTC
Created attachment 1295398 [details]
audit log errors

Description of problem:
pesign requires the ability to change attributes of files within /tmp as well as access to random devices.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.16
pesign-0.109-10.el7

How reproducible:100%


Steps to Reproduce:
1.Start pesign under selinux enforcing mode
2.attempt to sign a binary
3.review audit log

Actual results:
Sign fails (see attached audit log)

Expected results:
pesign works as expected

Additional info:

Comment 2 Pat Riehecky 2017-07-07 19:47:43 UTC
audit2allow spits out:

allow pesign_t random_device_t:chr_file { open read };
allow pesign_t self:capability dac_override;
allow pesign_t self:netlink_kobject_uevent_socket { bind create };

#!!!! WARNING: 'tmp_t' is a base type.
allow pesign_t tmp_t:dir { add_name create remove_name setattr write };
allow pesign_t tmp_t:file { create open setattr unlink write };
allow pesign_t tmpfs_t:file { read write };

allow pesign_t var_run_t:file { open write };

Comment 3 Pat Riehecky 2017-07-07 21:17:55 UTC
Created attachment 1295408 [details]
audit log with pesigh 0.112

For forward compatibility it may be wise to add the additional requirement for pesign 0.112.

I've attached an audit log from a system with the newer version.

$ cat new_pesign.log |audit2allow 

#============= pesign_t ==============
allow pesign_t efivarfs_t:filesystem getattr;

allow pesign_t random_device_t:chr_file { open read };
allow pesign_t self:capability dac_override;
allow pesign_t self:netlink_kobject_uevent_socket { bind create };

#!!!! WARNING: 'tmp_t' is a base type.
allow pesign_t tmp_t:dir { add_name create setattr write };
allow pesign_t tmp_t:file { create open setattr write };
allow pesign_t tmpfs_t:file { read write };

Comment 10 errata-xmlrpc 2018-10-30 10:00:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111


Note You need to log in before you can comment on or make changes to this bug.