Bug 1509054 - Tang needs a policy
Summary: Tang needs a policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-02 19:58 UTC by Nathaniel McCallum
Modified: 2018-05-26 20:43 UTC (History)

Fixed In Version: selinux-policy-3.14.1-25.fc28 selinux-policy-3.14.1-29.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-26 20:43:58 UTC
Type: Bug



Description Nathaniel McCallum 2017-11-02 19:58:34 UTC
We currently run as unconfined. But we should tighten this way down.

Comment 1 Alexander Bokovoy 2017-11-02 20:16:07 UTC
Following AVCs are seen when enabling Tang and when connecting to it from a Clevis client:

type=AVC msg=audit(1509613727.798:1348): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.798:1349): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.799:1350): avc:  denied  { listen } for  pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.322:1618): avc:  denied  { accept } for  pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.322:1619): avc:  denied  { getattr } for  pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.154 fport=39176 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1509618433.324:1620): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@0-192.168.100.1:80-192.168.100.154:39176 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509618433.371:1621): avc:  denied  { ioctl } for  pid=7196 comm="(tangd)" path="socket:[5165584]" dev="sockfs" ino=5165584 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_STOP msg=audit(1509618433.452:1622): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@0-192.168.100.1:80-192.168.100.154:39176 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1509618539.334:1623): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@1-192.168.100.1:80-192.168.100.153:35544 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1509618539.387:1624): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@1-192.168.100.1:80-192.168.100.153:35544 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509619793.194:1625): avc:  denied  { accept } for  pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509619793.195:1626): avc:  denied  { getattr } for  pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.153 fport=58904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1509619793.198:1627): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@2-192.168.100.1:80-192.168.100.153:58904 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509619793.243:1628): avc:  denied  { ioctl } for  pid=7681 comm="(tangd)" path="socket:[5197563]" dev="sockfs" ino=5197563 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_STOP msg=audit(1509619793.250:1629): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd@2-192.168.100.1:80-192.168.100.153:58904 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

They end up requiring a policy that defines

#============= init_t ==============
allow init_t unconfined_service_t:tcp_socket { accept getattr ioctl };
allow init_t unconfined_service_t:tcp_socket { bind create listen setopt };

We need to define a new context, label tang executables with it, and also add SELinuxContext= to the systemd socket definitions. We also need to define file system context for tang databases.

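The derivation in this comment (AVC denials aggregated into allow rules, and the observation that denials against unconfined_service_t mean the service needs its own domain rather than more allow rules) as an added Python example; it is not part of this bug report nor of the tang or selinux-policy packages. The sample records are constructed after the ones quoted in this thread, and the parser is a simplified stand-in for audit2allow, not its implementation.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the AVC records quoted in this report.
SAMPLE_LOG = """\
type=AVC msg=audit(1509613727.798:1348): avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.798:1349): avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.799:1350): avc:  denied  { listen } for  pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.371:1621): avc:  denied  { ioctl } for  pid=7196 comm="(tangd)" path="socket:[5165584]" dev="sockfs" ino=5165584 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
AVC avc:  denied  { read } for  pid=1728 comm="tangd-update" name="passwd" dev="dm-0" ino=12704957 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=1400 audit(1527146050.725:316): avc:  denied  { read } for  pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}(?:.*?comm="(?P<comm>[^"]*)")?'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
    r'(?:\s+permissive=(?P<perm>[01]))?')

def parse_avc(line):
    """Return the fields an allow rule needs, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm") or "?",
        "source": m.group("src").split(":")[2],  # type field of user:role:type:level
        "target": m.group("tgt").split(":")[2],
        "tclass": m.group("cls"),
        "permissive": m.group("perm") == "1",
    }

def derive_allow_rules(lines):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def unconfined_targets(lines):
    """Commands denied against an unconfined domain: the process has no domain of
    its own, so the right fix is a dedicated type (tangd_t), not an allow rule."""
    return sorted({rec["comm"] for rec in filter(None, map(parse_avc, lines))
                   if rec["target"].startswith("unconfined")})

def enforced_denials(lines):
    """Denials logged with permissive=0 were actually blocked, not just audited."""
    return [rec for rec in filter(None, map(parse_avc, lines)) if not rec["permissive"]]
```

Rules that name unconfined_service_t on either side are a labelling bug to fix with a new type and file contexts, exactly as the comment above says, and should never be pasted into a policy module.
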
Comment 2 Lukas Vrabec 2017-11-07 11:15:48 UTC
Hi, 

I created scratch build with initial tang policy: 

https://koji.fedoraproject.org/koji/taskinfo?taskID=22971675

Please install these packages and try some scenarios with tang and collect AVCs, 
then please provide output of: 

# ausearch -m AVC,USER_AVC -ts today 


Thanks,
Lukas.

Comment 3 Alexander Bokovoy 2017-11-07 14:21:03 UTC
I tried with the f26 build that Lukas kindly provided to me: https://koji.fedoraproject.org/koji/taskinfo?taskID=22972521

Below is the list of generated AVCs:
----
time->Tue Nov  7 16:18:40 2017
type=AVC msg=audit(1510064320.135:3725): avc:  denied  { accept } for  pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
time->Tue Nov  7 16:18:40 2017
type=AVC msg=audit(1510064320.135:3726): avc:  denied  { getattr } for  pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.153 fport=49366 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
time->Tue Nov  7 16:18:40 2017
type=AVC msg=audit(1510064320.400:3728): avc:  denied  { ioctl } for  pid=17908 comm="(tangd)" path="socket:[11879014]" dev="sockfs" ino=11879014 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1

Comment 4 Fedora End Of Life 2018-02-20 15:27:33 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle.
Changing version to '28'.

Comment 5 Martin Pitt 2018-05-15 08:15:39 UTC
On the latest Fedora 28 we get similar messages during the Cockpit integration tests, where `clevis decrypt` now fails:

AVC avc:  denied  { search } for  pid=1728 comm="tangd-update" name="sss" dev="dm-0" ino=12797776 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
AVC avc:  denied  { search } for  pid=1728 comm="tangd-update" name="mc" dev="dm-0" ino=12797777 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
AVC avc:  denied  { read } for  pid=1728 comm="tangd-update" name="passwd" dev="dm-0" ino=12704957 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
AVC avc:  denied  { open } for  pid=1728 comm="tangd-update" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=12704957 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1

Note that our previous image built on April 26 still worked, so this regression got introduced in the last two weeks. Now `clevis decrypt` fails.

Comment 6 Fedora Update System 2018-05-21 09:56:13 UTC
selinux-policy-3.14.1-25.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d19ffdb4ba

Comment 7 Fedora Update System 2018-05-21 17:15:35 UTC
selinux-policy-3.14.1-25.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d19ffdb4ba

Comment 8 Fedora Update System 2018-05-23 15:40:21 UTC
selinux-policy-3.14.1-25.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Martin Pitt 2018-05-24 07:29:44 UTC
I've built an image with selinux-policy-3.14.1-25.fc28, and tang still fails with

type=1400 audit(1527146050.725:316): avc:  denied  { read } for  pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146050.810:318): avc:  denied  { getattr } for  pid=2140 comm="tangd" path="socket:[34752]" dev="sockfs" ino=34752 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:system_r:tangd_t:s0 tclass=tcp_socket permissive=1
type=1400 audit(1527146060.524:324): avc:  denied  { read } for  pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146066.227:338): avc:  denied  { read } for  pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146066.538:341): avc:  denied  { read } for  pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0

I.e. it's exactly the same bug still. Should this report be reopened, or do you want a new one?

Comment 10 Fedora Update System 2018-05-24 14:35:14 UTC
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 11 Fedora Update System 2018-05-25 18:42:08 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364

Comment 12 Fedora Update System 2018-05-26 20:43:58 UTC
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
