We currently run as unconfined. But we should tighten this way down.
The following AVCs are seen when enabling Tang and when connecting to it from a Clevis client:

type=AVC msg=audit(1509613727.798:1348): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.798:1349): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.799:1350): avc: denied { listen } for pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.322:1618): avc: denied { accept } for pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.322:1619): avc: denied { getattr } for pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.154 fport=39176 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1509618433.324:1620): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.154:39176 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509618433.371:1621): avc: denied { ioctl } for pid=7196 comm="(tangd)" path="socket:[5165584]" dev="sockfs" ino=5165584 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_STOP msg=audit(1509618433.452:1622): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.154:39176 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1509618539.334:1623): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.153:35544 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1509618539.387:1624): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.153:35544 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509619793.194:1625): avc: denied { accept } for pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509619793.195:1626): avc: denied { getattr } for pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.153 fport=58904 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1509619793.198:1627): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.153:58904 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509619793.243:1628): avc: denied { ioctl } for pid=7681 comm="(tangd)" path="socket:[5197563]" dev="sockfs" ino=5197563 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_STOP msg=audit(1509619793.250:1629): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.153:58904 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

They end up requiring a policy that defines:

#============= init_t ==============
allow init_t unconfined_service_t:tcp_socket { accept getattr ioctl };
allow init_t unconfined_service_t:tcp_socket { bind create listen setopt };

We need to define a new context, label tang executables with it, and also add SELinuxContext= to the systemd socket definitions. We also need to define a file system context for tang databases.
Hi, I created a scratch build with an initial tang policy: https://koji.fedoraproject.org/koji/taskinfo?taskID=22971675

Please install these packages and try some scenarios with tang and collect AVCs, then please provide the output of:

# ausearch -m AVC,USER_AVC -ts today

Thanks, Lukas.
I tried with the f26 build that Lukas kindly provided to me: https://koji.fedoraproject.org/koji/taskinfo?taskID=22972521

Below is the list of generated AVCs:

----
time->Tue Nov 7 16:18:40 2017
type=AVC msg=audit(1510064320.135:3725): avc: denied { accept } for pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
time->Tue Nov 7 16:18:40 2017
type=AVC msg=audit(1510064320.135:3726): avc: denied { getattr } for pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.153 fport=49366 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
time->Tue Nov 7 16:18:40 2017
type=AVC msg=audit(1510064320.400:3728): avc: denied { ioctl } for pid=17908 comm="(tangd)" path="socket:[11879014]" dev="sockfs" ino=11879014 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
This bug appears to have been reported against 'rawhide' during the Fedora 28 development cycle. Changing version to '28'.
On the latest Fedora 28 we get similar messages during the Cockpit integration tests, where `clevis decrypt` now fails:

AVC avc: denied { search } for pid=1728 comm="tangd-update" name="sss" dev="dm-0" ino=12797776 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
AVC avc: denied { search } for pid=1728 comm="tangd-update" name="mc" dev="dm-0" ino=12797777 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
AVC avc: denied { read } for pid=1728 comm="tangd-update" name="passwd" dev="dm-0" ino=12704957 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
AVC avc: denied { open } for pid=1728 comm="tangd-update" path="/var/lib/sss/mc/passwd" dev="dm-0" ino=12704957 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1

Note that our previous image built on April 26 still worked, so this regression got introduced in the last two weeks. Now `clevis decrypt` fails.
selinux-policy-3.14.1-25.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d19ffdb4ba
selinux-policy-3.14.1-25.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d19ffdb4ba
selinux-policy-3.14.1-25.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
I've built an image with selinux-policy-3.14.1-25.fc28, and tang still fails with:

type=1400 audit(1527146050.725:316): avc: denied { read } for pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146050.810:318): avc: denied { getattr } for pid=2140 comm="tangd" path="socket:[34752]" dev="sockfs" ino=34752 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:system_r:tangd_t:s0 tclass=tcp_socket permissive=1
type=1400 audit(1527146060.524:324): avc: denied { read } for pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146066.227:338): avc: denied { read } for pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146066.538:341): avc: denied { read } for pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0

I.e. it's exactly the same bug still. Should this report be reopened, or do you want a new one?
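Two steps in this thread are done by hand: the first comment turns a batch of AVC records into the `allow init_t unconfined_service_t:tcp_socket { ... }` rules a policy would need, and the comment above has to tell the denials that actually blocked something (`permissive=0`, enforcing) from the ones merely logged in permissive mode (`permissive=1`). The script below is an added example, not code from this report or from the selinux-policy or tang projects; it does the same aggregation audit2allow performs (group denials by source type, target type and object class, union the permissions) and separates enforced denials. Its input is the records quoted in this thread, copied inline; the type names init_t, unconfined_service_t, tangd_t and tangd_db_t are the report's own. Note that the rule it emits for init_t on tangd_db_t is only the mechanical result; as the first comment says, the intended fix was a dedicated domain, executable label and SELinuxContext= on the socket unit, not blanket allow rules.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Audit records copied from the AVC output quoted in this report.
# Both the auditd ("type=AVC msg=audit(...)") and the kernel/dmesg
# ("type=1400 audit(...)") forms appear; non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1509613727.798:1348): avc: denied { setopt } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.798:1349): avc: denied { bind } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509613727.799:1350): avc: denied { listen } for pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.322:1618): avc: denied { accept } for pid=1 comm="systemd" lport=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1509618433.322:1619): avc: denied { getattr } for pid=1 comm="systemd" laddr=::ffff:192.168.100.1 lport=80 faddr=::ffff:192.168.100.154 fport=39176 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1509618433.324:1620): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tangd.100.1:80-192.168.100.154:39176 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1509618433.371:1621): avc: denied { ioctl } for pid=7196 comm="(tangd)" path="socket:[5165584]" dev="sockfs" ino=5165584 ioctlcmd=0x5401 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
type=1400 audit(1527146050.725:316): avc: denied { read } for pid=1 comm="systemd" name="tang" dev="dm-0" ino=13574196 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tangd_db_t:s0 tclass=dir permissive=0
type=1400 audit(1527146050.810:318): avc: denied { getattr } for pid=2140 comm="tangd" path="socket:[34752]" dev="sockfs" ino=34752 scontext=system_u:system_r:tangd_t:s0 tcontext=system_u:system_r:tangd_t:s0 tclass=tcp_socket permissive=1
"""

# One AVC denial per line: the permission set in braces, then the
# scontext/tcontext/tclass triple, then an optional permissive flag.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


class Denial(NamedTuple):
    source: str            # SELinux type of the subject (e.g. init_t)
    target: str            # SELinux type of the object (e.g. tangd_db_t)
    tclass: str            # object class (tcp_socket, dir, file, ...)
    perms: frozenset       # permissions that were denied
    permissive: Optional[int]  # 0 = access was actually blocked, 1 = only logged


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text: str):
    """Extract every AVC denial from audit/dmesg output; other records are ignored."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SERVICE_START, SERVICE_STOP, etc.
        perm = m.group("permissive")
        denials.append(Denial(
            selinux_type(m.group("scontext")),
            selinux_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
            int(perm) if perm is not None else None,
        ))
    return denials


def allow_rules(log_text: str):
    """Collapse denials into 'allow src tgt:class { perms };' rules, as audit2allow does."""
    grouped = defaultdict(set)
    for d in parse_denials(log_text):
        grouped[(d.source, d.target, d.tclass)].update(d.perms)
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def enforced_denials(log_text: str):
    """Only the denials recorded with permissive=0, i.e. the ones that broke something."""
    return [d for d in parse_denials(log_text) if d.permissive == 0]


if __name__ == "__main__":
    import sys
    # Feed real data with: ausearch -m AVC,USER_AVC -ts today | python3 avc_rules.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    print("\n".join(allow_rules(text)))
    for d in enforced_denials(text):
        print(f"ENFORCED: {d.source} -> {d.target}:{d.tclass} {sorted(d.perms)}")
```

Run on the records above it prints the combined `allow init_t unconfined_service_t:tcp_socket { accept bind getattr ioctl listen setopt };` (the two rules in the first comment, merged) plus one rule each for tangd_t on its own socket and for init_t on tangd_db_t, and flags only the tangd_db_t directory read as enforced, which matches the report that the -25 policy still fails in enforcing mode while the socket getattr is permissive-only noise.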
selinux-policy-3.14.1-29.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a74875b364
selinux-policy-3.14.1-29.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.