Description of problem:
After installing cjdns and cjdns-selinux, I tried to start cjdns with systemctl start cjdns.

SELinux is preventing cjdroute from 'map' accesses on the file /usr/sbin/cjdroute.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that cjdroute should be allowed map access on the cjdroute file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c "cjdroute" --raw | audit2allow -M my-cjdroute
# semodule -X 300 -i my-cjdroute.pp

Additional Information:
Source Context                system_u:system_r:cjdns_t:s0
Target Context                system_u:object_r:cjdns_exec_t:s0
Target Objects                /usr/sbin/cjdroute [ file ]
Source                        cjdroute
Source Path                   cjdroute
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           cjdns-19.1-4.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.15.6-300.fc27.x86_64 #1 SMP Mon Feb 26 18:43:03 UTC 2018 x86_64 x86_64
Alert Count                   6
First Seen                    2018-03-04 05:20:51 CET
Last Seen                     2018-03-04 05:22:26 CET
Local ID                      fc70890f-631f-471f-993f-7dfe5c837a86

Raw Audit Messages
type=AVC msg=audit(1520137346.920:336): avc: denied { map } for pid=23233 comm="cjdroute" path="/usr/sbin/cjdroute" dev="dm-1" ino=526285 scontext=system_u:system_r:cjdns_t:s0 tcontext=system_u:object_r:cjdns_exec_t:s0 tclass=file permissive=0

Hash: cjdroute,cjdns_t,cjdns_exec_t,file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.26.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.15.6-300.fc27.x86_64
type:           libreport
After loading the audit2allow policy:

#============= cjdns_t ==============
allow cjdns_t cjdns_exec_t:file map;

I was able to start cjdns properly. The policy file /usr/share/doc/cjdns-selinux/cjdns.te should probably be modified to allow this map.
And yet, it still runs despite getting the map error for me. Which makes me suspicious whether the map call is actually necessary. Does cjdns actually refuse to run for you? I kind of wanted to track down where this map call is done. Why is it done on the executable? Is it actually needed to run the program? cjdroute is not supposed to use any files. It immediately does a chroot to /var/empty/cjdns, and forks a non-root process to do the protocol work (root only does net-route things). But apparently, this map privilege was recently added - so it could be a legit part of an exec() call. Can you shed any light?
bug#1471320 is about cjdroute trying to access /var/lib/sss/mc - which again is not actually needed. If your cjdroute is actually starting despite the map access report, I should silence the report while still blocking the access.
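The two suggestions in this thread, an allow rule for the map access and a dontaudit rule that keeps the /var/lib/sss/mc access blocked but silences the report, are both ordinary outputs of the `ausearch --raw | audit2allow -M` step from the first comment. The following is an added example, not code from the bug report, from setroubleshoot or from the cjdns project: a small Python re-implementation of that derivation, so it is visible how the raw AVC record in the report becomes `allow cjdns_t cjdns_exec_t:file map;`, how several denials for one (source type, target type, class) are merged, and how a target type can be routed to `dontaudit` instead. The sample log is constructed: the first record is the AVC quoted in the report, the /var/lib/sss/mc records are made up for illustration and their target type `sssd_var_lib_t` is assumed, and the SYSCALL line is there only to show non-AVC records being skipped. The parser also surfaces the `permissive` field, which is the first thing to check when a program "still runs despite the denial": permissive=0 means the kernel really refused the access, permissive=1 means it was logged but allowed.

```python
"""Derive local-policy rules from raw SELinux AVC records.

Added example, not code from this bug report or from the cjdns project: a
small re-implementation of the step `ausearch --raw | audit2allow -M` performs.
"""
import re
from collections import defaultdict

# Constructed sample log. The first record is the AVC quoted in the report;
# the two /var/lib/sss/mc records are made up for illustration (the target
# type sssd_var_lib_t is assumed, not taken from the report), and the last
# line is a non-AVC record that a parser must skip.
SAMPLE_LOG = [
    'type=AVC msg=audit(1520137346.920:336): avc:  denied  { map } for  pid=23233 '
    'comm="cjdroute" path="/usr/sbin/cjdroute" dev="dm-1" ino=526285 '
    'scontext=system_u:system_r:cjdns_t:s0 tcontext=system_u:object_r:cjdns_exec_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1520137347.001:337): avc:  denied  { read } for  pid=23233 '
    'comm="cjdroute" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=1 '
    'scontext=system_u:system_r:cjdns_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1520137347.002:338): avc:  denied  { open } for  pid=23233 '
    'comm="cjdroute" path="/var/lib/sss/mc/passwd" dev="dm-1" ino=1 '
    'scontext=system_u:system_r:cjdns_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 '
    'tclass=file permissive=0',
    'type=SYSCALL msg=audit(1520137346.920:336): arch=c000003e syscall=9 success=no exit=-13',
]

AVC_RE = re.compile(
    r'\bavc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        return {
            'verdict': m.group('verdict'),
            'perms': sorted(m.group('perms').split()),
            # a context is user:role:type[:level]; rules name only the type
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            # permissive=1: logged but allowed (permissive mode or domain);
            # permissive=0: the access was really refused
            'permissive': fields.get('permissive') == '1',
            'comm': fields.get('comm'),
            'path': fields.get('path'),
        }
    except (KeyError, IndexError):
        return None


def _perm_set(perms):
    """Policy syntax: a single permission bare, several in braces."""
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)


def rules_from_log(lines, silence=()):
    """One rule per (source type, target type, class), permissions merged.

    Target types listed in `silence` get a dontaudit rule instead of allow:
    the access stays blocked, only the AVC noise goes away.
    """
    merged = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec is not None and rec['verdict'] == 'denied':
            merged[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        kind = 'dontaudit' if ttype in silence else 'allow'
        rules.append('%s %s %s:%s %s;' % (kind, stype, ttype, tclass, _perm_set(perms)))
    return rules


def te_module(name, lines, silence=()):
    """Render a complete .te source in the shape audit2allow -M writes."""
    recs = [r for r in map(parse_avc, lines) if r is not None and r['verdict'] == 'denied']
    types = sorted({r['stype'] for r in recs} | {r['ttype'] for r in recs})
    classes = defaultdict(set)
    for r in recs:
        classes[r['tclass']].update(r['perms'])
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, _perm_set(p)) for c, p in sorted(classes.items())]
    out += ['}', '']
    current = None
    for rule in rules_from_log(lines, silence):
        stype = rule.split()[1]
        if stype != current:
            out.append('#============= %s ==============' % stype)
            current = stype
        out.append(rule)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(te_module('my-cjdroute', SAMPLE_LOG, silence=('sssd_var_lib_t',)))
```

Running the script prints a .te file with the map rule under `#============= cjdns_t ==============` and a `dontaudit cjdns_t sssd_var_lib_t:file { open read };` for the constructed records. To load it the same way `audit2allow -M` does, build it with `checkmodule -M -m -o my-cjdroute.mod my-cjdroute.te` followed by `semodule_package -o my-cjdroute.pp -m my-cjdroute.mod`, then install the .pp with `semodule -i`. Before granting anything, look at the `permissive` field of each record: a denial with permissive=1 explains a process that keeps running while the report is raised.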
This is okay to allow in cjdns policy.
I pushed the change into rawhide. But I am not getting this denial on 20.1, which is the version in rawhide.
I tested a f27 system, and it does indeed fail to start. I'm not happy with 20.1 - seems to have routing problems, so I will want to make a new release for 19.1.
cjdns-19.1-11.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-fd8872ea14
cjdns-19.1-11.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-fd8872ea14
cjdns-19.1-11.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-14f3a6bf57
cjdns-19.1-11.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-14f3a6bf57
cjdns-19.1-11.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
cjdns-19.1-11.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.