Bug 1694968 - xenstored runs as unconfined_service_t even if the program is confined
Summary: xenstored runs as unconfined_service_t even if the program is confined
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-02 08:00 UTC by Milos Malik
Modified: 2019-04-08 01:52 UTC (History)

Fixed In Version: selinux-policy-3.14.2-53.fc29
Clone Of:
Environment:
Last Closed: 2019-04-08 01:52:59 UTC
Type: Bug
Embargoed:



Description Milos Malik 2019-04-02 08:00:30 UTC
Description of problem:
# grep ExecStart= /usr/lib/systemd/system/xenstored.service 
ExecStart=/etc/xen/scripts/launch-xenstore
# ls -Z /etc/xen/scripts/launch-xenstore
system_u:object_r:bin_t:s0 /etc/xen/scripts/launch-xenstore
#

Even if xenstored is labeled correctly, the launch-xenstore script runs first; it transitions into unconfined_service_t, and the execution of xenstored cannot escape this domain.

# ls -Z `which xenstored`
system_u:object_r:xenstored_exec_t:s0 /usr/sbin/xenstored
# sesearch -s unconfined_service_t -c process -T
type_transition unconfined_service_t abrt_helper_exec_t:process abrt_helper_t;
type_transition unconfined_service_t chronyc_exec_t:process chronyc_t;
type_transition unconfined_service_t container_runtime_exec_t:process container_runtime_t;
#

Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-51.fc29.noarch
selinux-policy-devel-3.14.2-51.fc29.noarch
selinux-policy-doc-3.14.2-51.fc29.noarch
selinux-policy-minimum-3.14.2-51.fc29.noarch
selinux-policy-mls-3.14.2-51.fc29.noarch
selinux-policy-sandbox-3.14.2-51.fc29.noarch
selinux-policy-targeted-3.14.2-51.fc29.noarch
xen-4.11.1-4.fc29.x86_64
xen-hypervisor-4.11.1-4.fc29.x86_64
xen-libs-4.11.1-4.fc29.x86_64
xen-licenses-4.11.1-4.fc29.x86_64
xen-runtime-4.11.1-4.fc29.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 29
2. boot the kernel with Xen hypervisor
3. start the xenstored service if it's not running
4. ps -efZ | grep xenstored

Actual results:
 * xenstored process runs under unconfined_service_t

Expected results:
 * xenstored process runs under xenstored_t
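
The domain chain the report describes can be checked mechanically. The following script is an added example (not code from the bug report or from selinux-policy): it parses rules in the text form `sesearch -T` and `sesearch -A` print and walks the execs systemd performs, init_t executing the ExecStart file and that file executing the daemon. Only the three unconfined_service_t type_transition lines are taken from the report; the init_t and allow rules in the sample policy are assumptions chosen to reproduce the described behaviour, and process:transition permissions and constraints are not modelled.

```python
"""Predict the SELinux domain a systemd service ends up in along its exec chain.

Added example; this is not code from the bug report or from selinux-policy.
It parses rules in the text form `sesearch -T` (type_transition) and
`sesearch -A` (allow) print, then walks the chain the report describes:
init_t executes the ExecStart file, which in turn executes the real daemon.
"""
import re

# Constructed sample policy, NOT a dump of the Fedora policy. The three
# unconfined_service_t type_transition lines are copied from the report; the
# remaining rules are assumptions chosen to reproduce the behaviour it describes.
SAMPLE_POLICY = """
type_transition unconfined_service_t abrt_helper_exec_t:process abrt_helper_t;
type_transition unconfined_service_t chronyc_exec_t:process chronyc_t;
type_transition unconfined_service_t container_runtime_exec_t:process container_runtime_t;
type_transition init_t bin_t:process unconfined_service_t;
type_transition init_t xenstored_exec_t:process xenstored_t;
allow init_t bin_t:file { execute open read };
allow init_t xenstored_exec_t:file { execute open read };
allow unconfined_service_t bin_t:file { entrypoint execute execute_no_trans open read };
allow unconfined_service_t xenstored_exec_t:file { execute execute_no_trans open read };
allow xenstored_t xenstored_exec_t:file { entrypoint execute open read };
"""

TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+):process\s+(\S+);$")
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):file\s+(?:\{\s*([^}]*)\}|(\S+?))\s*;$")


def parse_policy(text):
    """Return ({(src, exec_type): target}, {(src, file_type): set(perms)})."""
    transitions, allows = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TRANS_RE.match(line)
        if m:
            src, exec_type, target = m.groups()
            transitions[(src, exec_type)] = target
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, file_type, braced, single = m.groups()
            allows.setdefault((src, file_type), set()).update((braced or single).split())
    return transitions, allows


def exec_outcome(policy, domain, exec_type):
    """Outcome of `domain` executing a file labelled `exec_type`.

    Returns ("transition", new_domain), ("no_transition", domain) or
    ("denied", domain). Only file-class permissions are modelled; the
    process:transition permission and constraints are assumed to be granted.
    """
    transitions, allows = policy
    perms = allows.get((domain, exec_type), set())
    if "execute" not in perms:
        return "denied", domain
    target = transitions.get((domain, exec_type))
    if target is not None:
        # A default transition also needs entrypoint on the file in the target domain.
        if "entrypoint" in allows.get((target, exec_type), set()):
            return "transition", target
        return "denied", domain
    # No type_transition rule: the exec stays in the caller's domain, which is
    # only allowed if the caller holds execute_no_trans on that file type.
    if "execute_no_trans" in perms:
        return "no_transition", domain
    return "denied", domain


def walk_exec_chain(policy, start_domain, exec_types):
    """Follow successive execs, recording (domain, exec_type, status, new_domain) per step."""
    steps, domain = [], start_domain
    for exec_type in exec_types:
        status, new_domain = exec_outcome(policy, domain, exec_type)
        steps.append((domain, exec_type, status, new_domain))
        if status == "denied":
            break
        domain = new_domain
    return steps


def final_domain(policy, start_domain, exec_types):
    """Domain the last program in the chain runs in, or None if an exec is denied."""
    if not exec_types:
        return start_domain
    last = walk_exec_chain(policy, start_domain, exec_types)[-1]
    return None if last[2] == "denied" else last[3]


POLICY = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    # Chain 1 is the report: launch-xenstore is bin_t, so the daemon stays in
    # unconfined_service_t. Chain 2 is the script relabelled xenstored_exec_t.
    for chain in (["bin_t", "xenstored_exec_t"], ["xenstored_exec_t", "xenstored_exec_t"]):
        print("ExecStart chain:", " -> ".join(chain))
        for domain, exec_type, status, new_domain in walk_exec_chain(POLICY, "init_t", chain):
            print(f"  {domain} exec {exec_type}: {status} -> {new_domain}")
        print("  final domain:", final_domain(POLICY, "init_t", chain))
```

On a live system the sample text would be replaced by the real output of `sesearch -T` and `sesearch -A`, and the exec chain by the label of the unit's ExecStart file followed by the label of the daemon it launches. The second chain shows why relabelling the wrapper alone is not enough: once the script runs as xenstored_t, executing the daemon needs either a transition rule or execute_no_trans on xenstored_exec_t.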

Comment 1 Milos Malik 2019-04-02 08:39:08 UTC
# chcon -t xenstored_exec_t /etc/xen/scripts/launch-xenstore

After the ^^^ command and a reboot, the xenstored service triggers the following SELinux denials:
----
type=PROCTITLE msg=audit(04/02/2019 09:32:03.668:118) : proctitle=/usr/bin/bash /etc/xen/scripts/launch-xenstore 
type=PATH msg=audit(04/02/2019 09:32:03.668:118) : item=0 name=/usr/sbin/xenstored inode=26842619 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:xenstored_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/02/2019 09:32:03.668:118) : cwd=/ 
type=SYSCALL msg=audit(04/02/2019 09:32:03.668:118) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x563cf3abb880 a1=0x563cf3abbac0 a2=0x563cf3ab1c30 a3=0x8 items=1 ppid=741 pid=744 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=launch-xenstore exe=/usr/bin/bash subj=system_u:system_r:xenstored_t:s0 key=(null) 
type=AVC msg=audit(04/02/2019 09:32:03.668:118) : avc:  denied  { execute_no_trans } for  pid=744 comm=launch-xenstore path=/usr/sbin/xenstored dev="vda2" ino=26842619 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xenstored_exec_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/02/2019 09:32:03.688:120) : proctitle=/usr/bin/bash /etc/xen/scripts/launch-xenstore 
type=PATH msg=audit(04/02/2019 09:32:03.688:120) : item=0 name=/usr/bin/systemd-notify inode=17019727 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_notify_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/02/2019 09:32:03.688:120) : cwd=/ 
type=SYSCALL msg=audit(04/02/2019 09:32:03.688:120) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x563cf3abb880 a1=0x7ffd77987570 a2=0x7ffd77987570 a3=0x563cf3aa3010 items=1 ppid=1 pid=741 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=launch-xenstore exe=/usr/bin/bash subj=system_u:system_r:xenstored_t:s0 key=(null) 
type=AVC msg=audit(04/02/2019 09:32:03.688:120) : avc:  denied  { getattr } for  pid=741 comm=launch-xenstore path=/usr/bin/systemd-notify dev="vda2" ino=17019727 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/02/2019 10:17:05.214:115) : proctitle=/usr/bin/bash /etc/xen/scripts/launch-xenstore 
type=PATH msg=audit(04/02/2019 10:17:05.214:115) : item=0 name=/var/lib/sss/pipes/nss nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/02/2019 10:17:05.214:115) : cwd=/ 
type=SOCKADDR msg=audit(04/02/2019 10:17:05.214:115) : saddr={ fam=local path=/var/lib/sss/pipes/nss } 
type=SYSCALL msg=audit(04/02/2019 10:17:05.214:115) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffc86a21bb0 a2=0x6e a3=0x0 items=1 ppid=1 pid=740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=launch-xenstore exe=/usr/bin/bash subj=system_u:system_r:xenstored_t:s0 key=(null) 
type=AVC msg=audit(04/02/2019 10:17:05.214:115) : avc:  denied  { search } for  pid=740 comm=launch-xenstore name=sss dev="vda2" ino=9099012 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(04/02/2019 10:17:05.218:116) : proctitle=/usr/bin/bash /etc/xen/scripts/launch-xenstore 
type=PATH msg=audit(04/02/2019 10:17:05.218:116) : item=0 name=/etc/passwd inode=8643738 dev=fc:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:passwd_file_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/02/2019 10:17:05.218:116) : cwd=/ 
type=SYSCALL msg=audit(04/02/2019 10:17:05.218:116) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fd3dc767169 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=launch-xenstore exe=/usr/bin/bash subj=system_u:system_r:xenstored_t:s0 key=(null) 
type=AVC msg=audit(04/02/2019 10:17:05.218:116) : avc:  denied  { read } for  pid=740 comm=launch-xenstore name=passwd dev="vda2" ino=8643738 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/02/2019 10:17:05.278:119) : proctitle=/usr/bin/bash /etc/xen/scripts/launch-xenstore 
type=PATH msg=audit(04/02/2019 10:17:05.278:119) : item=0 name=/bin/mkdir inode=16988514 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(04/02/2019 10:17:05.278:119) : cwd=/ 
type=SYSCALL msg=audit(04/02/2019 10:17:05.278:119) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x555d31938300 a1=0x555d31934710 a2=0x555d3192ec30 a3=0x8 items=1 ppid=740 pid=744 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=launch-xenstore exe=/usr/bin/bash subj=system_u:system_r:xenstored_t:s0 key=(null) 
type=AVC msg=audit(04/02/2019 10:17:05.278:119) : avc:  denied  { execute } for  pid=744 comm=launch-xenstore name=mkdir dev="vda2" ino=16988514 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 
----
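
The denials above can be reduced to an audit2allow-style summary and the execute_no_trans case picked out automatically. The following script is an added example, not part of the bug report: it parses AVC records in the interpreted format `ausearch -i` prints (the sample input is copied from the records above), groups them by source type, target type and object class, and flags a domain being denied execute_no_trans on an *_exec_t file, which is the symptom of a wrapper sharing the daemon's entrypoint label without a transition for the daemon itself.

```python
"""Triage SELinux AVC denials from `ausearch -i` output.

Added example, not part of the bug report. It parses AVC records in the
interpreted format ausearch prints, groups them audit2allow-style by
(source type, target type, object class), and flags the pattern the report
shows: a wrapper script relabelled with the daemon's entrypoint type being
denied execute_no_trans on the daemon binary.
"""
import re
from collections import defaultdict

# Sample input: the five AVC records from the report plus one PROCTITLE line,
# included to show that non-AVC record types are skipped.
SAMPLE_AUDIT = r"""
type=PROCTITLE msg=audit(04/02/2019 09:32:03.668:118) : proctitle=/usr/bin/bash /etc/xen/scripts/launch-xenstore
type=AVC msg=audit(04/02/2019 09:32:03.668:118) : avc:  denied  { execute_no_trans } for  pid=744 comm=launch-xenstore path=/usr/sbin/xenstored dev="vda2" ino=26842619 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:xenstored_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/02/2019 09:32:03.688:120) : avc:  denied  { getattr } for  pid=741 comm=launch-xenstore path=/usr/bin/systemd-notify dev="vda2" ino=17019727 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/02/2019 10:17:05.214:115) : avc:  denied  { search } for  pid=740 comm=launch-xenstore name=sss dev="vda2" ino=9099012 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(04/02/2019 10:17:05.218:116) : avc:  denied  { read } for  pid=740 comm=launch-xenstore name=passwd dev="vda2" ino=8643738 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/02/2019 10:17:05.278:119) : avc:  denied  { execute } for  pid=744 comm=launch-xenstore name=mkdir dev="vda2" ino=16988514 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"verdict": verdict, "perms": set(perms.split()), **fields}


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def flag_missing_transitions(summary):
    """(source, target) pairs where a domain was denied execute_no_trans on an *_exec_t file.

    This usually means the caller was relabelled with a daemon's entrypoint
    type and now runs in that domain, but executing the daemon binary has no
    transition rule. The fix belongs in policy (a proper domain transition or a
    separate type for the wrapper), not in an allow rule for execute_no_trans.
    """
    return sorted(
        (src, tgt)
        for (src, tgt, cls), perms in summary.items()
        if cls == "file" and "execute_no_trans" in perms and tgt.endswith("_exec_t")
    )


def format_rules(summary):
    """Render the summary as audit2allow-style allow rules, for review only."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT.splitlines())
    for rule in format_rules(summary):
        print(rule)
    for src, tgt in flag_missing_transitions(summary):
        print(f"missing domain transition: {src} executing {tgt}")
```

The rendered rules are a starting point for review rather than something to load as-is: the execute_no_trans entry in particular should be resolved by a domain transition, and the remaining entries (sssd_var_lib_t, passwd_file_t, bin_t) show the script doing name-service lookups and running helpers that the xenstored_t domain was never written to cover.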

Comment 2 Lukas Vrabec 2019-04-02 16:32:12 UTC
We have fixes in Fedora: 

commit 9cd0f77325fac5811c46f5190b08c05546087aee (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 2 18:29:39 2019 +0200

    Update SELinux policy for xen services

Comment 3 Fedora Update System 2019-04-05 17:27:53 UTC
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 4 Fedora Update System 2019-04-06 20:51:13 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 5 Fedora Update System 2019-04-08 01:52:59 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

