Description of problem:
The recent policy update in bug 1690444 brought the initial bits for adding smart card authentication support to Cockpit. But we had to improve the design a bit to allow a more trustworthy way of treating the client certificates. These now get passed around as sealed memfds, which SELinux treats as tmpfs_t. Thus we need to allow cockpit-ws and cockpit-cert-session to handle tmpfs files:

audit: type=1400 audit(1554890529.511:520): avc: denied { write } for pid=7871 comm="cockpit-ws" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45387 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: type=1400 audit(1554890542.604:530): avc: denied { read write } for pid=7896 comm="cockpit-cert-se" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45900 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
audit: type=1400 audit(1554890542.621:531): avc: denied { getattr } for pid=7896 comm="cockpit-cert-se" path=2F6D656D66643A636C69656E742D63657274202864656C6574656429 dev="tmpfs" ino=45900 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

The diff of my local policy adjustment looks like this:

module local 1.0;
-require { type cockpit_session_t; type sssd_t; type cockpit_ws_t; type cert_t; class dbus send_msg; class file { read map }; }
+require { type cockpit_session_t; type sssd_t; type cockpit_ws_t; type cert_t; type tmpfs_t; class dbus send_msg; class file { read write map getattr }; }
+allow cockpit_session_t tmpfs_t:file { read write map getattr };
allow cockpit_session_t sssd_t:dbus send_msg;
allow sssd_t cockpit_session_t:dbus send_msg;
+allow cockpit_ws_t tmpfs_t:file { read write map getattr };
dontaudit cockpit_ws_t cert_t:file { read map };

Note that this is a tiny bit more leeway than currently required (ws_t doesn't need to read, and neither currently needs to map), but IMHO these don't hurt and will allow some more flexibility later on. Thank you!

Version-Release number of selected component (if applicable):
selinux-policy-3.14.2-51.fc29.noarch
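Review bot: the two `+allow` rules grant cockpit_ws_t and cockpit_session_t read/write/map on every file labelled tmpfs_t, not only on the sealed memfds that carry the client certificate; tmpfs_t is the generic label for unlabelled tmpfs content, and the denials confirm the memfd has no type of its own (the hex `path=` value decodes to `/memfd:client-cert (deleted)`). The narrower fix is a dedicated type for Cockpit's tmpfs files, reached via a file type transition from tmpfs_t, so that the allow rules name that type rather than tmpfs_t; that is what the cockpit_tmpfs_t commit further down does. Separately, as the report itself notes, `read` and `map` for cockpit_ws_t and `map` for cockpit_session_t go beyond what the three audit lines actually show ({ write } for ws, { read write getattr } for the session), so a local module could match the denials exactly and widen only when a concrete need appears.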
commit 8f8113db710c73145e668ae8c7e479fcc53bfa89 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Apr 10 14:38:39 2019 +0200

    Create cockpit_tmpfs_t and allow cockpit ws and session to use it
    BZ(1698405)
I locally built the selinux-policy rpm with this patch applied and confirm that it works. Many thanks!
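The description above says the client certificate now travels between cockpit-ws and cockpit-cert-session as a sealed memfd, which is why the denials show a tmpfs_t file named /memfd:client-cert (deleted) (the hex path in the audit lines decodes to that name). The C program below is an added example, not Cockpit's own code, showing what sealing buys the receiving side: the sender creates the memfd, writes the certificate bytes and applies the write/shrink/grow/seal seals before handing the fd over; the receiver checks F_GET_SEALS before trusting the contents, and any later attempt to modify the data through the fd fails with EPERM while reading keeps working. It assumes Linux with the glibc memfd_create wrapper; the memfd name client-cert and the certificate bytes are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The seal set a receiver should insist on: once applied, the buffer can
 * no longer be written, shrunk or grown, and the seals themselves cannot
 * be removed (F_SEAL_SEAL). */
#define CERT_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Sender side: create a memfd called `name`, copy `len` bytes of `data`
 * into it and seal it. Returns the fd, or -1 with errno set. */
int create_sealed_memfd(const char *name, const void *data, size_t len)
{
    int fd = memfd_create(name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;

    const char *p = data;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, p + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }

    /* Seal before the fd is passed to the other process; from here on the
     * contents are immutable for every holder of the fd, sender included. */
    if (fcntl(fd, F_ADD_SEALS, CERT_SEALS) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receiver side: return 1 only if every seal in CERT_SEALS is present, so
 * nobody can change the bytes after they have been validated. */
int memfd_is_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return 0;
    return (seals & CERT_SEALS) == CERT_SEALS;
}

/* Try to overwrite the start of the buffer. Returns 0 if the write went
 * through (unsealed fd) or the errno it failed with (EPERM when sealed). */
int try_modify(int fd)
{
    static const char junk[] = "tampered";
    if (pwrite(fd, junk, sizeof junk - 1, 0) < 0)
        return errno;
    return 0;
}

/* Read the contents back through the fd; reading stays allowed after sealing. */
ssize_t read_memfd(int fd, char *buf, size_t buflen)
{
    return pread(fd, buf, buflen, 0);
}

int main(void)
{
    /* Constructed stand-in for a PEM client certificate. */
    static const char cert[] =
        "-----BEGIN CERTIFICATE-----\n"
        "MIIBconstructedSampleNotARealCertificate\n"
        "-----END CERTIFICATE-----\n";

    int fd = create_sealed_memfd("client-cert", cert, strlen(cert));
    if (fd < 0) {
        perror("create_sealed_memfd");
        return 1;
    }
    printf("sealed: %s\n", memfd_is_sealed(fd) ? "yes" : "no");

    int err = try_modify(fd);
    printf("write after sealing: %s\n", err ? strerror(err) : "succeeded (!)");

    char buf[256] = { 0 };
    ssize_t n = read_memfd(fd, buf, sizeof buf - 1);
    int intact = n == (ssize_t)strlen(cert) && memcmp(buf, cert, (size_t)n) == 0;
    printf("read back %zd bytes, unchanged: %s\n", n, intact ? "yes" : "no");
    close(fd);
    return 0;
}
```

The receiver-side check matters as much as the sealing itself: a memfd created without MFD_ALLOW_SEALING, or passed before fcntl(F_ADD_SEALS), looks identical on the wire, so the consumer must verify F_GET_SEALS rather than assume the sender did the right thing. Note that the kernel still labels the file tmpfs_t regardless of seals; sealing protects the contents, and the SELinux type (cockpit_tmpfs_t in the committed fix) controls which domains may touch it.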
selinux-policy-3.14.2-54.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6add7b193f
selinux-policy-3.14.2-54.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6add7b193f
selinux-policy-3.14.2-54.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.