RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1726259 - the stratisd service runs as unconfined_service_t
Summary: the stratisd service runs as unconfined_service_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.2
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 1726199
TreeView+ depends on / blocked
 
Reported: 2019-07-02 12:48 UTC by Milos Malik
Modified: 2020-04-28 16:41 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
.New SELinux types enable services to run confined This update introduces new SELinux types that enable the following services to run as confined services in SELinux enforcing mode instead of running in the `unconfined_service_t` domain: * `lldpd` now runs as `lldpad_t` * `rrdcached` now runs as `rrdcached_t` * `stratisd` now runs as `stratisd_t` * `timedatex` now runs as `timedatex_t`
Clone Of:
Environment:
Last Closed: 2020-04-28 16:40:41 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1773 0 None None None 2020-04-28 16:41:12 UTC

Description Milos Malik 2019-07-02 12:48:17 UTC 
Description of problem:
 * the service is shipped but it is not confined

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-9.el8.noarch
selinux-policy-targeted-3.14.3-9.el8.noarch
stratisd-1.0.4-2.el8.x86_64

How reproducible:
 * always

Steps to Reproduce:
# service stratisd status
Redirecting to /bin/systemctl status stratisd.service
● stratisd.service - A daemon that manages a pool of block devices to create flexible file systems
   Loaded: loaded (/usr/lib/systemd/system/stratisd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2019-07-02 08:42:40 EDT; 5s ago
     Docs: man:stratisd(8)
  Process: 10992 ExecStart=/usr/libexec/stratisd --debug (code=exited, status=0/SUCCESS)
 Main PID: 10992 (code=exited, status=0/SUCCESS)

Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:  INFO stratisd: Dump timer expired, dumpi…tate
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]: DEBUG stratisd: Engine state:
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]: StratEngine {
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:     pools: {},
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:     incomplete_pools: {},
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:     watched_dev_last_event_nrs: {},
Jul 02 08:40:24 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]: }
Jul 02 08:42:40 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Stopping A daemon that manages a pool of bloc…ms...
Jul 02 08:42:40 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[10992]:  INFO stratisd: SIGINT received, exiting
Jul 02 08:42:40 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Stopped A daemon that manages a pool of block…tems.
Hint: Some lines were ellipsized, use -l to show in full.
# service stratisd start
Redirecting to /bin/systemctl start stratisd.service
# service stratisd status
Redirecting to /bin/systemctl status stratisd.service
● stratisd.service - A daemon that manages a pool of block devices to create flexible file systems
   Loaded: loaded (/usr/lib/systemd/system/stratisd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-07-02 08:42:49 EDT; 1s ago
     Docs: man:stratisd(8)
 Main PID: 18133 (stratisd)
    Tasks: 1 (limit: 11518)
   Memory: 788.0K
   CGroup: /system.slice/stratisd.service
           └─18133 /usr/libexec/stratisd --debug

Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com systemd[1]: Started A daemon that manages a pool of block…tems.
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: DEBUG libstratis::stratis::buff_log: Buff…none
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:  INFO stratisd: Using StratEngine
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: DEBUG stratisd: Engine state:
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: StratEngine {
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:     pools: {},
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:     incomplete_pools: {},
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:     watched_dev_last_event_nrs: {},
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]: }
Jul 02 08:42:49 ci-vm-10-0-136-62.hosted.upshift.rdu2.redhat.com stratisd[18133]:  INFO stratisd: D-Bus API is available
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep stratisd
system_u:system_r:unconfined_service_t:s0 root 18133 1  0 08:42 ?      00:00:00 /usr/libexec/stratisd --debug
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 18180 4655  0 08:43 pts/0 00:00:00 grep --color=auto stratisd
# ls -Z /usr/libexec/stratisd
system_u:object_r:bin_t:s0 /usr/libexec/stratisd
#

Actual results:
 * the service is not confined

Expected results:
 * the service is confined
Comment 2 Patrik Koncity 2019-08-20 11:23:35 UTC 
https://github.com/fedora-selinux/selinux-policy-contrib/pull/132/commits/e27376b775abc93092a2ba233754d9c848c4fba8
Comment 4 Nikola Knazekova 2019-10-25 09:37:59 UTC 
During manual testing a USER_AVC was found:
----
type=USER_AVC msg=audit(10/25/2019 05:28:33.468:461) : pid=504 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for  scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
Comment 5 Nikola Knazekova 2019-10-25 09:56:16 UTC 
This selinux denial will be fixed in the Stratis component, because the service is trying to create a directory in wrong location /stratis
----
type=PROCTITLE msg=audit(10/25/2019 05:17:02.313:392) : proctitle=/usr/libexec/stratisd --debug 
type=PATH msg=audit(10/25/2019 05:17:02.313:392) : item=1 name=/stratis nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(10/25/2019 05:17:02.313:392) : item=0 name=/ inode=2 dev=fc:01 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(10/25/2019 05:17:02.313:392) : cwd=/ 
type=SYSCALL msg=audit(10/25/2019 05:17:02.313:392) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x561728dd59d0 a1=0777 a2=0x9 a3=0x561728dddbf8 items=2 ppid=1 pid=4969 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=stratisd exe=/usr/libexec/stratisd subj=system_u:system_r:stratisd_t:s0 key=(null) 
type=AVC msg=audit(10/25/2019 05:17:02.313:392) : avc:  denied  { dac_override } for  pid=4969 comm=stratisd capability=dac_override  scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:stratisd_t:s0 tclass=capability permissive=0
Comment 7 Nikola Knazekova 2019-10-30 17:04:55 UTC 
Fixed USER_AVC.
PR for Fedora: https://github.com/fedora-selinux/selinux-policy-contrib/pull/157
Comment 19 errata-xmlrpc 2020-04-28 16:40:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773
Note You need to log in before you can comment on or make changes to this bug.