Bug 1750112 - selinux is blocking gdm from accessing boot_t files, breaking the grub hidden menu feature
Summary: selinux is blocking gdm from accessing boot_t files, breaking the grub hidden...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-09-08 12:58 UTC by Hans de Goede
Modified: 2019-11-17 01:13 UTC (History)

Fixed In Version: selinux-policy-3.14.3-52.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-17 01:13:19 UTC
Type: Bug
Embargoed:



Description Hans de Goede 2019-09-08 12:58:26 UTC
This is an (unfixed) variant of bug 1645770.

Quoting from bug 1645770 for some background: "When rebooting using the GNOME3 system menu from within gdm, gnome-session calls the grub2-set-bootflag helper to modify the grubenv (which sits on the UEFI ESP partition, which is vfat) to indicate that this was a user initiated reboot and that the previous boot thus was successful, so that the grub menu will stay hidden."

The problem in bug 1645770 was selinux blocking xdm_t from accessing dosfs_t files, such as the grubenv file when the system is booted through UEFI and /boot/EFI is a separate VFAT partition.

The Fedora 30 problem which I just noticed is that when rebooting from within gdm on a system using classic PC BIOS boot, the setting of the boot_success flag in the grubenv still gets blocked by selinux and the boot-menu is still shown even though this was a "clean" reboot.

This is caused by /boot/EFI not being a separate VFAT partition when using classic PC BIOS boot. In this case it is just a subdir of the ext4 /boot partition and the selinux type of grubenv is not dosfs_t but rather boot_t, leading to this denial getting logged (there may be other silent ones):

  type=AVC msg=audit(1567796410.435:125): avc:  denied  { write } for  pid=1490
   comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=395
   scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
   tcontext=unconfined_u:object_r:boot_t:s0 tclass=file permissive=0

And to illustrate the UEFI vs BIOS boot system difference:

  Classic BIOS boot:
   [root@localhost ~]# ls -Z /boot/efi/EFI/fedora/grubenv 
   unconfined_u:object_r:boot_t:s0 /boot/efi/EFI/fedora/grubenv
  EFI:
   [hans@shalem gnome-session]$ sudo ls -Z /boot/efi/EFI/fedora/grubenv
   system_u:object_r:dosfs_t:s0 /boot/efi/EFI/fedora/grubenv

Note I've not tested this on F31, but I expect F31 to also be affected; it would be good if we can get this fixed before F31 final.
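As an added example (not part of this bug report or of the selinux-policy project), the following Python script triages audit AVC records like the one quoted above: it parses each line, extracts the source and target SELinux types, and separates the gdm-writes-grubenv pattern (xdm_t denied write on boot_t or dosfs_t) from unrelated denials. The sample lines are constructed: the first is the denial above joined onto one line, the second is a UEFI variant where grubenv is dosfs_t, and the third is an unrelated denial the classifier must not match. The remediation it suggests uses the xdm_manage_bootloader boolean that the fix for this bug introduced (see comment 2) and assumes a policy build containing that boolean is installed; on older policies the boolean does not exist and setsebool will fail.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample audit lines. The first is the denial quoted in this bug
# (joined onto one line); the second is a constructed UEFI variant where
# grubenv sits on the VFAT ESP and is therefore dosfs_t; the third is an
# unrelated constructed denial that the classifier must not match.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1567796410.435:125): avc:  denied  { write } for  pid=1490 '
    'comm="grub2-set-bootf" name="grubenv" dev="sda1" ino=395 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:boot_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1567796500.001:130): avc:  denied  { write } for  pid=1502 '
    'comm="grub2-set-bootf" name="grubenv" dev="sda2" ino=17 '
    'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1567796600.123:140): avc:  denied  { read } for  pid=1600 '
    'comm="sshd" name="authorized_keys" dev="sda1" ino=9999 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

# Shape of an AVC record: 'avc:  denied  { perm ... } for  key=value key="quoted" ...'
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcEvent:
    decision: str
    perms: Tuple[str, ...]
    comm: Optional[str]
    name: Optional[str]
    source_type: str
    target_type: str
    tclass: str
    permissive: bool


def type_of(context: str) -> str:
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one audit.log line; return None if it is not a usable AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return AvcEvent(
        decision=m.group('decision'),
        perms=tuple(m.group('perms').split()),
        comm=fields.get('comm'),
        name=fields.get('name'),
        source_type=type_of(fields['scontext']),
        target_type=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        permissive=fields.get('permissive') == '1',
    )


# Types grubenv carries on the two layouts described in the bug: boot_t when
# /boot/efi is a plain subdir of the ext4 /boot (BIOS boot), dosfs_t when it
# is a separate VFAT ESP (UEFI boot).
BOOTLOADER_FILE_TYPES = {'boot_t', 'dosfs_t'}


def is_gdm_bootflag_denial(ev: AvcEvent) -> bool:
    """True when the gdm session domain (xdm_t) was denied writing a bootloader file."""
    return (ev.decision == 'denied'
            and ev.source_type == 'xdm_t'
            and ev.target_type in BOOTLOADER_FILE_TYPES
            and ev.tclass == 'file'
            and 'write' in ev.perms)


def triage(lines: List[str]) -> Tuple[List[AvcEvent], List[AvcEvent]]:
    """Split AVC denials into the grubenv pattern and everything else."""
    matched, others = [], []
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev.decision != 'denied':
            continue
        (matched if is_gdm_bootflag_denial(ev) else others).append(ev)
    return matched, others


def remediation(ev: AvcEvent) -> str:
    """Suggest the boolean from this bug's fix for the grubenv pattern, else manual review."""
    if is_gdm_bootflag_denial(ev):
        # xdm_manage_bootloader is the boolean introduced by the fix in this bug
        # (comment 2); it assumes a policy build that contains it is installed.
        return ('setsebool -P xdm_manage_bootloader on  '
                f'# {ev.comm} denied {",".join(ev.perms)} on {ev.target_type} {ev.name}')
    return f'review: {ev.source_type} -> {ev.target_type} {ev.tclass} {{ {" ".join(ev.perms)} }}'


if __name__ == '__main__':
    matched, others = triage(SAMPLE_AUDIT_LINES)
    for ev in matched + others:
        print(remediation(ev))
```

In practice the input would be the AVC lines from /var/log/audit/audit.log (for example the output of ausearch -m avc); on a live machine, ls -Z /boot/efi/EFI/fedora/grubenv confirms which of the two contexts the file carries, and getsebool xdm_manage_bootloader shows whether the boolean exists and is enabled.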

Comment 1 Nikola Knazekova 2019-09-18 14:20:54 UTC
PR for Fedora: https://github.com/fedora-selinux/selinux-policy/pull/277

Comment 2 Lukas Vrabec 2019-09-19 08:25:39 UTC
commit 43a040b61451c4bc7f0cfc0132843621f0359b52
Author: Nikola Knazekova <nknazeko>
Date:   Tue Sep 10 18:47:52 2019 +0200

    Introduce xdm_manage_bootloader boolean
    
    Created xdm_manage_bootloader boolean to create, read, write, and delete files in the /boot directory & DOS filesystem.
    
    Fixed Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1750112#

Comment 3 Fedora Update System 2019-10-04 13:36:23 UTC
FEDORA-2019-6bbf3d600d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 4 Fedora Update System 2019-10-04 22:14:56 UTC
selinux-policy-3.14.3-48.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 5 Fedora Update System 2019-10-10 07:49:09 UTC
FEDORA-2019-6bbf3d600d has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 6 Fedora Update System 2019-10-10 17:29:14 UTC
selinux-policy-3.14.3-49.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6bbf3d600d

Comment 7 Fedora Update System 2019-10-23 07:00:32 UTC
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 8 Fedora Update System 2019-10-25 19:34:06 UTC
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 9 Fedora Update System 2019-10-26 17:02:55 UTC
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 10 Fedora Update System 2019-10-27 03:54:53 UTC
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 11 Fedora Update System 2019-11-03 14:10:56 UTC
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 12 Fedora Update System 2019-11-04 02:10:20 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 13 Fedora Update System 2019-11-17 01:13:19 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

