Bug 1769221 - the rdisc service uses NoNewPrivileges=yes and triggers SELinux denials
Summary: the rdisc service uses NoNewPrivileges=yes and triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-06 08:09 UTC by Milos Malik
Modified: 2020-01-21 15:14 UTC (History)

Fixed In Version: selinux-policy-3.14.4-44.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-21 01:38:41 UTC
Type: Bug



Description Milos Malik 2019-11-06 08:09:04 UTC
Description of problem:
# grep NoNew /usr/lib/systemd/system/rdisc.service 
NoNewPrivileges=yes
# sesearch -t rdisc_t -c process2 -p nnp_transition -A
#

Version-Release number of selected component (if applicable):
iputils-20190515-3.fc31.x86_64
selinux-policy-3.14.4-40.fc31.noarch
selinux-policy-devel-3.14.4-40.fc31.noarch
selinux-policy-targeted-3.14.4-40.fc31.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. start the rdisc service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(11/06/2019 02:49:59.826:341) : proctitle=/usr/sbin/rdisc -f -t 
type=PATH msg=audit(11/06/2019 02:49:59.826:341) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=136860 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/06/2019 02:49:59.826:341) : item=0 name=/usr/sbin/rdisc inode=146819 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rdisc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/06/2019 02:49:59.826:341) : cwd=/ 
type=EXECVE msg=audit(11/06/2019 02:49:59.826:341) : argc=3 a0=/usr/sbin/rdisc a1=-f a2=-t 
type=BPRM_FCAPS msg=audit(11/06/2019 02:49:59.826:341) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pi=net_raw old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read old_pa=net_raw pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pi=net_raw pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read pa=net_raw frootid=0 
type=SYSCALL msg=audit(11/06/2019 02:49:59.826:341) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555d92d279b0 a1=0x555d92e6eed0 a2=0x555d92dc5060 a3=0x7 items=2 ppid=1 pid=22728 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(11/06/2019 02:49:59.826:341) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:rdisc_t:s0 
type=AVC msg=audit(11/06/2019 02:49:59.826:341) : avc:  denied  { nnp_transition } for  pid=22728 comm=(rdisc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rdisc_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(11/06/2019 02:49:59.830:342) : proctitle=/usr/sbin/rdisc -f -t 
type=SYSCALL msg=audit(11/06/2019 02:49:59.830:342) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=icmp a3=0x7fc20cb84ac0 items=0 ppid=1 pid=22728 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(11/06/2019 02:49:59.830:342) : avc:  denied  { create } for  pid=22728 comm=rdisc scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=0
----

Expected results:
 * the scenario does not trigger SELinux denials
 * the rdisc service runs successfully in enforcing mode
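The two audit events above show a pattern worth recognizing on its own: once systemd runs the unit with NoNewPrivileges=yes, the kernel requires the `nnp_transition` permission for init_t to move into rdisc_t; when the policy lacks it, the transition is refused (the SELINUX_ERR record) and the daemon simply keeps running as init_t, so every later denial, such as the rawip_socket create, is charged to init_t instead of rdisc_t. The following is an added example, not code from the report or from the selinux-policy project: a small correlator that groups audit records by serial, finds the refused NNP transition and ties the follow-on denials to it. The sample records are the report's own lines trimmed to the fields used here; the function names (`parse_records`, `analyze`, `domain_type`, `remedy`) and the wording of the remedy are the editor's assumptions.

```python
"""Correlate a denied nnp_transition with the denials it causes afterwards.

Added example for this bug report; not Fedora's or selinux-policy's code.
"""
import re
from collections import defaultdict

# Constructed sample: the two events from the report, with the PROCTITLE,
# PATH, CWD, EXECVE and BPRM_FCAPS records dropped and SYSCALL lines shortened.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(11/06/2019 02:49:59.826:341) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1 pid=22728 comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(11/06/2019 02:49:59.826:341) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:rdisc_t:s0
type=AVC msg=audit(11/06/2019 02:49:59.826:341) : avc:  denied  { nnp_transition } for  pid=22728 comm=(rdisc) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rdisc_t:s0 tclass=process2 permissive=0
type=SYSCALL msg=audit(11/06/2019 02:49:59.830:342) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=inet a1=SOCK_RAW a2=icmp ppid=1 pid=22728 comm=rdisc exe=/usr/sbin/rdisc subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(11/06/2019 02:49:59.830:342) : avc:  denied  { create } for  pid=22728 comm=rdisc scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=rawip_socket permissive=0
"""

# "type=AVC msg=audit(<timestamp>:<serial>) : <body>" as printed by ausearch -i
RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*)\) : (?P<body>.*)$")
# key=value pairs; values may be parenthesised, e.g. comm=(rdisc) or exit=EACCES(Permission denied)
KV_RE = re.compile(r"(\w+)=(\w*\([^)]*\)|\S+)")
# the permission set of an AVC record: "{ nnp_transition }"
PERM_RE = re.compile(r"\{ ([^}]*) \}")


def parse_records(text):
    """Turn ausearch -i output into dicts: type, serial, fields, perms."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (separators such as "----")
        body = m.group("body")
        perms = PERM_RE.search(body)
        records.append({
            "type": m.group("type"),
            "serial": int(m.group("stamp").rsplit(":", 1)[1]),
            "fields": dict(KV_RE.findall(body)),
            "perms": perms.group(1).split() if perms else [],
        })
    return records


def domain_type(context):
    """'system_u:system_r:init_t:s0' -> 'init_t'."""
    return context.split(":")[2]


def analyze(text):
    """Find refused NNP transitions and the later denials each one explains."""
    by_serial = defaultdict(list)
    for rec in parse_records(text):
        by_serial[rec["serial"]].append(rec)

    findings = []
    # pass 1: an AVC denying nnp_transition means the exec stayed in scontext
    for serial in sorted(by_serial):
        for rec in by_serial[serial]:
            if rec["type"] == "AVC" and "nnp_transition" in rec["perms"]:
                f = rec["fields"]
                findings.append({
                    "serial": serial,
                    "pid": int(f["pid"]),
                    "old_domain": domain_type(f["scontext"]),
                    "new_domain": domain_type(f["tcontext"]),
                    "enforcing": f.get("permissive") == "0",
                    "consequences": [],
                })
    # pass 2: later denials by the same pid, still running in the old domain,
    # are consequences of the refused transition, not bugs in the old domain
    for serial in sorted(by_serial):
        for rec in by_serial[serial]:
            if rec["type"] != "AVC" or "nnp_transition" in rec["perms"]:
                continue
            f = rec["fields"]
            for fd in findings:
                if (serial > fd["serial"] and int(f["pid"]) == fd["pid"]
                        and domain_type(f["scontext"]) == fd["old_domain"]):
                    fd["consequences"].append((serial, " ".join(rec["perms"]), f["tclass"]))
    return findings


def remedy(finding):
    """Editor's suggested direction for the fix (assumption, not the PR's content)."""
    old, new = finding["old_domain"], finding["new_domain"]
    return (f"grant {old} the nnp_transition permission into {new} in the policy "
            f"(assumed refpolicy-style interface: init_nnp_daemon_domain({new})), "
            f"or remove NoNewPrivileges=yes from the unit; do not widen {old}")


if __name__ == "__main__":
    for fd in analyze(SAMPLE_AUDIT):
        mode = "enforcing" if fd["enforcing"] else "permissive"
        print(f"event {fd['serial']}: pid {fd['pid']} stayed in {fd['old_domain']} "
              f"instead of entering {fd['new_domain']} ({mode})")
        for serial, perm, tclass in fd["consequences"]:
            print(f"  -> event {serial}: {{ {perm} }} on {tclass} denied while still in {fd['old_domain']}")
        print("  remedy:", remedy(fd))
```

The point of the second pass is triage direction: taken alone, the rawip_socket denial for init_t looks like a request to give init_t more privilege, which would be the wrong fix. Correlating it with the refused `nnp_transition` in the preceding event shows the real gap is the missing transition into rdisc_t, which is exactly what the reporter's empty `sesearch -p nnp_transition` query above confirms.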

Comment 2 Richard Fiľo 2019-11-28 17:00:28 UTC
Link to scratch build with fix: https://copr-be.cloud.fedoraproject.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01120048-selinux-policy/

It should be fixed in the selinux-policy packages.

RP: https://github.com/fedora-selinux/selinux-policy-contrib/pull/171

Comment 4 Fedora Update System 2020-01-14 01:43:30 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7

Comment 6 Fedora Update System 2020-01-21 01:38:41 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

