As part of teaching Cockpit about client-cert authentication I had to make some SELinux policy modifications, [1], [2], and for this bug report, https://github.com/fedora-selinux/selinux-policy-contrib/pull/130 . This is contained in F30 and F31.

With that, cockpit-session can (or at least used to be able to) read a particular file in /run/cockpit/tls/some.cert. But because reasons I now also need cockpit-session to read that directory, in particular running glob(3) on /run/cockpit/tls/%s-*.cert. But glob fails with GLOB_ABORTED, and I get this:

AVC avc: denied { read } for pid=10855 comm="cockpit-session" name="tls" dev="tmpfs" ino=53185 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 tclass=dir permissive=0

So apparently that gets as far as opening /run/cockpit and reading the "tls" directory entry in it. But I don't quite understand this -- the rule in PR #130 says

read_files_pattern(cockpit_session_t, cockpit_var_run_t, cockpit_var_run_t)

which at least matches the source context (cockpit_session_t) and target context (cockpit_var_run_t)? Does read_files_pattern() perhaps need an additional operation, even though the message says { read }?

I also tried with my old local workaround, which is more direct and doesn't use the macros:

allow cockpit_session_t cockpit_var_run_t:file { open read map getattr };

and it has the same problem. The files and dirs have the right context, AFAICS:

/run/cockpit/:
drwxr-xr-x. 2 cockpit-ws cockpit-ws system_u:object_r:cockpit_var_run_t:s0 40 Nov 8 09:09 tls

/run/cockpit/tls:
total 4
-rw-r--r--. 1 cockpit-ws cockpit-ws system_u:object_r:cockpit_var_run_t:s0 1099 Nov 8 09:09 b7bc12ed3b825d0ace739b2b76f99747f84cb8caafa6397769aff5bcb5a2781a-6.cert

[1] https://github.com/fedora-selinux/selinux-policy-contrib/pull/114
[2] https://github.com/fedora-selinux/selinux-policy-contrib/pull/161
Hi Martin,

You also need to allow listing directories labeled cockpit_var_run_t (see tclass=dir in your SELinux denial). You can easily fix it using this macro:

list_dirs_pattern(cockpit_session_t, cockpit_var_run_t, cockpit_var_run_t)

Could you please create a new PR? :)

Thanks,
Lukas.
Thanks Lukas! That was it. I tested this locally with allow cockpit_session_t cockpit_var_run_t:dir { getattr search open read }; (the expansion of search_dir_perms and list_dir_perms) and that worked fine. I sent https://github.com/fedora-selinux/selinux-policy-contrib/pull/162
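The mistake in this thread is worth automating: a file-class rule (read_files_pattern) does nothing for a denial whose tclass is dir, so the AVC's tclass, not just the permission name, decides which macro applies. The following is an added example, not code from this bug or from selinux-policy-contrib: it parses AVC lines like the one above and picks the smallest pattern macro whose permission set covers the denied permissions. The macro expansions table is an assumption based on the perms quoted in this thread ({ getattr search open read } for list_dir_perms), not a copy of the real refpolicy definitions.

```python
import re

# Constructed sample AVC lines modelled on the denial in this bug (not real audit log output).
SAMPLE_AVCS = [
    'avc: denied { read } for pid=10855 comm="cockpit-session" name="tls" dev="tmpfs" ino=53185 '
    'scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 '
    'tclass=dir permissive=0',
    'avc: denied { read open } for pid=10856 comm="cockpit-session" name="x.cert" dev="tmpfs" ino=53186 '
    'scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:cockpit_var_run_t:s0 '
    'tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumed permission sets granted per (tclass, macro). Only the macros discussed in the
# thread are listed; the sets follow the expansions quoted there, not the refpolicy source.
MACROS = {
    ('dir', 'search_dirs_pattern'): {'getattr', 'search'},
    ('dir', 'list_dirs_pattern'): {'getattr', 'search', 'open', 'read'},
    ('file', 'read_files_pattern'): {'getattr', 'open', 'read'},
}


def parse_avc(line):
    """Extract denied perms, source/target SELinux types and object class from an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context looks like user:role:type:level; the type is the third field.
    return {
        'perms': set(m.group('perms').split()),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def suggest_rule(line):
    """Return the raw allow rule and, if one fits, the narrowest pattern macro for the denial."""
    avc = parse_avc(line)
    if avc is None:
        return None
    src, tgt, cls, denied = avc['stype'], avc['ttype'], avc['tclass'], avc['perms']
    raw = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(denied))} }};"
    # Only macros for the *same object class* are candidates; prefer the least permissive one.
    fits = [(len(p), name) for (c, name), p in MACROS.items() if c == cls and denied <= p]
    macro = f"{min(fits)[1]}({src}, {tgt}, {tgt})" if fits else None
    return {'raw': raw, 'macro': macro}


if __name__ == '__main__':
    for avc_line in SAMPLE_AVCS:
        print(suggest_rule(avc_line))
```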
PR merged to Fedora Rawhide, F31 and F30
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.