Bug 1777936 - start of the uuidd service triggers SELinux denials
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Milos Malik
Reported: 2019-11-28 17:54 UTC by Milos Malik
Modified: 2020-01-21 01:38 UTC (History)

Fixed In Version: selinux-policy-3.14.4-44.fc31
Last Closed: 2020-01-21 01:38:46 UTC
Type: Bug


Description Milos Malik 2019-11-28 17:54:49 UTC
Description of problem:
 * the uuidd service runs, but it cannot transition into the correct domain (uuidd_t)

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-40.fc31.noarch
selinux-policy-targeted-3.14.4-40.fc31.noarch
uuidd-2.34-3.fc31.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 machine (targeted policy is active)
2. start the uuidd service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(11/28/2019 12:43:47.724:293) : proctitle=/usr/sbin/uuidd --socket-activation 
type=PATH msg=audit(11/28/2019 12:43:47.724:293) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=136860 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/28/2019 12:43:47.724:293) : item=0 name=/usr/sbin/uuidd inode=144736 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:uuidd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/28/2019 12:43:47.724:293) : cwd=/ 
type=EXECVE msg=audit(11/28/2019 12:43:47.724:293) : argc=2 a0=/usr/sbin/uuidd a1=--socket-activation 
type=SYSCALL msg=audit(11/28/2019 12:43:47.724:293) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55979be631a0 a1=0x55979bea3030 a2=0x55979be6b470 a3=0x7 items=2 ppid=1 pid=1181 auid=unset uid=uuidd gid=uuidd euid=uuidd suid=uuidd fsuid=uuidd egid=uuidd sgid=uuidd fsgid=uuidd tty=(none) ses=unset comm=uuidd exe=/usr/sbin/uuidd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(11/28/2019 12:43:47.724:293) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:uuidd_t:s0 
type=AVC msg=audit(11/28/2019 12:43:47.724:293) : avc:  denied  { nnp_transition } for  pid=1181 comm=(uuidd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:uuidd_t:s0 tclass=process2 permissive=0 
----

Expected results:
 * no SELinux denials
 * the uuidd service runs under uuidd_t context

Additional info:
# ps -efZ | grep uuidd
system_u:system_r:init_t:s0     uuidd       1181       1  0 12:43 ?        00:00:00 /usr/sbin/uuidd --socket-activation
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 1198 939  0 12:47 pts/0 00:00:00 grep --color=auto uuidd
#
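
An added example, not part of the original bug report or the selinux-policy project: a Python check that groups audit records by event and flags the failure mode reported above, where an nnp_transition denial leaves a successfully executed service running in the caller's domain. It assumes interpreted (ausearch -i style) records as quoted in the report; the sample records are abridged from that event plus one constructed unrelated event, and the function and key names are this example's own.

```python
import re
from collections import defaultdict

# Records abridged from the audit event quoted in this report (unused fields
# trimmed); the final SYSCALL line is a constructed, unrelated event.
SAMPLE = """\
type=SYSCALL msg=audit(11/28/2019 12:43:47.724:293) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1 pid=1181 comm=uuidd exe=/usr/sbin/uuidd subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(11/28/2019 12:43:47.724:293) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:uuidd_t:s0
type=AVC msg=audit(11/28/2019 12:43:47.724:293) : avc:  denied  { nnp_transition } for  pid=1181 comm=(uuidd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:uuidd_t:s0 tclass=process2 permissive=0
type=SYSCALL msg=audit(11/28/2019 12:50:01.100:310) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1 pid=1300 comm=example exe=/usr/bin/example subj=system_u:system_r:init_t:s0 key=(null)
"""

# type=<T> msg=audit(<timestamp>:<serial>) : <body>; records sharing the id form one event
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*:\d+)\)\s*:\s*(.*)$")
DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def unconfined_after_nnp_denial(log_text):
    """Find execve events that succeeded while the NNP domain transition was denied."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype].append(body)

    findings = []
    for event_id, records in events.items():
        for avc in records["AVC"]:
            perms = DENIAL_RE.search(avc)
            if not perms or "nnp_transition" not in perms.group(1).split():
                continue
            denied = dict(FIELD_RE.findall(avc))
            for syscall in records["SYSCALL"]:
                sc = dict(FIELD_RE.findall(syscall))
                # The exec went through, but the process kept the caller's
                # domain instead of entering the target domain.
                if (sc.get("syscall") == "execve" and sc.get("success") == "yes"
                        and sc.get("subj") == denied.get("scontext")):
                    findings.append({"event": event_id, "exe": sc.get("exe"),
                                     "running_as": sc["subj"],
                                     "intended": denied.get("tcontext")})
    return findings


if __name__ == "__main__":
    for f in unconfined_after_nnp_denial(SAMPLE):
        print("{exe} runs as {running_as}, policy target was {intended} (event {event})".format(**f))
```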

Comment 2 Richard Fiľo 2019-11-29 13:44:14 UTC
Link to scratch build with fix: https://copr-be.cloud.fedoraproject.org/results/rfilo/Selinux-policy-f31/fedora-31-x86_64/01120543-selinux-policy/

It should be fixed in the selinux-policy packages.

PR: https://github.com/fedora-selinux/selinux-policy-contrib/pull/173

Comment 3 Lukas Vrabec 2019-11-29 15:36:52 UTC
commit 29cc7c44b93fd2c34426dad4d410d0672c7aa014 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Fri Nov 29 14:04:54 2019 +0100

    Allow uuidd_t Domain transition from systemd into confined domain with NoNewPrivileges Systemd Security feature.
    
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1777936

Comment 4 Fedora Update System 2020-01-14 01:43:35 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-397eea28b7

Comment 5 Fedora Update System 2020-01-21 01:38:46 UTC
selinux-policy-3.14.4-44.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

