Bug 1779098
| Summary: | SELinux prevents timedatex from searching the /etc/selinux/targeted/contexts/files directory | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Pitt <mpitt> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.2 | CC: | lvrabec, mlichvar, mmalik, mprchlik, omejzlik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified, Reopened |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-38.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 16:41:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Martin Pitt
2019-12-03 10:09:00 UTC
*** Bug 1779641 has been marked as a duplicate of this bug. ***

We have not seen this any more in our tests since December 17th, so a recent RHEL 8.2 update fixed that.

Miroslav,
It was reported that timedatex requests reading files in /etc/selinux/targeted/contexts/files/ and writing to /sys/fs/selinux/context. Could you help with answering these questions?
1. Are these access attempts correct and expected?
2. If the access was not granted but rather dontaudited, would it have impact on the command behaviour?
The easiest reproducer is to change timezone:
timedatectl set-timezone Europe/Bratislava
The time zone actually changes, there is no error reported, and the exit code is 0, however AVC denials appear. In SELinux enforcing mode, timedatex is denied access to /etc/selinux/targeted/contexts/. In permissive mode, we can see that files in /etc/selinux/targeted/contexts/files/ were read and subsequently /sys/fs/selinux/context was written to. According to the audit logs it really was the timedatex command, started by systemd. It happens in RHEL 8.2 only.
systemd-239-21.el8.x86_64
timedatex-0.5-3.el8.x86_64
----
type=PROCTITLE msg=audit(01/22/20 16:36:16.841:329) : proctitle=/usr/sbin/timedatex
type=PATH msg=audit(01/22/20 16:36:16.841:329) : item=0 name=/etc/selinux/targeted/contexts/files/file_contexts.subs_dist nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/22/20 16:36:16.841:329) : cwd=/
type=SYSCALL msg=audit(01/22/20 16:36:16.841:329) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55e8a9a34df0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5624 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=timedatex exe=/usr/sbin/timedatex subj=system_u:system_r:timedatex_t:s0 key=(null)
type=AVC msg=audit(01/22/20 16:36:16.841:329) : avc: denied { search } for pid=5624 comm=timedatex name=contexts dev="vda1" ino=2594507 scontext=system_u:system_r:timedatex_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0
The timedatex code uses matchpathcon_init_prefix() and matchpathcon() to fix the context of the /etc/localtime file when the timezone is changed. Does that explain the reported file operations?

Miroslav,

Thank you for your explanation. I have another question though: do you think the code in set_localtime_file_context() is necessary? There are SELinux policy transitions in place:

rhel82# sesearch -T -s timedatex_t -t etc_t
type_transition timedatex_t etc_t:file locale_t locale.conf;
type_transition timedatex_t etc_t:file locale_t localtime;
type_transition timedatex_t etc_t:file locale_t timezone;
type_transition timedatex_t etc_t:file locale_t vconsole.conf;
type_transition timedatex_t etc_t:file locale_t;
type_transition timedatex_t etc_t:lnk_file locale_t localtime;
type_transition timedatex_t etc_t:lnk_file locale_t;

introduced in https://bugzilla.redhat.com/show_bug.cgi?id=1730204#c5, meaning the context of /etc/localtime is set properly when the symlink is created. Anyway, the library calls are ineffective at the moment as the access is not allowed by SELinux, and there is no apparent reason to do so unless you have some example where the transitions are not working.

If the context of /etc/localtime is now set automatically, I suppose we could disable that code in timedatex. However, there are no other bugs currently reported for timedatex and I'm not sure how quickly we could get that change out. Would it make sense to disable logging of those messages for timedatex in the selinux policy?

Miroslav,
This bug is of high priority and needs to be resolved soon. Before taking an action though I would like to confirm with you the current state. The timedatex support has been in selinux-policy since version 3.14.3-25.el8. The current version is 3.14.3-36.el8.
Note there are 2 kinds of type transitions: one for a given filename and a general one; wildcards or regexps are not supported.
In timedatex, firstly localtime.NNNNNN is created:
    if (snprintf(tmp, sizeof tmp, "%s.%06u", LOCALTIME_PATH, g_random_int()) >= sizeof tmp)
        goto error;
    if (symlink(link, tmp))
        goto error;
This is when the general rule applies:
type_transition timedatex_t etc_t:file locale_t;
Then set_localtime_file_context() is called, but is denied access to /etc/selinux/targeted/contexts/; in permissive mode, even more denials are reported.
Eventually, the temporary file is renamed:
    if (rename(tmp, LOCALTIME_PATH)) {
        unlink(tmp);
        goto error;
    }
Rename does not change extended attributes, hence keeps the context.
As a result, I think calling set_localtime_file_context() can be omitted. If the decision on your side needs to be considered or tested, we can create a dontaudit rule in selinux-policy right away and remove it later.
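The rule selection described in the comment above (a transition that names the exact filename wins over the general rule, and there is no wildcard matching, so localtime.NNNNNN can only ever hit the general rule) can be modelled in a few lines. The following is an added example, not code from the bug report, from timedatex or from selinux-policy. It parses the sesearch output quoted earlier in the thread; the `resolve_type` function and its fallback of inheriting the parent directory's type when no rule matches are this example's own simplification of the kernel's behaviour.

```python
"""Added example: how SELinux picks the label of a newly created object.

Rules come from the sesearch output quoted in this bug.  A type_transition
that names the exact filename beats the general (unnamed) rule for the same
source type, target (parent directory) type and object class.  There is no
wildcard matching, so "localtime.123456" only ever hits the general rule.
"""
import re

# sesearch -T -s timedatex_t -t etc_t, as quoted in the thread.
SESEARCH_OUTPUT = """\
type_transition timedatex_t etc_t:file locale_t locale.conf;
type_transition timedatex_t etc_t:file locale_t localtime;
type_transition timedatex_t etc_t:file locale_t timezone;
type_transition timedatex_t etc_t:file locale_t vconsole.conf;
type_transition timedatex_t etc_t:file locale_t;
type_transition timedatex_t etc_t:lnk_file locale_t localtime;
type_transition timedatex_t etc_t:lnk_file locale_t;
"""

# type_transition <src> <tgt>:<class> <new> [<filename>];
RULE_RE = re.compile(
    r"^type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<new>[^\s;]+)(?:\s+(?P<name>[^\s;]+))?;$"
)


def parse_rules(text):
    """Parse sesearch -T output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised rule: %r" % line)
        rules.append(m.groupdict())   # "name" is None for the general rule
    return rules


def resolve_type(rules, src, tgt, cls, name):
    """Return (new_type, how) for an object called `name` of class `cls`
    created by domain `src` in a directory labelled `tgt`.

    how is "named" (filename rule matched), "general" (unnamed rule matched)
    or "inherit" (no rule; the parent directory's type is used, which is
    this example's simplified version of the kernel default)."""
    def matches(rule):
        return (rule["src"], rule["tgt"], rule["cls"]) == (src, tgt, cls)

    for rule in rules:                      # exact filename wins ...
        if matches(rule) and rule["name"] == name:
            return rule["new"], "named"
    for rule in rules:                      # ... then the general rule
        if matches(rule) and rule["name"] is None:
            return rule["new"], "general"
    return tgt, "inherit"


RULES = parse_rules(SESEARCH_OUTPUT)


def timedatex_flow(rules=RULES):
    """The sequence from the bug: symlink localtime.NNNNNN is created in
    /etc (etc_t), then renamed over /etc/localtime.  rename(2) keeps the
    inode's label, so the label chosen at creation time is what matters."""
    tmp = "localtime.%06d" % 123456          # constructed random suffix
    created = resolve_type(rules, "timedatex_t", "etc_t", "lnk_file", tmp)
    # rename() does not relabel: /etc/localtime ends up with `created`.
    return {"tmp_name": tmp, "tmp_label": created,
            "final_label_after_rename": created[0]}


if __name__ == "__main__":
    for cls, name in [("lnk_file", "localtime.123456"), ("lnk_file", "localtime"),
                      ("file", "timezone"), ("dir", "newdir")]:
        print(cls, name, resolve_type(RULES, "timedatex_t", "etc_t", cls, name))
    print(timedatex_flow())
```

Running it shows the point of the comment: the temporary symlink gets locale_t from the general lnk_file rule, and because rename() does not touch the inode's label, /etc/localtime carries that label afterwards without any relabelling by timedatex.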
Your explanation makes sense to me. I can disable that code in timedatex, but it may take some time before we can make an update of the component. Currently there is nothing planned. If you need it soon, it's probably better to disable auditing of the access.

Agreed. Note also the same applies for Fedora 31 and newer.

For the record, this is the right transition which applies to a symlink with unpredictable filename:

type_transition timedatex_t etc_t:lnk_file locale_t;

A policy PR has been sent for review: https://github.com/fedora-selinux/selinux-policy-contrib/pull/187

PR is merged.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773
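The step between the audit records quoted earlier in the thread and the dontaudit rule the thread settles on is the one audit2allow performs: read the AVC record, take the type out of each context, and emit a rule for the (source, target, class) triple. The following is an added example that does that in plain Python; it is not code from selinux-policy, timedatex or the audit tools. The first sample record is the one quoted in the bug; the other two are constructed for this example, and their target type (file_context_t for files under /etc/selinux/targeted/contexts/files/) is an assumption.

```python
"""Added example: turn AVC denial records into the policy rule they imply.

This is the audit2allow-style step behind the dontaudit rule discussed in
the thread.  It is not code from selinux-policy, timedatex or audit2allow.
"""
import re

SAMPLE_AVC_LINES = [
    # quoted from the bug report (enforcing mode, permissive=0)
    'type=AVC msg=audit(01/22/20 16:36:16.841:329) : avc: denied { search } '
    'for pid=5624 comm=timedatex name=contexts dev="vda1" ino=2594507 '
    'scontext=system_u:system_r:timedatex_t:s0 '
    'tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0',
    # constructed: the kind of record permissive mode would add for the
    # read of the file_contexts files (file_context_t is an assumption)
    'type=AVC msg=audit(01/22/20 16:40:00.000:340) : avc: denied { read } '
    'for pid=5700 comm=timedatex name=file_contexts.subs_dist dev="vda1" ino=1 '
    'scontext=system_u:system_r:timedatex_t:s0 '
    'tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1',
    # constructed: second permission on the same object, to show merging
    'type=AVC msg=audit(01/22/20 16:40:00.000:340) : avc: denied { open } '
    'for pid=5700 comm=timedatex '
    'path="/etc/selinux/targeted/contexts/files/file_contexts.subs_dist" '
    'dev="vda1" ino=1 scontext=system_u:system_r:timedatex_t:s0 '
    'tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    # A context is user:role:type[:level]; policy rules are written on the type.
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines, kind="allow"):
    """Merge denials sharing (source, target, class) into one rule each,
    in the form audit2allow prints.  kind is "allow" or "dontaudit"; the
    thread chooses dontaudit because the access is not actually needed."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be allow or dontaudit, got %r" % kind)
    merged = {}   # (src, tgt, cls) -> permissions in first-seen order
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["source_type"], avc["target_type"], avc["tclass"])
        perms = merged.setdefault(key, [])
        for p in avc["perms"]:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("%s %s %s:%s %s;" % (kind, src, tgt, cls, perm_text))
    return rules


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        print(parse_avc(line))
    print("\n".join(summarize(SAMPLE_AVC_LINES, "dontaudit")))
```

On the record quoted in the bug the first emitted rule is `dontaudit timedatex_t default_context_t:dir search;`, which silences the enforcing-mode denial without granting the search; the constructed file records collapse into a single rule with both permissions. When deciding between allow and dontaudit, the question raised earlier in the thread is the right one: a dontaudit is only appropriate when the program behaves correctly without the access, which is the case here because the type transition already labels /etc/localtime.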