Bug 1803407 - SELinux policy for FreeRADIUS
Summary: SELinux policy for FreeRADIUS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-02-15 23:59 UTC by Terry Burton
Modified: 2020-11-04 21:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 01:56:06 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2020:4528 (last updated 2020-11-04 01:56:32 UTC)

Description Terry Burton 2020-02-15 23:59:19 UTC
Upstream FreeRADIUS ships packages that include a systemd unit file that invokes security features such as NoNewPrivileges and private mounts (/etc, /run, /tmp, ...).

These features require SELinux policy changes to the radiusd module in order for the daemon to be successfully launched.

Changes to support this have already been included in the Fedora selinux-policy-contrib repo:

https://github.com/fedora-selinux/selinux-policy-contrib/commit/013aa7aa580945d14d3c213a5b0d5643621fb395

It would be useful if this could be cherry-picked into supported RHEL releases.

All versions of RHEL are affected.

Comment 1 Milos Malik 2020-02-16 20:36:08 UTC
Once the following lines are added to the radiusd.service file:

NoNewPrivileges=true
RuntimeDirectory=radiusd
PrivateTmp=true
ReadOnlyDirectories=/etc/raddb/
ReadWriteDirectories=/var/log/radius/

the radiusd service does not start in enforcing mode and triggers the following SELinux denials:

----
type=PROCTITLE msg=audit(02/16/2020 15:31:50.658:331) : proctitle=(chown) 
type=PATH msg=audit(02/16/2020 15:31:50.658:331) : item=0 name=/run/systemd/unit-root/etc/raddb inode=41943360 dev=fd:01 mode=dir,755 ouid=root ogid=radiusd rdev=00:00 obj=system_u:object_r:radiusd_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/16/2020 15:31:50.658:331) : cwd=/ 
type=SYSCALL msg=audit(02/16/2020 15:31:50.658:331) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x55a919c86e40 a1=0x55a919c86e40 a2=0x0 a3=MS_BIND|MS_REC items=1 ppid=1 pid=5422 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(chown) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(02/16/2020 15:31:50.658:331) : avc:  denied  { mounton } for  pid=5422 comm=(chown) path=/run/systemd/unit-root/etc/raddb dev="vda1" ino=41943360 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(02/16/2020 15:31:50.671:332) : proctitle=(radiusd) 
type=PATH msg=audit(02/16/2020 15:31:50.671:332) : item=0 name=/run/systemd/unit-root/etc/raddb inode=41943360 dev=fd:01 mode=dir,755 ouid=root ogid=radiusd rdev=00:00 obj=system_u:object_r:radiusd_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/16/2020 15:31:50.671:332) : cwd=/ 
type=SYSCALL msg=audit(02/16/2020 15:31:50.671:332) : arch=x86_64 syscall=mount success=no exit=EACCES(Permission denied) a0=0x55a919bf1ea0 a1=0x55a919bf1ea0 a2=0x0 a3=MS_BIND|MS_REC items=1 ppid=1 pid=5424 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(radiusd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(02/16/2020 15:31:50.671:332) : avc:  denied  { mounton } for  pid=5424 comm=(radiusd) path=/run/systemd/unit-root/etc/raddb dev="vda1" ino=41943360 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radiusd_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(02/16/2020 15:31:50.671:333) : proctitle=(radiusd) 
type=PATH msg=audit(02/16/2020 15:31:50.671:333) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=6305477 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/16/2020 15:31:50.671:333) : item=0 name=/usr/sbin/radiusd inode=7134612 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:radiusd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/16/2020 15:31:50.671:333) : cwd=/ 
type=EXECVE msg=audit(02/16/2020 15:31:50.671:333) : argc=2 a0=/usr/sbin/radiusd a1=-C 
type=SYSCALL msg=audit(02/16/2020 15:31:50.671:333) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55a919cd3830 a1=0x55a919c0ba70 a2=0x55a919be6270 a3=0x0 items=2 ppid=1 pid=5424 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(02/16/2020 15:31:50.671:333) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:radiusd_t:s0 
type=AVC msg=audit(02/16/2020 15:31:50.671:333) : avc:  denied  { nnp_transition } for  pid=5424 comm=(radiusd) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:radiusd_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(02/16/2020 15:31:50.674:334) : proctitle=/usr/sbin/radiusd -C 
type=OBJ_PID msg=audit(02/16/2020 15:31:50.674:334) : opid=5424 oauid=unset ouid=root oses=-1 obj=system_u:system_r:init_t:s0 ocomm=radiusd 
type=SYSCALL msg=audit(02/16/2020 15:31:50.674:334) : arch=x86_64 syscall=ptrace success=no exit=EACCES(Permission denied) a0=PTRACE_ATTACH a1=0x1530 a2=0x0 a3=0x0 items=0 ppid=5424 pid=5425 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(02/16/2020 15:31:50.674:334) : avc:  denied  { ptrace } for  pid=5425 comm=radiusd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0 
----
type=PROCTITLE msg=audit(02/16/2020 15:31:50.691:335) : proctitle=(radiusd) 
type=PATH msg=audit(02/16/2020 15:31:50.691:335) : item=1 name=/var/log/radius/radius.log inode=39846219 dev=fd:01 mode=file,640 ouid=radiusd ogid=radiusd rdev=00:00 obj=system_u:object_r:radiusd_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/16/2020 15:31:50.691:335) : item=0 name=/var/log/radius/ inode=39846218 dev=fd:01 mode=dir,700 ouid=radiusd ogid=radiusd rdev=00:00 obj=system_u:object_r:radiusd_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/16/2020 15:31:50.691:335) : cwd=/ 
type=SYSCALL msg=audit(02/16/2020 15:31:50.691:335) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55770c72a630 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1a0 items=2 ppid=1 pid=5424 auid=unset uid=root gid=radiusd euid=root suid=root fsuid=root egid=radiusd sgid=radiusd fsgid=radiusd tty=(none) ses=unset comm=radiusd exe=/usr/sbin/radiusd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(02/16/2020 15:31:50.691:335) : avc:  denied  { append } for  pid=5424 comm=radiusd name=radius.log dev="vda1" ino=39846219 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:radiusd_log_t:s0 tclass=file permissive=0
----

# rpm -qa selinux\* freeradius\* | sort
freeradius-3.0.17-7.module+el8.2.0+4847+336970e8.x86_64
selinux-policy-3.14.3-38.el8.noarch
selinux-policy-targeted-3.14.3-38.el8.noarch
#

Comment 2 Lukas Vrabec 2020-02-16 20:40:22 UTC
Fixes from Fedora: 

commit 013aa7aa580945d14d3c213a5b0d5643621fb395
Author: Terry Burton <tez.uk>
Date:   Fri Feb 14 18:00:28 2020 +0000

    Update radiusd policy
    
    Allow SELinux Domain transition from systemd into confined domain with NoNewPrivileges
    
    Allow systemd to use dir with file contexts radiusd_etc_t, radiusd_log_t and
    radiusd_var_run_t as mount points
    
    Upstream FreeRADIUS systemd unit has NNP and private mount spaces:
    
    NoNewPrivileges=true
    RuntimeDirectory=radiusd
    PrivateTmp=true
    ReadOnlyDirectories=/etc/raddb/
    ReadWriteDirectories=/var/log/radius/
    
    Fedora will likely adopt this.
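
The raw allow rules implied by the AVC records in comment 1, written here as an illustrative local module; this is not the text of the Fedora commit above, which grants the same access through the policy's interface macros. Type and class names are taken from the denials and the commit message; the module name is an assumption.

```selinux
# Local policy module derived from the AVC records in comment 1.
# Illustration only: the Fedora commit expresses the same access through
# the policy's interface macros rather than raw allow rules.
module radiusd_nnp_local 1.0;

require {
    type init_t;            # systemd
    type radiusd_t;         # the confined radiusd domain
    type radiusd_etc_t;     # /etc/raddb      (ReadOnlyDirectories=)
    type radiusd_log_t;     # /var/log/radius (ReadWriteDirectories=)
    type radiusd_var_run_t; # /run/radiusd    (RuntimeDirectory=)
    class dir mounton;
    class process2 nnp_transition;
}

# Private mount namespace: systemd bind-mounts the unit's directories
# under /run/systemd/unit-root/... and needs "mounton" on the
# directory types (audit events 331 and 332 above).
allow init_t radiusd_etc_t:dir mounton;
allow init_t radiusd_log_t:dir mounton;
allow init_t radiusd_var_run_t:dir mounton;

# NoNewPrivileges=true: on execve the kernel permits the init_t -> radiusd_t
# domain transition only if radiusd_t is bounded by init_t or the policy
# grants nnp_transition (event 333, security_bounded_transition denied).
allow init_t radiusd_t:process2 nnp_transition;

# Deliberately not allowed here: the ptrace and append denials (events 334
# and 335) were raised by radiusd still running as init_t because the
# transition had failed. Once nnp_transition is granted the daemon runs as
# radiusd_t, and those accesses are judged against radiusd_t's own rules,
# so they should be re-evaluated there rather than granted to init_t.
```

Build and load with `checkmodule -M -m -o radiusd_nnp_local.mod radiusd_nnp_local.te`, `semodule_package -o radiusd_nnp_local.pp -m radiusd_nnp_local.mod` and `semodule -i radiusd_nnp_local.pp`, then re-check `ausearch -m AVC` after restarting the unit.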

Comment 15 errata-xmlrpc 2020-11-04 01:56:06 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4528

