Bug 1809000 - the rkt-metadata service triggers SELinux denials
Summary: the rkt-metadata service triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-02 08:50 UTC by Milos Malik
Modified: 2020-10-05 17:32 UTC (History)

Fixed In Version: selinux-policy-3.14.5-44.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-05 17:32:37 UTC
Type: Bug
Embargoed:



Description Milos Malik 2020-03-02 08:50:46 UTC
Description of problem:
 * the rkt-metadata service starts successfully, but some denials are triggered

Version-Release number of selected component (if applicable):
rkt-1.30.0-3.20190512git0c87656.fc32.x86_64
selinux-policy-3.14.5-28.fc32.noarch
selinux-policy-targeted-3.14.5-28.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 32 (targeted policy is active)
2. start the rkt-metadata service
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(03/02/2020 03:43:03.286:417) : proctitle=/usr/bin/rkt metadata-service 
type=PATH msg=audit(03/02/2020 03:43:03.286:417) : item=0 name=/sys/kernel/mm/transparent_hugepage/hpage_pmd_size inode=2540 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/02/2020 03:43:03.286:417) : cwd=/ 
type=SYSCALL msg=audit(03/02/2020 03:43:03.286:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x16393e0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=2218 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rkt exe=/usr/bin/rkt subj=system_u:system_r:rkt_t:s0 key=(null) 
type=AVC msg=audit(03/02/2020 03:43:03.286:417) : avc:  denied  { read } for  pid=2218 comm=rkt name=hpage_pmd_size dev="sysfs" ino=2540 scontext=system_u:system_r:rkt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-03-02 12:40:39 UTC
SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(03/02/2020 07:39:59.753:680) : proctitle=/usr/bin/rkt metadata-service 
type=PATH msg=audit(03/02/2020 07:39:59.753:680) : item=0 name=/sys/kernel/mm/transparent_hugepage/hpage_pmd_size inode=2540 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(03/02/2020 07:39:59.753:680) : cwd=/ 
type=SYSCALL msg=audit(03/02/2020 07:39:59.753:680) : arch=x86_64 syscall=openat success=yes exit=4 a0=0xffffff9c a1=0x16393e0 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=18112 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rkt exe=/usr/bin/rkt subj=system_u:system_r:rkt_t:s0 key=(null) 
type=AVC msg=audit(03/02/2020 07:39:59.753:680) : avc:  denied  { open } for  pid=18112 comm=rkt path=/sys/kernel/mm/transparent_hugepage/hpage_pmd_size dev="sysfs" ino=2540 scontext=system_u:system_r:rkt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
type=AVC msg=audit(03/02/2020 07:39:59.753:680) : avc:  denied  { read } for  pid=18112 comm=rkt name=hpage_pmd_size dev="sysfs" ino=2540 scontext=system_u:system_r:rkt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
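The enforcing run in the description shows only the `read` denial, because the failed openat() stops the service before a second access is attempted; the permissive run above surfaces both `open` and `read`. The following parser, added here and not part of this bug report, pulls the security-relevant fields out of the AVC records quoted above (copied into the sample as constructed input) and aggregates them into the minimal allow rule, separately for enforcing and permissive records; the aggregation mirrors the idea behind audit2allow but is a self-contained approximation, not that tool.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this bug
# (one enforcing-mode denial, two permissive-mode denials).
SAMPLE_AVCS = """\
type=AVC msg=audit(03/02/2020 03:43:03.286:417) : avc:  denied  { read } for  pid=2218 comm=rkt name=hpage_pmd_size dev="sysfs" ino=2540 scontext=system_u:system_r:rkt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(03/02/2020 07:39:59.753:680) : avc:  denied  { open } for  pid=18112 comm=rkt path=/sys/kernel/mm/transparent_hugepage/hpage_pmd_size dev="sysfs" ino=2540 scontext=system_u:system_r:rkt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(03/02/2020 07:39:59.753:680) : avc:  denied  { read } for  pid=18112 comm=rkt name=hpage_pmd_size dev="sysfs" ino=2540 scontext=system_u:system_r:rkt_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Matches the denied permission set, both contexts, the object class and
# the permissive flag of an audit AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return the security-relevant fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["permissive"] = d["permissive"] == "1"
    # A context is user:role:type:level; the type is what policy rules are written against.
    d["sdomain"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def needed_rules(text, only_permissive=None):
    """Aggregate denials into allow rules keyed by (source type, target type, class).

    only_permissive=True/False keeps only records from that mode; None keeps all."""
    rules = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None or (only_permissive is not None and d["permissive"] != only_permissive):
            continue
        rules[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return {k: sorted(v) for k, v in rules.items()}

def format_rules(rules):
    """Render aggregated rules in SELinux policy syntax."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(rules.items())]
```

Running `format_rules(needed_rules(SAMPLE_AVCS))` yields `allow rkt_t sysfs_t:file { open read };`, while restricting to enforcing-mode records yields only `{ read }`, which is why the permissive-mode capture was worth collecting before writing the policy change.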

Comment 3 Zdenek Pytela 2020-09-02 09:34:07 UTC
Merged and backported to F32.
commit cabd292137b71c97348eb499c8089aaf1f41a4a2 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Fri Mar 13 15:59:18 2020 +0100

    Update rkt policy to allow rkt_t domain to read sysfs filesystem
    
    The rkt_t domain needs to read the size of a transparent hugepage, which is found in hpage_pmd_size,
    to optimize memory allocation for rkt
    
    Adding the macro dev_read_sysfs(rkt_t), which allows reading files in the sysfs_t domain
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1809000

Comment 4 Fedora Update System 2020-10-02 07:03:44 UTC
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 5 Fedora Update System 2020-10-03 02:09:02 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-10-05 17:32:37 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.
