Bug 1822243 - SELinux prevents fuser (executed by tmpwatch) from stat()-ing files labeled nsfs_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Richard Fiľo
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-08 14:46 UTC by Milos Malik
Modified: 2020-06-11 22:57 UTC (History)

Fixed In Version: selinux-policy-3.14.5-40.fc32
Clone Of:
Environment:
Last Closed: 2020-06-11 22:57:09 UTC
Type: Bug
Embargoed:



Description Milos Malik 2020-04-08 14:46:12 UTC
Description of problem:

Version-Release number of selected component (if applicable):
psmisc-23.3-3.fc32.x86_64
selinux-policy-3.14.5-32.fc32.noarch
selinux-policy-devel-3.14.5-32.fc32.noarch
selinux-policy-doc-3.14.5-32.fc32.noarch
selinux-policy-minimum-3.14.5-32.fc32.noarch
selinux-policy-mls-3.14.5-32.fc32.noarch
selinux-policy-sandbox-3.14.5-32.fc32.noarch
selinux-policy-targeted-3.14.5-32.fc32.noarch
tmpwatch-2.11-16.fc32.x86_64

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 or 32 machine (targeted policy is active)
# mkdir /tmp/test
# touch /tmp/test/file
# echo '* * * * * root /usr/sbin/tmpwatch -vds -m 0 /tmp/test' >> /etc/crontab
# sleep 70
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(04/08/2020 16:31:01.859:1235) : proctitle=/usr/sbin/fuser -s . file 
type=PATH msg=audit(04/08/2020 16:31:01.859:1235) : item=0 name=/proc/819/fd/11 inode=4026531992 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/08/2020 16:31:01.859:1235) : cwd=/tmp/test 
type=SYSCALL msg=audit(04/08/2020 16:31:01.859:1235) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffca2d7f7e0 a1=0x7ffca2d7f6c0 a2=0x7ffca2d7f6c0 a3=0x558d5bf398ab items=1 ppid=17736 pid=17737 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fuser exe=/usr/sbin/fuser subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/08/2020 16:31:01.859:1235) : avc:  denied  { getattr } for  pid=17737 comm=fuser path=net:[4026531992] dev="nsfs" ino=4026531992 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials

Comment 3 Milos Malik 2020-05-29 15:18:02 UTC
It seems that there are no more SELinux denials in permissive mode:
----
type=PROCTITLE msg=audit(05/29/2020 11:15:01.974:315) : proctitle=/usr/sbin/fuser -s . file 
type=PATH msg=audit(05/29/2020 11:15:01.974:315) : item=0 name=/proc/510/fd/8 inode=4026531992 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/29/2020 11:15:01.974:315) : cwd=/tmp/test 
type=SYSCALL msg=audit(05/29/2020 11:15:01.974:315) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7ffcfc9964a0 a1=0x7ffcfc996380 a2=0x7ffcfc996380 a3=0x0 items=1 ppid=1054 pid=1055 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fuser exe=/usr/sbin/fuser subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/29/2020 11:15:01.974:315) : avc:  denied  { getattr } for  pid=1055 comm=fuser path=net:[4026531992] dev="nsfs" ino=4026531992 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 
----

Tested on Fedora Rawhide.
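The two AVC records above (the enforcing run in the description and the permissive run in this comment) differ only in the permissive flag, which is the detail that tells you whether the stat() actually failed or was merely logged. The following Python is an added example, not part of this bug report or of selinux-policy: it parses AVC records of this shape, pulls out the source and target types, class and permissions, and renders the allow rule that audit2allow would derive from them. The sample lines are copies of the records on this page; the rendered rule is illustrative of what the denial asks for, not the text of the actual fix in PR 253, which this page does not show.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the AVC records quoted in this bug (enforcing and permissive runs),
# plus one non-AVC record to show that other audit record types are skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(04/08/2020 16:31:01.859:1235) : avc:  denied  { getattr } for  pid=17737 comm=fuser path=net:[4026531992] dev="nsfs" ino=4026531992 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0',
    'type=CWD msg=audit(04/08/2020 16:31:01.859:1235) : cwd=/tmp/test',
    'type=AVC msg=audit(05/29/2020 11:15:01.974:315) : avc:  denied  { getattr } for  pid=1055 comm=fuser path=net:[4026531992] dev="nsfs" ino=4026531992 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1',
]

# "avc:  denied  { getattr } for  pid=... comm=... scontext=... tcontext=... tclass=... permissive=N"
AVC_RE = re.compile(
    r'avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (dev="nsfs") or bare (path=net:[4026531992])
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """Return the type component of an SELinux context user:role:type[:range]."""
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one audit line; return a record dict for AVC lines, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'action': m.group('action'),
        'perms': m.group('perms').split(),
        'source_type': _type_of(fields['scontext']),
        'target_type': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        # permissive=1 means the access was logged but still allowed to proceed
        'permissive': fields.get('permissive') == '1',
    }


def allow_rule(rec: Dict) -> str:
    """Render the allow rule this denial asks for, in the form audit2allow would print."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ ' + perms + ' }'
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {perms};"


def enforced_denials(lines: List[str]) -> List[str]:
    """Rules for denials that actually blocked the operation (enforcing mode only)."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['action'] == 'denied' and not rec['permissive']:
            out.append(allow_rule(rec))
    return out


def needed_rules(lines: List[str]) -> List[str]:
    """Unique rules implied by all denials, regardless of enforcing/permissive mode."""
    rules = {allow_rule(r) for r in map(parse_avc, lines) if r and r['action'] == 'denied'}
    return sorted(rules)


if __name__ == '__main__':
    print('blocked in enforcing mode:', enforced_denials(SAMPLE_AUDIT))
    print('rules implied by all denials:', needed_rules(SAMPLE_AUDIT))
```

Both records reduce to the same rule, `allow tmpreaper_t nsfs_t:file getattr;`, which is what "Allow to getattr files on an nsfs filesystem" in the fix commit refers to. On a machine with the updated policy installed you can confirm the rule is present with setools, e.g. `sesearch -A -s tmpreaper_t -t nsfs_t -c file -p getattr`; an empty result means the running policy still lacks it.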

Comment 4 Lukas Vrabec 2020-05-29 15:24:53 UTC
commit c12141fc25fa4d48b8d2d12e1fd4df235d85a046 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Richard Filo <rfilo>
Date:   Fri May 29 12:21:11 2020 +0200

    Allow to getattr files on an nsfs filesystem
    
    fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1822243

https://github.com/fedora-selinux/selinux-policy-contrib/pull/253

Backported to F32.

Comment 5 Fedora Update System 2020-06-05 13:42:11 UTC
FEDORA-2020-ca8855e4de has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

Comment 6 Fedora Update System 2020-06-08 01:46:03 UTC
FEDORA-2020-ca8855e4de has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-ca8855e4de`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-ca8855e4de

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-06-11 22:57:09 UTC
selinux-policy-3.14.5-40.fc32 has been pushed to the Fedora 32 stable repository. If problems still persist, please make note of it in this bug report.

