Bug 1874491 - SELinux prevents the fapolicyd process from writing to /run/dbus/system_bus_socket
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: fapolicyd
Version: 33
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Radovan Sroka
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2020-09-01 13:39 UTC by Milos Malik
Modified: 2020-11-27 01:21 UTC (History)

Fixed In Version: fapolicyd-1.0.1-1.fc34 fapolicyd-1.0.1-1.eln105 fapolicyd-1.0.1-1.fc32 fapolicyd-1.0.1-1.fc33
Last Closed: 2020-11-17 08:51:49 UTC
Type: Bug



Description Milos Malik 2020-09-01 13:39:29 UTC
Description of problem:
 * the fapolicyd service runs OK but 1 SELinux denial is triggered

Version-Release number of selected component (if applicable):
fapolicyd-1.0-4.fc33.x86_64
fapolicyd-selinux-1.0-4.fc33.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. start the fapolicyd service
3. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(09/01/2020 15:29:52.119:2483) : proctitle=/usr/sbin/fapolicyd 
type=PATH msg=audit(09/01/2020 15:29:52.119:2483) : item=0 name=/run/dbus/system_bus_socket inode=24817 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/01/2020 15:29:52.119:2483) : cwd=/ 
type=SOCKADDR msg=audit(09/01/2020 15:29:52.119:2483) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(09/01/2020 15:29:52.119:2483) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xa a1=0x56167d4f46f0 a2=0x1e a3=0x7ffc9ce8ec04 items=1 ppid=1 pid=21181 auid=unset uid=fapolicyd gid=fapolicyd euid=fapolicyd suid=fapolicyd fsuid=fapolicyd egid=fapolicyd sgid=fapolicyd fsgid=fapolicyd tty=(none) ses=unset comm=fapolicyd exe=/usr/sbin/fapolicyd subj=system_u:system_r:fapolicyd_t:s0 key=(null) 
type=AVC msg=audit(09/01/2020 15:29:52.119:2483) : avc:  denied  { write } for  pid=21181 comm=fapolicyd name=system_bus_socket dev="tmpfs" ino=24817 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2020-09-01 13:41:17 UTC
The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(09/01/2020 15:40:12.676:2532) : proctitle=/usr/sbin/fapolicyd 
type=PATH msg=audit(09/01/2020 15:40:12.676:2532) : item=0 name=/run/dbus/system_bus_socket inode=24817 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/01/2020 15:40:12.676:2532) : cwd=/ 
type=SOCKADDR msg=audit(09/01/2020 15:40:12.676:2532) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(09/01/2020 15:40:12.676:2532) : arch=x86_64 syscall=connect success=yes exit=0 a0=0xa a1=0x5621e70666f0 a2=0x1e a3=0x7ffc37010fe4 items=1 ppid=1 pid=21273 auid=unset uid=fapolicyd gid=fapolicyd euid=fapolicyd suid=fapolicyd fsuid=fapolicyd egid=fapolicyd sgid=fapolicyd fsgid=fapolicyd tty=(none) ses=unset comm=fapolicyd exe=/usr/sbin/fapolicyd subj=system_u:system_r:fapolicyd_t:s0 key=(null) 
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { connectto } for  pid=21273 comm=fapolicyd path=/run/dbus/system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { write } for  pid=21273 comm=fapolicyd name=system_bus_socket dev="tmpfs" ino=24817 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
----
type=USER_AVC msg=audit(09/01/2020 15:40:12.677:2533) : pid=611 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
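
The enforcing-mode run logs a single denial because connect() fails with EACCES at the sock_file write check, so the later connectto and send_msg checks are never reached; permissive mode lets the call continue and exposes them. The following added example (not part of this report and not fapolicyd or selinux-policy code; the function names are hypothetical) parses shortened copies of the records above and lists which accesses enforcing mode hid. The printed allow lines are a literal translation of the denials, not the change shipped in the fixed packages.

```python
import re
from collections import defaultdict

# AVC / USER_AVC records shortened from the audit output quoted in this
# report: only the fields the parser reads are kept.
SAMPLE = """\
type=AVC msg=audit(09/01/2020 15:29:52.119:2483) : avc:  denied  { write } for  pid=21181 comm=fapolicyd name=system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { connectto } for  pid=21273 comm=fapolicyd scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(09/01/2020 15:40:12.676:2532) : avc:  denied  { write } for  pid=21273 comm=fapolicyd name=system_bus_socket scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1
type=USER_AVC msg=audit(09/01/2020 15:40:12.677:2533) : pid=611 uid=dbus subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+"
    r"tclass=(?P<cls>\S+)\s+permissive=(?P<perm>[01])"
)

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_denials(text):
    """Return (permissive, source_type, target_type, class, perms) per record."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            out.append((m["perm"] == "1", se_type(m["s"]), se_type(m["t"]),
                        m["cls"], frozenset(m["perms"].split())))
    return out

def rules(denials, permissive):
    """Merge the denials seen in one mode into allow-rule strings."""
    merged = defaultdict(set)
    for perm, src, tgt, cls, perms in denials:
        if perm == permissive:
            merged[(src, tgt, cls)] |= perms
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in merged.items())

def masked_by_enforcing(denials):
    """Rules that only surfaced once the domain ran permissive."""
    return sorted(set(rules(denials, True)) - set(rules(denials, False)))

if __name__ == "__main__":
    d = parse_denials(SAMPLE)
    print("enforcing:", *rules(d, False), sep="\n  ")
    print("hidden until permissive:", *masked_by_enforcing(d), sep="\n  ")
```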

Comment 2 Milos Malik 2020-10-08 15:36:55 UTC
Test coverage for this bug exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/117

The PR waits for review.

Comment 3 Fedora Update System 2020-11-17 08:51:49 UTC
FEDORA-2020-580dc8d3ba has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2020-11-17 08:55:40 UTC
FEDORA-2020-e2dc088972 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e2dc088972

Comment 5 Fedora Update System 2020-11-17 08:57:48 UTC
FEDORA-2020-165e765d4e has been pushed to the Fedora ELN stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2020-11-17 09:03:07 UTC
FEDORA-2020-daefd8b8f6 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-daefd8b8f6

Comment 7 Fedora Update System 2020-11-17 09:10:21 UTC
FEDORA-2020-6323ce5fcf has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6323ce5fcf

Comment 8 Fedora Update System 2020-11-18 01:08:33 UTC
FEDORA-2020-e2dc088972 has been pushed to the Fedora 33 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e2dc088972`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e2dc088972

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2020-11-18 01:25:46 UTC
FEDORA-2020-daefd8b8f6 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-daefd8b8f6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-daefd8b8f6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2020-11-18 01:48:27 UTC
FEDORA-2020-6323ce5fcf has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6323ce5fcf`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6323ce5fcf

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2020-11-27 01:11:31 UTC
FEDORA-2020-daefd8b8f6 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2020-11-27 01:21:19 UTC
FEDORA-2020-e2dc088972 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

