Bug 1899548 - the rpmdb program triggers SELinux denials
Summary: the rpmdb program triggers SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-19 14:12 UTC by Milos Malik
Modified: 2021-03-04 14:32 UTC (History)

Fixed In Version: selinux-policy-3.14.6-31.fc33
Clone Of:
Environment:
Last Closed: 2020-12-12 01:05:04 UTC
Type: Bug
Embargoed:




Links:
 * Red Hat Bugzilla 1461313 (priority high, CLOSED): Rebuilding of rpm db set wrong SELinux context (last updated 2023-02-01 00:52:31 UTC)

Internal Links: 1836108 1906289

Description Milos Malik 2020-11-19 14:12:33 UTC
Description of problem:
 * if SELinux is enforcing then 'rpmdb --help' does not produce any output
 * if SELinux is permissive then 'rpmdb --help' prints its help message

Version-Release number of selected component (if applicable):
rpm-4.16.0-1.fc33.x86_64
selinux-policy-3.14.6-30.fc33.noarch
selinux-policy-targeted-3.14.6-30.fc33.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 33 machine (targeted policy is active)
2. log in as root
3. # rpmdb --help
4. # rpmdb --exportdb >& /tmp/output

Actual results (enforcing mode):
 * no output
 * many SELinux denials

Expected results:
 * help message is printed
 * no SELinux denials appear

Comment 1 Milos Malik 2020-11-19 14:13:50 UTC
The following SELinux denials appear after removal of dontaudit rules:
----
type=PROCTITLE msg=audit(11/19/2020 15:10:54.932:1569) : proctitle=rpmdb --help 
type=PATH msg=audit(11/19/2020 15:10:54.932:1569) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=5621 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/19/2020 15:10:54.932:1569) : item=0 name=/usr/bin/rpmdb inode=9863 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpmdb_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:10:54.932:1569) : cwd=/root 
type=EXECVE msg=audit(11/19/2020 15:10:54.932:1569) : argc=2 a0=rpmdb a1=--help 
type=SYSCALL msg=audit(11/19/2020 15:10:54.932:1569) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x557facb52890 a1=0x557faccfb2b0 a2=0x557faccf9420 a3=0x8 items=2 ppid=25604 pid=26021 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 
----

Comment 2 Milos Malik 2020-11-19 14:28:13 UTC
The following SELinux denials appear after running the 'rpmdb --exportdb >& /tmp/output' command in permissive mode:
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.377:1664) : proctitle=rpmdb --exportdb 
type=PATH msg=audit(11/19/2020 15:23:23.377:1664) : item=0 name=/var/lib/sss/mc/passwd inode=265511 dev=fc:02 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_public_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:23:23.377:1664) : cwd=/root 
type=SYSCALL msg=audit(11/19/2020 15:23:23.377:1664) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55ddf588e6f0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.377:1664) : avc:  denied  { open } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.378:1665) : proctitle=rpmdb --exportdb 
type=SYSCALL msg=audit(11/19/2020 15:23:23.378:1665) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x3 a1=0x7ffccc823990 a2=0x7ffccc823990 a3=0x0 items=0 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.378:1665) : avc:  denied  { getattr } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.378:1666) : proctitle=rpmdb --exportdb 
type=MMAP msg=audit(11/19/2020 15:23:23.378:1666) : fd=3 flags=MAP_SHARED 
type=SYSCALL msg=audit(11/19/2020 15:23:23.378:1666) : arch=x86_64 syscall=mmap success=yes exit=139980478590976 a0=0x0 a1=0x8d32e0 a2=PROT_READ a3=MAP_SHARED items=0 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.378:1666) : avc:  denied  { map } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.379:1667) : proctitle=rpmdb --exportdb 
type=PATH msg=audit(11/19/2020 15:23:23.379:1667) : item=0 name=/var/lib/sss/pipes/nss inode=262651 dev=fc:02 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:23:23.379:1667) : cwd=/root 
type=SOCKADDR msg=audit(11/19/2020 15:23:23.379:1667) : saddr={ saddr_fam=local path=/var/lib/sss/pipes/nss } 
type=SYSCALL msg=audit(11/19/2020 15:23:23.379:1667) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x4 a1=0x7ffccc823930 a2=0x6e a3=0x1 items=1 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/var/lib/sss/pipes/nss scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { write } for  pid=26733 comm=rpmdb name=nss dev="vda2" ino=262651 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 
----
type=PROCTITLE msg=audit(11/19/2020 15:23:23.381:1668) : proctitle=rpmdb --exportdb 
type=PATH msg=audit(11/19/2020 15:23:23.381:1668) : item=0 name=/run/dbus/system_bus_socket inode=45342 dev=00:19 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/19/2020 15:23:23.381:1668) : cwd=/root 
type=SOCKADDR msg=audit(11/19/2020 15:23:23.381:1668) : saddr={ saddr_fam=local path=/run/dbus/system_bus_socket } 
type=SYSCALL msg=audit(11/19/2020 15:23:23.381:1668) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x6 a1=0x55ddf5890da0 a2=0x1e a3=0x7ffccc823574 items=1 ppid=25604 pid=26733 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/19/2020 15:23:23.381:1668) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/run/dbus/system_bus_socket scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(11/19/2020 15:23:23.381:1668) : avc:  denied  { write } for  pid=26733 comm=rpmdb name=system_bus_socket dev="tmpfs" ino=45342 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
----

Comment 3 Milos Malik 2020-11-19 14:58:13 UTC
Forgotten in the logs:
----
type=USER_AVC msg=audit(11/19/2020 15:23:23.383:1669) : pid=670 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' 
----
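An added example, not part of the report or of the selinux-policy project: a small Python triage script that parses the type=AVC and type=USER_AVC records quoted above into (source type, target type, class) triples, merges the permissions per triple, and renders candidate policy rules for review. The allow/dontaudit split it applies (allow only the terminal access, dontaudit the rest) is a constructed illustration, not the rules in the merged PR.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC/USER_AVC records quoted in the report above.
SAMPLE_AUDIT = r"""
type=AVC msg=audit(11/19/2020 15:10:54.932:1569) : avc:  denied  { read write } for  pid=26021 comm=rpmdb path=/dev/pts/0 dev="devpts" ino=3 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(11/19/2020 15:23:23.377:1664) : avc:  denied  { open } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/19/2020 15:23:23.378:1665) : avc:  denied  { getattr } for  pid=26733 comm=rpmdb path=/var/lib/sss/mc/passwd dev="vda2" ino=265511 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/19/2020 15:23:23.379:1667) : avc:  denied  { connectto } for  pid=26733 comm=rpmdb path=/var/lib/sss/pipes/nss scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(11/19/2020 15:23:23.383:1669) : pid=670 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
"""

# Matches the avc: payload of both type=AVC and type=USER_AVC (msg='avc: ...') records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc_records(text):
    """Return one dict per denial: source type, target type, class, permissions, mode."""
    out = []
    for m in (AVC_RE.search(line) for line in text.splitlines()):
        if m:
            out.append({"stype": selinux_type(m["sctx"]), "ttype": selinux_type(m["tctx"]),
                        "tclass": m["tclass"], "perms": frozenset(m["perms"].split()),
                        "permissive": m["perm"] == "1"})
    return out

def summarize(records):
    """Merge permissions per (source, target, class) triple, the unit one policy rule covers."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return {k: frozenset(v) for k, v in merged.items()}

def render_rules(summary, allow_classes=("chr_file",)):
    """Emit allow for classes the domain legitimately needs, dontaudit for the rest.
    Allowing only the terminal (chr_file) access is a constructed illustration that
    matches the outcome in comment 5; it is not the merged policy change."""
    rules = []
    for (s, t, c), perms in sorted(summary.items()):
        kind = "allow" if c in allow_classes else "dontaudit"
        rules.append(f"{kind} {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return rules
```

Run `render_rules(summarize(parse_avc_records(SAMPLE_AUDIT)))` to get one rule per triple; the permissive flag in each record tells you whether the access was actually blocked (comment 1) or only logged (comment 2).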

Comment 4 Zdenek Pytela 2020-11-19 15:49:31 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/368

Given the https://bugzilla.redhat.com/show_bug.cgi?id=1461313#c73 comment, rpmdb does not need the access.
In case resolv.conf is a file, the access is dontaudited.
If it is a symlink, read access is allowed to the symlink, but the link target is dontaudited again.

Comment 5 Zdenek Pytela 2020-11-20 20:57:59 UTC
After merging the PR, rpmdb --help can write to the terminal. I can't see other denials either.

Comment 6 Milos Malik 2020-11-23 14:44:28 UTC
The other SELinux denials appear when the sssd service is running and when the /etc/nsswitch.conf file contains lines like these:

# grep -v ^# /etc/nsswitch.conf | grep sss
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
shadow:     sss files
protocols:  sss files
rpc:        sss files
hosts:      sss files dns myhostname
aliases:    sss files nisplus
#

Comment 7 Milos Malik 2020-11-25 10:00:18 UTC
Test coverage for this bug exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/140

The PR waits for review.

Comment 8 Fedora Update System 2020-12-09 14:37:19 UTC
FEDORA-2020-aff0be81b3 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

Comment 9 Fedora Update System 2020-12-11 00:04:27 UTC
FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-aff0be81b3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-aff0be81b3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2020-12-12 01:05:04 UTC
FEDORA-2020-aff0be81b3 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

