Bug 1902227
| Summary: | Device /dev/isst_interface is labeled with device_t which breaks STIG compliance | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.3 | CC: | lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.4 | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
The /dev/isst_interface had no particular label defined in the policy.
Consequence:
The generic device_t label was assigned which is not allowed by STIG.
Fix:
Define cpu_device_t type in the policy for /dev/isst_interface and an appropriate file transition.
Result:
The /dev/isst_interface file is now labeled as cpu_device_t.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:58:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Handle 0x0004, DMI type 4, 42 bytes
Processor Information
Socket Designation: CPU #000
Type: Central Processor
Family: Unknown
Manufacturer: GenuineIntel
ID: 54 06 05 00 FF FB AB 0F
Version: Intel(R) Xeon(R) Gold 6130 CPU @ 2.10GHz
Voltage: 3.3 V
External Clock: Unknown
Max Speed: 30000 MHz
Current Speed: 2100 MHz
Status: Populated, Enabled
Upgrade: ZIF Socket
L1 Cache Handle: 0x0054
L2 Cache Handle: 0x0094
L3 Cache Handle: Not Provided
Serial Number: Not Specified
Asset Tag: Not Specified
Part Number: Not Specified
Core Count: 1
Core Enabled: 1
Characteristics:
64-bit capable
Execute Protection
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 85
model name : Intel(R) Xeon(R) Gold 6130 CPU @ 2.10GHz
stepping : 4
microcode : 0x2006906
cpu MHz : 2095.078
cache size : 22528 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 13
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm 3dnowprefetch cpuid_fault pti ssbd ibrs ibpb stibp fsgsbase smep arat md_clear flush_l1d arch_capabilities
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit
bogomips : 4190.15
clflush size : 64
cache_alignment : 64
address sizes : 40 bits physical, 48 bits virtual
power management:
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/518 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1639 |
Description of problem: A customer running a system with "Intel Xeon Gold" CPU has device /dev/isst_interface labeled with "device_t". When applying STIG compliance, the rule "SV-86663r1_rule" fails ("All system device files must be correctly labeled to prevent unauthorized modification."). I know there is no RHEL8 STIG profile yet but this rule will likely exist. This /dev/isst_interface is set up by Interl Speed Select Interface kernel module (drivers/platform/x86/intel_speed_select_if/isst_if_common.c) and consumer is a binary named /usr/bin/intel-speed-select ("bin_t"). Since the device is used to control CPU stepping, I think the character device should be labeled with "cpu_device_t". Version-Release number of selected component (if applicable): selinux-policy-3.14.3-54.el8.noarch and Upstream policy (at least Fedora Rawhide) How reproducible: Always on customer system, I don't have the hardware to reproduce. Additional info: The module is a new feature of 8.3 kernel apparently, controlled by CONFIG_INTEL_SPEED_SELECT_INTERFACE=m option. Suggested fix: same context as "microcode" policy/modules/kernel/devices.if: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- filetrans_pattern($1, device_t, cpu_device_t, chr_file, "isst_interface") -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- .fc: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- /dev/isst_interface -c gen_context(system_u:object_r:cpu_device_t,s0) -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------