Bug 1926699 - avc denial for gpg-agent with systemd-run
Summary: avc denial for gpg-agent with systemd-run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-09 09:59 UTC by Kaleem
Modified: 2021-05-18 15:49 UTC (History)

Fixed In Version: ipa-4.9.2-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:48:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links:
Fedora Pagure: freeipa issue 8699 (last updated 2021-02-09 11:38:54 UTC)

Description Kaleem 2021-02-09 09:59:24 UTC
Description of problem:

One of our tests sets up the gpg-agent with systemd-run, and the following AVC denial is seen during this.

[root@master ~]# ausearch -c '(pg-agent)' --raw
type=AVC msg=audit(1612858362.119:3279): avc:  denied  { execute } for  pid=36606 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1612858362.119:3279): arch=c000003e syscall=59 success=no exit=-13 a0=55c863542480 a1=55c8634443f0 a2=55c863649050 a3=7f31ae994bc0 items=0 ppid=1 pid=36606 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(pg-agent)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1612858362.119:3279): proctitle="(pg-agent)"
type=AVC msg=audit(1612863124.959:3500): avc:  denied  { execute } for  pid=37433 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1612863124.959:3500): arch=c000003e syscall=59 success=no exit=-13 a0=55c863542480 a1=55c8635008a0 a2=55c863696200 a3=7f31ae994bc0 items=0 ppid=1 pid=37433 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(pg-agent)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1612863124.959:3500): proctitle="(pg-agent)"
[root@master ~]#


Version-Release number of selected component (if applicable):
[root@master ~]# rpm -q selinux-policy gnupg2
selinux-policy-3.14.3-62.el8.noarch
gnupg2-2.2.20-2.el8.x86_64
[root@master ~]# 

How reproducible:
Always

Steps to Reproduce:
1. Execute the following step:
/bin/systemd-run --service-type=forking --setenv=GNUPGHOME=/tmp/tmpraace7xx/gnupg --setenv=LC_ALL=C.UTF-8 --setenv=LANGUAGE=C --unit=gpg-agent /usr/bin/gpg-agent --daemon --batch

Actual results:
Setup of gpg-agent as a service failed and an AVC denial was seen.

Expected results:
No AVC denial should be seen, and setup of gpg-agent as a service should succeed.

Additional info:

Comment 1 Alexander Bokovoy 2021-02-09 10:39:03 UTC
# sesearch -s init_t -t gpg_agent_exec_t -A
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow init_t file_type:blk_file { getattr relabelfrom relabelto };
allow init_t file_type:chr_file { getattr relabelfrom relabelto };
allow init_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow init_t file_type:fifo_file { getattr relabelfrom relabelto };
allow init_t file_type:file { getattr relabelfrom relabelto };
allow init_t file_type:filesystem { getattr unmount };
allow init_t file_type:lnk_file { getattr relabelfrom relabelto };
allow init_t file_type:sock_file { getattr relabelfrom relabelto };
allow init_t non_security_file_type:dir { create getattr }; [ init_create_dirs ]:True
allow init_t non_security_file_type:dir { mounton setattr write }; [ init_create_dirs ]:True
allow init_t non_security_file_type:dir { read setattr }; [ init_create_dirs ]:True
allow init_t non_security_file_type:file mounton; [ init_create_dirs ]:True

Prior to https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d we ran this unconfined:

# sesearch -s unconfined_t -t gpg_agent_exec_t -A
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow files_unconfined_type file_type:blk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:chr_file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:dir { add_name append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto remove_name rename reparent rmdir search setattr swapon unlink write };
allow files_unconfined_type file_type:fifo_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:file execmod; [ selinuxuser_execmod ]:True
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount transition unmount };
allow files_unconfined_type file_type:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:service { disable enable reload start status stop };
allow files_unconfined_type file_type:sock_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow unconfined_domain_type file_type:service { disable enable reload start status stop };
allow unconfined_t file_type:system module_load;
allow unconfined_usertype application_exec_type:file { execute execute_no_trans getattr ioctl lock map open read };

Zdenek, what would you suggest?

We can add the SELinuxContext property to the systemd-run command line to set a specific context, but which one should we use here? Or maybe we should add the execute permission to init_t?

Comment 2 Alexander Bokovoy 2021-02-09 11:10:27 UTC
From IRC discussion: we can set SELinux context explicitly to system_u:system_r:initrc_t:s0:

/bin/systemd-run --service-type=forking --property SELinuxContext=system_u:system_r:initrc_t:s0 --setenv=GNUPGHOME=/path/to/gnupg --setenv=LC_ALL=C.UTF-8 --setenv=LANGUAGE=C --unit=gpg-agent /usr/bin/gpg-agent --daemon --batch

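As an added example (not code from the bug report or from FreeIPA): a small parser for the `ausearch --raw` AVC records in the description that spots the signature of this bug (systemd's own init_t domain denied execute on a confined daemon's *_exec_t entry point) and builds the corrected systemd-run invocation from Comment 2 with an explicit SELinuxContext property. The audit text is a constructed copy of the records above, trimmed to the fields the parser uses; the function names are mine.

```python
import re
import shlex

# Constructed sample: the AVC records from the bug description (ausearch --raw), trimmed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1612858362.119:3279): avc:  denied  { execute } for  pid=36606 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1612858362.119:3279): arch=c000003e syscall=59 success=no exit=-13 comm="(pg-agent)" exe="/usr/lib/systemd/systemd"
type=AVC msg=audit(1612863124.959:3500): avc:  denied  { execute } for  pid=37433 comm="(pg-agent)" name="gpg-agent" dev="vda3" ino=25171838 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:gpg_agent_exec_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for '
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one dict per AVC record; SYSCALL/PROCTITLE records are ignored."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["stype"] = rec["scontext"].split(":")[2]   # source domain type, e.g. init_t
        rec["ttype"] = rec["tcontext"].split(":")[2]   # target file type, e.g. gpg_agent_exec_t
        out.append(rec)
    return out

def needs_transient_context(records):
    """True when init_t (systemd) was denied execute on a *_exec_t file: a transient
    unit started from the init domain with no domain transition available."""
    return any(r["verdict"] == "denied" and r["stype"] == "init_t" and r["tclass"] == "file"
               and "execute" in r["perms"] and r["ttype"].endswith("_exec_t") for r in records)

def systemd_run_argv(gnupghome, context="system_u:system_r:initrc_t:s0"):
    """Corrected invocation from Comment 2: give the transient unit an explicit
    SELinuxContext so gpg-agent is started from initrc_t instead of init_t."""
    return ["/bin/systemd-run", "--service-type=forking",
            "--property", "SELinuxContext=" + context,
            "--setenv=GNUPGHOME=" + gnupghome, "--setenv=LC_ALL=C.UTF-8", "--setenv=LANGUAGE=C",
            "--unit=gpg-agent", "/usr/bin/gpg-agent", "--daemon", "--batch"]

if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for r in recs:
        print(f'{r["verdict"]} {r["perms"]} {r["stype"]} -> {r["ttype"]} ({r["tclass"]})')
    if needs_transient_context(recs):
        print(shlex.join(systemd_run_argv("/path/to/gnupg")))
```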
Comment 3 Alexander Bokovoy 2021-02-09 11:38:55 UTC
Upstream issue: https://pagure.io/freeipa/issue/8699

Comment 4 Alexander Bokovoy 2021-02-09 11:45:28 UTC
PR: https://github.com/freeipa/freeipa/pull/5535

Comment 6 Florence Blanc-Renaud 2021-02-11 08:11:03 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/46b0746fe9b043edb55649f7993cdc5b20b70c12

Comment 7 Florence Blanc-Renaud 2021-02-11 11:46:22 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/7ca2797eaca963fe94f7396353569f7f8ed6d09d

Comment 8 anuja 2021-02-17 11:27:54 UTC
Pre-verified using:
ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64
Using compose: rhel-8.4.0-mbs/9973-1386-idm/

Test logs:
test_ipaserver/test_install/test_installutils.py::test_bare_insufficient_ram_with_ca PASSED [ 98%]
test_ipaserver/test_install/test_installutils.py::test_bare_ram_ok PASSED [ 99%]
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED  [100%]
----------- generated html file: file:///home/cloud-user/report.html -----------
============== 160 passed, 4 skipped, 6 warnings in 30.85 seconds ==============

No AVC logged.

Comment 13 anuja 2021-02-19 09:34:16 UTC
Verified using nightly compose:
ipa-server-4.9.2-1.module+el8.4.0+9973+3d202164.x86_64

============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/libexec/platform-python
cachedir: /home/cloud-user/.pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-287.el8.x86_64-x86_64-with-redhat-8.4-Ootpa', 'Packages': {'pytest': '3.10.1', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.5'}}
rootdir: /usr/lib/python3.6/site-packages/ipatests, inifile:
plugins: metadata-1.11.0, html-1.22.1, multihost-3.0, sourceorder-0.5
collecting ... collected 164 items

test_ipaserver/test_adtrust_mockup.py::TestNetbiosName::test_NetbiosName PASSED [  0%]
test_ipaserver/test_changepw.py::test_changepw::test_bad_options PASSED  [  1%]
test_ipaserver/test_changepw.py::test_changepw::test_invalid_auth PASSED [  1%]
test_ipaserver/test_changepw.py::test_changepw::test_pwpolicy_error PASSED [  2%]
test_ipaserver/test_changepw.py::test_changepw::test_pwpolicy_success PASSED [  3%]
...
...
test_ipaserver/test_install/test_installutils.py::test_gpg_encrypt PASSED [ 88%]
test_ipaserver/test_install/test_installutils.py::test_gpg_asymmetric PASSED [ 89%]
...
...
test_ipaserver/test_install/test_installutils.py::test_bare_insufficient_ram_with_ca PASSED [ 98%]
test_ipaserver/test_install/test_installutils.py::test_bare_ram_ok PASSED [ 99%]
test_ipaserver/test_install/test_service.py::test_format_seconds PASSED  [100%]

---------------- generated xml file: /home/cloud-user/junit.xml ----------------
----------- generated html file: file:///home/cloud-user/report.html -----------
============== 160 passed, 4 skipped, 6 warnings in 31.25 seconds ==============

No AVC logged.
Based on this, marking the bug as verified.

Comment 15 errata-xmlrpc 2021-05-18 15:48:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1846
