Bug 1944661 - AVC popping at fapolicyd start when fapolicyd tries to grab the RPM DB lock
Summary: AVC popping at fapolicyd start when fapolicyd tries to grab the RPM DB lock
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fapolicyd
Version: 8.3
Hardware: All
OS: Linux
high
low
Target Milestone: rc
: ---
Assignee: Zoltan Fridrich
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 1961311 (view as bug list)
Depends On:
Blocks:
Reported: 2021-03-30 12:36 UTC by Renaud Métrich
Modified: 2021-11-08 09:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-08 09:41:04 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links: Red Hat Knowledge Base (Solution) 5917791 (last updated 2021-03-31 06:38:51 UTC)

Description Renaud Métrich 2021-03-30 12:36:00 UTC
Description of problem:

Starting fapolicyd on a system shows the following AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Tue Mar 30 13:50:08 2021
type=PROCTITLE msg=audit(1617105008.790:241): proctitle=2F7573722F7362696E2F6661706F6C69637964002D2D7065726D697373697665002D2D64656275672D64656E79
type=SYSCALL msg=audit(1617105008.790:241): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55830f6c8980 a2=42 a3=1a4 items=0 ppid=1 pid=2209 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="fapolicyd" exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
type=AVC msg=audit(1617105008.790:241): avc:  denied  { write } for  pid=2209 comm="fapolicyd" name="rpm" dev="dm-0" ino=134 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens because fapolicyd tries to open the RPM database, causing the lock file to be created (if it doesn't exist).


Version-Release number of selected component (if applicable):

fapolicyd-1.0-3.el8_3.4.x86_64


How reproducible:

Always

Steps to Reproduce:
1. Start fapolicyd as a service

Actual results:

AVC

Expected results:

No AVC or AVC hidden

Additional info:

Since fapolicyd is just reading the database, I think we can add a dontaudit rule:

# echo '(dontaudit fapolicyd_t rpm_var_lib_t (dir (write)))' > dontaudit-fapolicyd-rpmlock.cil
# semodule -i dontaudit-fapolicyd-rpmlock.cil

Comment 1 Dalibor Pospíšil 2021-09-08 22:24:06 UTC
*** Bug 1961311 has been marked as a duplicate of this bug. ***

Comment 2 Zoltan Fridrich 2021-11-01 12:36:38 UTC
(In reply to Renaud Métrich from comment #0)
> Description of problem:
> 
> Starting fapolicyd on a system shows the following AVC:
> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
> time->Tue Mar 30 13:50:08 2021
> type=PROCTITLE msg=audit(1617105008.790:241):
> proctitle=2F7573722F7362696E2F6661706F6C69637964002D2D7065726D697373697665002
> D2D64656275672D64656E79
> type=SYSCALL msg=audit(1617105008.790:241): arch=c000003e syscall=257
> success=no exit=-13 a0=ffffff9c a1=55830f6c8980 a2=42 a3=1a4 items=0 ppid=1
> pid=2209 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994
> egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="fapolicyd"
> exe="/usr/sbin/fapolicyd" subj=system_u:system_r:fapolicyd_t:s0 key=(null)
> type=AVC msg=audit(1617105008.790:241): avc:  denied  { write } for 
> pid=2209 comm="fapolicyd" name="rpm" dev="dm-0" ino=134
> scontext=system_u:system_r:fapolicyd_t:s0
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0
> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
> 
> This happens because fapolicyd tries to open the RPM database, causing the
> lock file to be created (if it doesn't exist).
> 
> 
> Version-Release number of selected component (if applicable):
> 
> fapolicyd-1.0-3.el8_3.4.x86_64
> 
> 
> How reproducible:
> 
> Always
> 
> Steps to Reproduce:
> 1. Start fapolicyd as a service
> 
> Actual results:
> 
> AVC
> 
> Expected results:
> 
> No AVC or AVC hidden
> 
> Additional info:
> 
> Since fapolicyd is just reading the database, I think we can add a dontaudit
> rule:
> 
> # echo '(dontaudit fapolicyd_t rpm_var_lib_t (dir (write)))' >
> dontaudit-fapolicyd-rpmlock.cil
> # semodule -i dontaudit-fapolicyd-rpmlock.cil

I am trying to replicate this issue but I am not getting any avc. I tried this on a fresh rhel-8.6 and rhel-8.3 instance.
On rhel-8.3 I even have the same version of fapolicyd (fapolicyd-1.0-3.el8_3.4.x86_64), but no avc.

Do I understand correctly that this should trigger the avc?

# systemctl start fapolicyd
# ausearch -m avc -ts recent
<no matches>

Comment 3 Renaud Métrich 2021-11-08 07:28:56 UTC
This seems to be fixed with 8.4 (commit 8f1a028cebf6cdcea4e57acf26f77c438b9d4982, 1.0.2-2):

diff --git a/selinux.patch b/selinux.patch
[...]
+ optional_policy(`
+-        rpm_read_db(fapolicyd_t)        
++        rpm_read_db(fapolicyd_t)
++        allow fapolicyd_t rpm_var_lib_t:file { create };
++        allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
+ ')
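Review bot: the two `++` lines widen fapolicyd_t beyond the read-only `rpm_read_db(fapolicyd_t)` interface to `file { create }` and `dir { add_name write }` on every rpm_var_lib_t object, not just the lock file the description says is being created on open; the patch should carry a comment stating that these permissions exist solely so fapolicyd can create /var/lib/rpm/*.lock when it is absent, and it is worth checking whether a dedicated lock-file type would keep the database files themselves read-only for fapolicyd_t. The `+-`/`++` pair around `rpm_read_db(fapolicyd_t)` differs only in trailing whitespace; that is fine to clean up, but say so in the commit message so reviewers do not look for a semantic change there.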


On 8.3 (fapolicyd-1.0-3.el8_3.4.x86_64), I can reproduce by starting the service after making sure no lock file is present in /var/lib/rpm:

# systemctl enable fapolicyd
# rm /var/lib/rpm/*.lock
# reboot

...

# ausearch -m avc,user_avc -ts boot -i
----
type=AVC msg=audit(11/08/2021 08:10:27.145:5) : avc:  denied  { write } for  pid=1067 comm=fapolicyd name=rpm dev="dm-0" ino=134 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0 

Not sure we need a fix on 8.3 since 8.3 has no EUS.
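Both AVC records quoted in this bug (the raw ausearch line in comment 0 and the `ausearch -i` line in comment 3) can be turned into the CIL statement the reporter proposed, and checked for write-class access before deciding between dontaudit and allow. This is an added example, not fapolicyd's or Red Hat's code; the sample records are copied from the comments above, and `MODIFYING_PERMS` is an illustrative list, not an SELinux-defined set.

```python
import re
from collections import defaultdict

# Sample records, constructed here from the two AVC lines quoted in this bug.
SAMPLE_AVCS = """\
type=AVC msg=audit(1617105008.790:241): avc:  denied  { write } for  pid=2209 comm="fapolicyd" name="rpm" dev="dm-0" ino=134 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(11/08/2021 08:10:27.145:5) : avc:  denied  { write } for  pid=1067 comm=fapolicyd name=rpm dev="dm-0" ino=134 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0
"""

# Matches both the raw audit format and the `ausearch -i` interpreted format:
# only the perms, scontext type, tcontext type and tclass fields are used.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)"
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)"
    r".*?tclass=(?P<cls>\w+)"
)

# Permissions that change the target (illustrative list). A dontaudit only hides
# such a denial, an allow grants it, so the two are not interchangeable here.
MODIFYING_PERMS = {"write", "append", "create", "add_name", "remove_name", "unlink", "setattr"}


def parse_avcs(text):
    """Collect denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL/PROCTITLE records and ausearch separators are skipped
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)


def to_cil(rules, verb="dontaudit"):
    """Render one CIL statement per (src, tgt, class), suitable for `semodule -i`."""
    if verb not in ("allow", "dontaudit"):
        raise ValueError("verb must be 'allow' or 'dontaudit'")
    return [f"({verb} {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (src, tgt, cls), perms in sorted(rules.items())]


def modifying_rules(rules):
    """Keys whose denied permissions would change the target; review these before a dontaudit."""
    return [key for key, perms in sorted(rules.items()) if perms & MODIFYING_PERMS]


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    for stmt in to_cil(rules):
        print(stmt)
    for src, tgt, cls in modifying_rules(rules):
        print(f"note: {src} needs modifying access to {tgt}:{cls}; dontaudit would only hide it")
```

The records show only `write` because in enforcing mode the open() fails at the first denied check, so the `add_name` and file `create` permissions that the 1.0.2-2 patch in comment 3 also grants would only surface on a permissive run.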

Comment 4 Zoltan Fridrich 2021-11-08 09:41:04 UTC
As the necessary selinux rules are present and this is not an issue on rhel-8.6, I will close this bz as "NOTABUG".
So far there is no plan to fix this on rhel-8.3.

