Bug 1955547 - Allow nnp_transition for init_t -> install_t
Summary: Allow nnp_transition for init_t -> install_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 1937404
Blocks:
 
Reported: 2021-04-30 11:07 UTC by Timothée Ravier
Modified: 2021-11-10 08:33 UTC (History)
CC: 12 users

Fixed In Version: selinux-policy-3.14.3-70.el8
Doc Type: No Doc Update
Doc Text:
Clone Of: 1937404
Environment:
Last Closed: 2021-11-09 19:43:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2021:4420 | 0 | None | None | None | 2021-11-09 19:43:42 UTC |

Description Timothée Ravier 2021-04-30 11:07:14 UTC
+++ This bug was initially created as a clone of Bug #1937404 +++

In rpm-ostree we're trying to do more privilege separation; we added a new systemd unit rpm-ostree-countme.service that uses `DynamicUser=yes`.

However, it turns out that this breaks because we added a special `install_t` label:

```
-rwxr-xr-x. 3 root root system_u:object_r:install_exec_t:s0 127267552 Jan  1  1970 /usr/bin/rpm-ostree
```

Now, this works fine for a regular (privileged) domain transition for our service that starts as root.

But when trying with `DynamicUser=yes` but executing the same binary:

```
Mar 10 14:11:34 cosa-devsh audit[1276]: AVC avc:  denied  { nnp_transition } for  pid=1276 comm="(m-ostree)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=0
```

This then leaves the process running as `init_t`, which means we get denied trying to do HTTP:

```
Mar 10 14:11:34 cosa-devsh audit[1276]: AVC avc:  denied  { name_connect } for  pid=1276 comm="rpm-ostree" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
```

I think the immediate fix is to allow the nnp_transition so that this unprivileged process runs as `install_t`, the same as the main one.

But it'd be even better to not do any transition at all, i.e. in the `DynamicUser=yes` case we stay in `unconfined_service_t` to start (the systemd default).  I'm not quite sure how to do that without basically hacking up systemd to do a `setexeccon()` (something declarative like `SELinuxTransition=no` in a systemd unit file?)

--- Additional comment from Colin Walters on 2021-03-10 15:15:30 UTC ---

In the short term, we are probably going to work around this by shipping two binaries, like `/usr/bin/rpm-ostree` and `/usr/libexec/rpmostree-unprivileged-backend` or something, then the systemd unit execs the latter.

But having two labels means duplicating the binary on disk which is quite unfortunate.  (OSTree could use reflinks for this, but we can't hard require reflinks)

--- Additional comment from Timothée Ravier on 2021-03-11 15:14:49 UTC ---

We can set SELinuxContext=system_u:system_r:unconfined_service_t:s0 in the systemd unit but this gives us:

```
Mar 11 11:40:03 cosa-devsh audit[3454]: AVC avc:  denied  { entrypoint } for  pid=3454 comm="(m-ostree)" path="/usr/bin/rpm-ostree" dev="vda4" ino=2838494 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:install_exec_t:s0 tclass=file permissive=0
```

And I don't think we want to enable that.

Adding nnp_transition to scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 sounds OK from a security perspective (I do not see how this could be exploited) so I will make a PR for that.

--- Additional comment from Zdenek Pytela on 2021-03-16 15:39:33 UTC ---

commit 3d3b616790d5826f73b259fc2a940a8e1efe98c1 (HEAD -> rawhide, upstream/rawhide)
Author: Timothée Ravier <travier>
Date:   Thu Mar 11 16:53:29 2021 +0100

    install_t: Allow NoNewPriv transition from systemd

    Enable a subset of rpm-ostree commands to run as part of a systemd
    service directly under an unprivileged user with DynamicUser.

    This will be used for the rpm-ostree-countme service.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1937404

--- Additional comment from Fedora Update System on 2021-03-21 16:15:45 UTC ---

FEDORA-2021-9e2cb00123 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-9e2cb00123

--- Additional comment from Fedora Update System on 2021-03-22 01:17:29 UTC ---

FEDORA-2021-9e2cb00123 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-9e2cb00123`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-9e2cb00123

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2021-03-25 01:24:31 UTC ---

FEDORA-2021-68c09eb43f has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-68c09eb43f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-68c09eb43f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2021-03-27 02:01:12 UTC ---

FEDORA-2021-15b81d905c has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-15b81d905c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-15b81d905c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

--- Additional comment from Fedora Update System on 2021-03-29 00:17:03 UTC ---

FEDORA-2021-15b81d905c has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 1 Timothée Ravier 2021-04-30 11:09:44 UTC
This is a request to backport or make sure that the policy already includes the following change in 8.5: https://github.com/fedora-selinux/selinux-policy/pull/642

Thanks!

Comment 2 Zdenek Pytela 2021-06-04 20:19:55 UTC
Needs to be backported:
Author: Timothée Ravier <travier>
Date:   Thu Mar 11 16:53:29 2021 +0100

    install_t: Allow NoNewPriv transition from systemd

Comment 4 Milos Malik 2021-06-10 17:49:23 UTC
When the old selinux-policy is installed, the following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(06/10/2021 11:53:31.621:320) : proctitle=/usr/bin/rpm-ostree countme 
type=PATH msg=audit(06/10/2021 11:53:31.621:320) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=9890 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/10/2021 11:53:31.621:320) : cwd=/ 
type=EXECVE msg=audit(06/10/2021 11:53:31.621:320) : argc=2 a0=/usr/bin/rpm-ostree a1=countme 
type=SYSCALL msg=audit(06/10/2021 11:53:31.621:320) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55aa84bfea20 a1=0x55aa84bfea00 a2=0x55aa84c6bde0 a3=0x0 items=1 ppid=1 pid=6525 auid=unset uid=rpm-ostree gid=rpm-ostree euid=rpm-ostree suid=rpm-ostree fsuid=rpm-ostree egid=rpm-ostree sgid=rpm-ostree fsgid=rpm-ostree tty=(none) ses=unset comm=rpm-ostree exe=/usr/bin/rpm-ostree subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(06/10/2021 11:53:31.621:320) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:install_t:s0 
type=AVC msg=audit(06/10/2021 11:53:31.621:320) : avc:  denied  { nnp_transition } for  pid=6525 comm=(m-ostree) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(06/10/2021 11:53:31.660:321) : proctitle=/usr/bin/rpm-ostree countme 
type=SYSCALL msg=audit(06/10/2021 11:53:31.660:321) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x5645b8ef03d0 a2=O_RDONLY|O_CLOEXEC|O_PATH a3=0x0 items=0 ppid=1 pid=6525 auid=unset uid=rpm-ostree gid=rpm-ostree euid=rpm-ostree suid=rpm-ostree fsuid=rpm-ostree egid=rpm-ostree sgid=rpm-ostree fsgid=rpm-ostree tty=(none) ses=unset comm=rpm-ostree exe=/usr/bin/rpm-ostree subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/10/2021 11:53:31.660:321) : avc:  denied  { read } for  pid=6525 comm=rpm-ostree name=rpm-ostree-countme dev="vda1" ino=6970988 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0 
----

Tested in 1minutetip with selinux-policy = 3.14.3-68.el8.

Comment 5 Milos Malik 2021-06-10 17:50:58 UTC
When old selinux-policy is installed, the same SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(06/10/2021 13:46:35.690:329) : proctitle=(m-ostree) 
type=SYSCALL msg=audit(06/10/2021 13:46:35.690:329) : arch=x86_64 syscall=readlinkat success=yes exit=26 a0=0xffffff9c a1=0x55aa84b5d220 a2=0x55aa84be2930 a3=0x63 items=0 ppid=1 pid=6931 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(m-ostree) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(06/10/2021 13:46:35.690:329) : avc:  denied  { read } for  pid=6931 comm=(m-ostree) name=rpm-ostree-countme dev="vda1" ino=6970988 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=1 
----
type=PROCTITLE msg=audit(06/10/2021 13:46:35.913:330) : proctitle=(m-ostree) 
type=PATH msg=audit(06/10/2021 13:46:35.913:330) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=9890 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(06/10/2021 13:46:35.913:330) : cwd=/ 
type=EXECVE msg=audit(06/10/2021 13:46:35.913:330) : argc=2 a0=/usr/bin/rpm-ostree a1=countme 
type=SYSCALL msg=audit(06/10/2021 13:46:35.913:330) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55aa84bfea20 a1=0x55aa84be2930 a2=0x55aa84b35c20 a3=0x0 items=1 ppid=1 pid=6931 auid=unset uid=rpm-ostree gid=rpm-ostree euid=rpm-ostree suid=rpm-ostree fsuid=rpm-ostree egid=rpm-ostree sgid=rpm-ostree fsgid=rpm-ostree tty=(none) ses=unset comm=rpm-ostree exe=/usr/bin/rpm-ostree subj=system_u:system_r:install_t:s0 key=(null) 
type=AVC msg=audit(06/10/2021 13:46:35.913:330) : avc:  denied  { nnp_transition } for  pid=6931 comm=(m-ostree) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=1 
----

# ls -lZ /var/lib/rpm-ostree-countme
lrwxrwxrwx. 1 root root system_u:object_r:var_lib_t:s0 26 Jun 10 11:53 /var/lib/rpm-ostree-countme -> private/rpm-ostree-countme
#
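As an added example (not code from the bug report or from rpm-ostree), the following parser reads the two AVC formats shown above (journal-style lines from the description and `type=AVC` records from comments 4 and 5), derives the `allow` rule that resolves each `nnp_transition` denial on the `process2` class, and flags the follow-on denials that occur only because the process stayed in the source domain, as the `name_connect` denial did when `init_t` could not transition to `install_t`. The sample log is constructed from lines quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: two journal-style AVC lines (as in the description) and the
# SELINUX_ERR/AVC pair from comment 4. The SELINUX_ERR record is the kernel's
# failed "bounded transition" check, which precedes an nnp_transition denial.
SAMPLE_LOG = """\
Mar 10 14:11:34 cosa-devsh audit[1276]: AVC avc:  denied  { nnp_transition } for  pid=1276 comm="(m-ostree)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=0
Mar 10 14:11:34 cosa-devsh audit[1276]: AVC avc:  denied  { name_connect } for  pid=1276 comm="rpm-ostree" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SELINUX_ERR msg=audit(06/10/2021 11:53:31.621:320) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:install_t:s0
type=AVC msg=audit(06/10/2021 11:53:31.621:320) : avc:  denied  { nnp_transition } for  pid=6525 comm=(m-ostree) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=process2 permissive=0
"""

# Matches both the journald and the ausearch rendering of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str

    def is_nnp_transition(self) -> bool:
        return self.tclass == "process2" and "nnp_transition" in self.perms


def domain_type(context: str) -> str:
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc_denials(text: str) -> List[Denial]:
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)  # SELINUX_ERR and other record types are skipped
        if m:
            out.append(Denial(tuple(m["perms"].split()), m["scontext"], m["tcontext"], m["tclass"]))
    return out


def nnp_transition_rules(denials: List[Denial]) -> List[str]:
    """Distinct TE allow rules that would permit each blocked NoNewPrivileges transition."""
    rules: List[str] = []
    for d in denials:
        if d.is_nnp_transition():
            rule = f"allow {domain_type(d.scontext)} {domain_type(d.tcontext)}:process2 nnp_transition;"
            if rule not in rules:
                rules.append(rule)
    return rules


def follow_on_denials(denials: List[Denial]) -> List[Denial]:
    """Denials raised in a source domain whose transition was blocked: the process never
    left that domain, so later access checks ran against the wrong (source) type."""
    blocked_sources = {d.scontext for d in denials if d.is_nnp_transition()}
    return [d for d in denials if d.scontext in blocked_sources and not d.is_nnp_transition()]
```

Resolving the transition denial first and re-testing is the right order: follow-on denials such as `name_connect` from `init_t` disappear once the process actually runs as `install_t`, so they should not be turned into allow rules of their own.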

Comment 13 errata-xmlrpc 2021-11-09 19:43:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

