1980560 – If init_t can read all file_type directories, it should be able to watch them as well

Bug 1980560 - If init_t can read all file_type directories, it should be able to watch them as well

Summary: If init_t can read all file_type directories, it should be able to watch them...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	34
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-07-08 20:56 UTC by Dusty Mabe
Modified:	2021-07-18 01:24 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-34.14-1.fc34
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-18 01:24:14 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Dusty Mabe 2021-07-08 20:56:28 UTC

Description of problem:

We are seeing issues where init_t (systemd) is not able to watch directories. This makes path units pretty useless.

According to Dan Walsh: "If init_t can read all file_type directories, it should be able to watch them as well." https://github.com/containers/container-selinux/issues/135#issuecomment-867961079



Can we get selinux updated to allow systemd to watch directories so our path units will work again.

More context in:

https://github.com/coreos/fedora-coreos-tracker/issues/861
https://github.com/containers/container-selinux/issues/135



Version-Release number of selected component (if applicable):

```
[core@localhost ~]$ rpm -q selinux-policy container-selinux
selinux-policy-34.11-1.fc34.noarch
container-selinux-2.163.0-1.fc34.noarch
```


How reproducible:
Always

Steps to Reproduce:

spin up an FCOS machine with this butane config:


```
variant: fcos
version: 1.3.0
systemd:
  units:
    - name: tester.path
      enabled: true
      contents: |
        [Unit]
        Description=Watch for kube config
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: tester.service
      enabled: false
      contents: |
        [Unit]
        Description=Watch for test config
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=bash -c "echo tester: $(date)"
storage:
  directories:
    - path: /etc/kubernetes
passwd:
  users:
    - name: core
      ssh_authorized_keys:
		- "MY-PUBKEY"
```

Notice that after you log in you can't activate the path unit by creating /etc/kubernetes/kubeconfig and you'll see the following in the journal:

```
$ journalctl | grep -i avc | grep denied
Jul 08 20:50:34 localhost audit[1]: AVC avc:  denied  { watch } for  pid=1 comm="systemd" path="/etc/kubernetes" dev="sda4" ino=18874496 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kubernetes_file_t:s0 tclass=dir permissive=0
```

We don't have the same problem if we use some randomly directory  (i.e. `/etc/foobar/kubeconfig`).


Actual results:

Denied


Expected results:

Not denied


Additional info:

Comment 1 Zdenek Pytela 2021-07-09 06:57:38 UTC

I've opened a PR:
https://github.com/fedora-selinux/selinux-policy/pull/799

If there is no negative feedback, I'll merge it soon. I expect one objection it is not complete enough.

Comment 2 Dusty Mabe 2021-07-09 13:41:44 UTC

Thanks @zpytela. If there is a scratch build available somewhere I can try to test with it.

Comment 3 Zdenek Pytela 2021-07-09 14:14:37 UTC

PR
Show all checks -> build-rpm -> Details -> Artifacts -> rpms

Comment 4 Dusty Mabe 2021-07-09 14:31:07 UTC

Thanks.. Looks like it works great!

```
[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$ 
[core@localhost ~]$ systemctl status tester.service
○ tester.service - Watch for test config
     Loaded: loaded (/etc/systemd/system/tester.service; static)
     Active: inactive (dead)
TriggeredBy: ● tester.path
[core@localhost ~]$ 
[core@localhost ~]$ sudo journalctl -u tester.service -u tester.path -f & 
[1] 1200
[core@localhost ~]$ -- Journal begins at Fri 2021-07-09 14:28:17 UTC. --
Jul 09 14:28:26 localhost systemd[1]: Started Watch for kube config.

[core@localhost ~]$ 
[core@localhost ~]$ 
[core@localhost ~]$ sudo touch /etc/kubernetes/kubeconfig
[core@localhost ~]$ Jul 09 14:29:35 localhost.localdomain systemd[1]: Starting Watch for test config...
Jul 09 14:29:35 localhost.localdomain bash[1211]: tester: Fri Jul 9 14:29:35 UTC 2021
Jul 09 14:29:35 localhost.localdomain systemd[1]: Finished Watch for test config.

[core@localhost ~]$ journalctl | grep -i avc
[core@localhost ~]$ 
[core@localhost ~]$ rpm -q selinux-policy selinux-policy-targeted
selinux-policy-34.13-1.20210707_172609.3600bd4.fc35.noarch
selinux-policy-targeted-34.13-1.20210707_172609.3600bd4.fc35.noarch
```

Comment 5 Zdenek Pytela 2021-07-13 16:29:47 UTC

Merged.

Comment 6 Fedora Update System 2021-07-14 19:45:21 UTC

FEDORA-2021-119c2c9b63 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63

Comment 7 Fedora Update System 2021-07-15 01:40:57 UTC

FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-119c2c9b63`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-119c2c9b63

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Dusty Mabe 2021-07-15 18:27:20 UTC

Looks good in my local tests. 👍

Comment 9 Fedora Update System 2021-07-18 01:24:14 UTC

FEDORA-2021-119c2c9b63 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.