Bug 1999090 - firewalld reports having dropped capabilities even when failing to do so
Summary: firewalld reports having dropped capabilities even when failing to do so
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: firewalld
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Garver
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-08-30 12:04 UTC by Štěpán Němec
Modified: 2022-05-17 16:31 UTC

Fixed In Version: firewalld-1.0.0-4.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-17 15:59:15 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1914945 1 None None None 2023-06-14 09:48:08 UTC
Red Hat Bugzilla 1989641 1 medium CLOSED SELinux is blocking firewalld from dropping linux capabilities 2023-05-30 08:33:26 UTC
Red Hat Issue Tracker RHELPLAN-95581 0 None None None 2021-08-30 12:49:43 UTC
Red Hat Product Errata RHBA-2022:3993 0 None None None 2022-05-17 15:59:17 UTC

Description Štěpán Němec 2021-08-30 12:04:37 UTC
Description of problem:
Even when SELinux prevents firewalld from dropping capabilities,
the daemon still reports "Dropped Linux capabilities" in the log,
same as in case of dropping capabilities successfully.

Version-Release number of selected component (if applicable):
firewalld-1.0.0-2.el9

How reproducible:
Always.

Steps to Reproduce:
1. Deny 'setcap' and 'setpcap' capabilities of firewalld, e.g. by installing selinux-policy < 34.1.14
2. run firewalld with --debug
3. observe that /var/log/firewalld contains "Dropped Linux capabilities to NET_ADMIN, NET_RAW." despite firewalld still running with full capabilities

Actual results on 1MT-RHEL-9.0.0-20210825.0-Beta:
[root@ci-vm-10-0-139-97 ~]# rpm -q selinux-policy
selinux-policy-34.1.13-1.el9.noarch

[root@ci-vm-10-0-139-97 ~]# rpm -q firewalld
firewalld-1.0.0-2.el9.noarch

[root@ci-vm-10-0-139-97 ~]# pscap | grep firewalld
1     3950  root        firewalld           full +

[root@ci-vm-10-0-139-97 ~]# journalctl -b | grep libcap
Aug 30 07:43:18 ci-vm-10-0-139-97.hosted.upshift.rdu2.redhat.com firewalld[3950]: libcap-ng used by "/usr/bin/python3.9" failed dropping bounding set in capng_apply

[root@ci-vm-10-0-139-97 ~]# journalctl -b | grep -E 'setcap|setpcap'
Aug 30 07:43:18 ci-vm-10-0-139-97.hosted.upshift.rdu2.redhat.com audit[3950]: AVC avc:  denied  { setpcap } for  pid=3950 comm="firewalld" capability=8  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
Aug 30 07:43:18 ci-vm-10-0-139-97.hosted.upshift.rdu2.redhat.com audit[3950]: AVC avc:  denied  { setcap } for  pid=3950 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process permissive=0

[root@ci-vm-10-0-139-97 ~]# grep capabilities /var/log/firewalld
2021-08-30 07:43:18 Dropped Linux capabilities to NET_ADMIN, NET_RAW.

Expected results:
log messages match reality

Comment 1 Eric Garver 2021-08-30 13:24:01 UTC
Did you make sure to purge the log before restarting firewalld? I.e., are you sure the log is not leftover from before downgrading selinux-policy?

Comment 2 Eric Garver 2021-08-30 17:15:49 UTC
(In reply to Eric Garver from comment #1)
> Did you make sure to purge the log before restarting firewalld? I.e., are
> you sure the log is not leftover from before downgrading selinux-policy?

Ignore this. Timestamps show it's relevant.

libcap-ng-python doesn't throw an exception in this case. We'll have to make changes to check the return code C-style. I _think_ libcap-ng-python will return a non-zero one in this case.

Comment 3 Eric Garver 2021-08-30 18:58:00 UTC
Upstream PR: https://github.com/firewalld/firewalld/pull/847

Comment 4 Eric Garver 2021-08-30 19:34:39 UTC
Upstream:

  36749f512bbc ("fix(firewalld): check capng_apply() return code")

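The shape of the fix discussed in comments 2 through 4, as an added example that is not firewalld's code and not the upstream commit: drop to a capability allow-list through the libcap-ng Python bindings, treat the capng_apply() return code as the verdict (0 on success, negative on failure), and cross-check that verdict against the kernel's own CapEff bitmask in /proc/self/status, which is what pscap reads. The buggy variant that discards the return code is kept alongside for contrast. The capng function and constant names are the libcap-ng binding's API as assumed here, the helper names are the example's own, and the /proc/self/status strings in the comments and tests are constructed.

```python
"""Added example (not firewalld's code): check capng_apply()'s return code
instead of logging success unconditionally, and verify against the kernel."""
import logging

try:
    import capng  # python3-libcap-ng bindings; assumed API, see lead-in
except ImportError:
    capng = None  # real drop unavailable; the decision logic stays testable

log = logging.getLogger("capdrop-example")

# Capability numbers from linux/capability.h. SETPCAP is 8, which is the
# "capability=8" in the AVC denial quoted in the bug report.
CAP_BITS = {"SETPCAP": 8, "NET_ADMIN": 12, "NET_RAW": 13, "SYS_MODULE": 16}
KEEP = ("NET_ADMIN", "NET_RAW")


def _apply_with_capng(keep):
    """Clear every set, re-add the allow-list, apply. Returns capng_apply()'s
    code: 0 on success, negative when the kernel refuses (for example when
    SELinux denies setpcap / setcap, as in the bug)."""
    capng.capng_clear(capng.CAPNG_SELECT_BOTH)
    for name in keep:
        capng.capng_update(capng.CAPNG_ADD,
                           capng.CAPNG_EFFECTIVE | capng.CAPNG_PERMITTED,
                           getattr(capng, "CAP_" + name))
    return capng.capng_apply(capng.CAPNG_SELECT_BOTH)


def _pick(apply_fn):
    """Use the injected apply function (tests) or the real libcap-ng one."""
    if apply_fn is not None:
        return apply_fn
    if capng is None:
        raise RuntimeError("python3-libcap-ng is not installed")
    return _apply_with_capng


def drop_capabilities_buggy(keep=KEEP, apply_fn=None):
    """Pre-fix shape of the bug: the return code is thrown away and the
    success line is logged whatever actually happened."""
    _pick(apply_fn)(keep)
    msg = "Dropped Linux capabilities to %s." % ", ".join(keep)
    log.debug(msg)
    return msg


def drop_capabilities(keep=KEEP, apply_fn=None):
    """Fixed shape: return (ok, message). The message is what gets logged;
    ok lets the caller refuse to keep running with the full capability set."""
    ret = _pick(apply_fn)(keep)
    if ret == 0:
        msg = "Dropped Linux capabilities to %s." % ", ".join(keep)
        log.debug(msg)
        return True, msg
    msg = ("libcap-ng failed to drop Linux capabilities "
           "(capng_apply returned %d)." % ret)
    log.error(msg)
    return False, msg


def parse_cap_eff(status_text):
    """Return the CapEff bitmask from the text of /proc/<pid>/status,
    e.g. 'CapEff:\\t000001ffffffffff' (constructed sample) -> 0x1ffffffffff."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def expected_mask(keep):
    """Bitmask of the allow-list, e.g. NET_ADMIN + NET_RAW -> 0x3000."""
    mask = 0
    for name in keep:
        mask |= 1 << CAP_BITS[name]
    return mask


def kernel_agrees(status_text, keep=KEEP):
    """True only if the effective set is a subset of the allow-list, i.e. what
    pscap would print as 'net_admin, net_raw' rather than 'full'."""
    return (parse_cap_eff(status_text) & ~expected_mask(keep)) == 0


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    try:
        ok, msg = drop_capabilities()
    except RuntimeError as exc:
        ok, msg = False, str(exc)
    with open("/proc/self/status") as f:
        agreed = kernel_agrees(f.read())
    print(msg, "| kernel agrees:", agreed)
```

Run as root on a host with python3-libcap-ng, the script prints the log line and whether /proc/self/status confirms it; run unprivileged, capng_apply() cannot grant capabilities the process never had, so the failure path is exercised and the kernel check reports the mismatch, which is exactly the condition the original log line hid.
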
Comment 7 Štěpán Němec 2021-11-22 17:15:22 UTC
Tested firewalld-1.0.0-4.el9.noarch from
https://centos.softwarefactory-project.io/logs/7/7/3b53f3916124e4fa948c85a9580f5e57e1e6ce6d/check/mock-build/60a21cf/repo/firewalld-1.0.0-4.el9/
[merge request link in comment 6]

firewalld log messages now reflect the actual success or failure in dropping capabilities:

[root@localhost ~]# rpm -qa selinux-policy\* firewalld\*
selinux-policy-34.1.13-1.el9.noarch
selinux-policy-targeted-34.1.13-1.el9.noarch
firewalld-filesystem-1.0.0-4.el9.noarch
firewalld-1.0.0-4.el9.noarch

[root@localhost ~]# sed -i -e 's/^\(FIREWALLD_ARGS=\).*$/\1--debug/' /etc/sysconfig/firewalld

[root@localhost ~]# systemctl start firewalld

[root@localhost ~]# pscap | grep firewalld
1     4511  root        firewalld           full +

[root@localhost ~]# journalctl -b | grep -E 'libcap|setcap|setpcap'
Nov 18 07:20:07 localhost.localdomain audit[4511]: AVC avc:  denied  { setpcap } for  pid=4511 comm="firewalld" capability=8  scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=capability permissive=0
Nov 18 07:20:07 localhost.localdomain firewalld[4511]: libcap-ng used by "/usr/bin/python3.9" failed dropping bounding set in capng_apply
Nov 18 07:20:07 localhost.localdomain audit[4511]: AVC avc:  denied  { setcap } for  pid=4511 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=process permissive=0

[root@localhost ~]# grep capabilities /var/log/firewalld
2021-11-18 07:22:18 libcap-ng failed to drop Linux capabilities.

[For comparison, after upgrading back to the current selinux-policy:]

[root@localhost ~]# rpm -qa selinux-policy\* firewalld\*
firewalld-filesystem-1.0.0-4.el9.noarch
firewalld-1.0.0-4.el9.noarch
selinux-policy-34.1.18-1.el9.noarch
selinux-policy-targeted-34.1.18-1.el9.noarch

[root@localhost ~]# systemctl restart firewalld

[root@localhost ~]# pscap | grep firewalld
1     5088  root        firewalld           net_admin, net_raw, sys_module +

[root@localhost ~]# grep capabilities /var/log/firewalld
2021-11-18 07:22:18 libcap-ng failed to drop Linux capabilities.
2021-11-22 11:58:16 Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.

Comment 13 errata-xmlrpc 2022-05-17 15:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: firewalld), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3993

