Bug 2001599 - map AVC denial for /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
Summary: map AVC denial for /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.6
Assignee: Patrik Koncity
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-06 14:17 UTC by Karel Srot
Modified: 2022-05-10 16:23 UTC
CC List: 9 users

Fixed In Version: selinux-policy-3.14.3-82.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 15:15:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links
Red Hat Issue Tracker RHELPLAN-96326 (last updated 2021-09-06 14:18:08 UTC)
Red Hat Product Errata RHBA-2022:1995 (last updated 2022-05-10 15:15:23 UTC)

Description Karel Srot 2021-09-06 14:17:12 UTC
Description of problem:

The following AVC denial is reported when I run the test
/CoreOS/selinux-policy/Regression/pkcsslotd-and-similar

----
type=PROCTITLE msg=audit(09/06/2021 14:48:49.085:490) : proctitle=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit 
type=MMAP msg=audit(09/06/2021 14:48:49.085:490) : fd=13 flags=MAP_SHARED 
type=SYSCALL msg=audit(09/06/2021 14:48:49.085:490) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x14368 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED items=0 ppid=44755 pid=44808 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-rene exe=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(09/06/2021 14:48:49.085:490) : avc:  denied  { map } for  pid=44808 comm=dogtag-ipa-rene path=/dev/shm/var.lib.opencryptoki.swtok dev="tmpfs" ino=50846 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0 

I do not know if the denial has any impact on the respective process

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-79.el8.noarch
RHEL-8.5.0-20210906.n.0

How reproducible:
most likely regularly

Steps to Reproduce:
1. schedule the test mentioned above

Actual results:
AVC reported

Expected results:
no AVC reported

Additional info:

Comment 2 Karel Srot 2021-09-06 14:20:16 UTC
Please, switch to selinux-policy if this is not relevant to the policy shipped with IPA.

Comment 3 Alexander Bokovoy 2021-09-06 14:26:32 UTC
This is not relevant to IPA policy as the error happens from any application using softhsm tokens.

See, for example, the RHEL 9 bug: https://bugzilla.redhat.com/show_bug.cgi?id=1977915 -- I think this one is exactly the same as the RHEL 9 bug.

Comment 4 Patrik Koncity 2021-09-08 16:56:14 UTC
Hi Karel, what is the output of these two commands?

# ls -Z /dev/shm/var.lib.opencryptoki.swtok

# sesearch -A -s certmonger_t -t pkcs_slotd_tmpfs_t -c file -p map

Thank you,
Patrik

Comment 5 Karel Srot 2021-09-09 07:51:05 UTC
Hi Patrik,
as indicated by the AVC denial, the file has context user_tmp_t.
I have identified that this context is being assigned when the token is being initialized by a user.
OTOH, when I restart a service (e.g. ipsec or certmonger, as happens in /CoreOS/selinux-policy/Regression/pkcsslotd-and-similar), the file context is pkcs_slotd_tmpfs_t.
According to the policy, there is no default context assigned.

I originally reported that the problem can be reproduced using the test mentioned above. This is not entirely true: the token has to be initiated by a user in order to get the user_tmpfs_t context.
Please see the console log below.

selinux-policy-3.14.3-79.el8.noarch
# matchpathcon /dev/shm/var.lib.opencryptoki.swtok
/dev/shm/var.lib.opencryptoki.swtok	<<none>>

# rm /dev/shm/var.lib.opencryptoki.swtok
rm: remove regular file '/dev/shm/var.lib.opencryptoki.swtok'? y
# systemctl restart ipsec
# ls -Z /dev/shm/var.lib.opencryptoki.swtok
system_u:object_r:pkcs_slotd_tmpfs_t:s0 /dev/shm/var.lib.opencryptoki.swtok


### clear the file and reset token
# rm /dev/shm/var.lib.opencryptoki.swtok
rm: remove regular file '/dev/shm/var.lib.opencryptoki.swtok'? y
# find /var/lib/opencryptoki/ -type f -exec rm {} \;
### configure a new token
# /usr/sbin/pkcsconf -c 3 -u
Enter the SO PIN:           (enter 87654321)
Enter the new user PIN:     (enter e.g. 76543210)
Re-enter the new user PIN:  (enter e.g. 76543210)
# ls -Z /dev/shm/var.lib.opencryptoki.swtok
unconfined_u:object_r:user_tmp_t:s0 /dev/shm/var.lib.opencryptoki.swtok

### now reproduce the denial
# > /var/log/audit/audit.log 
# service certmonger restart
Redirecting to /bin/systemctl restart certmonger.service
# ausearch -m avc
----
time->Thu Sep  9 09:49:45 2021
type=PROCTITLE msg=audit(1631173785.780:775): proctitle="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
type=MMAP msg=audit(1631173785.780:775): fd=13 flags=0x1
type=SYSCALL msg=audit(1631173785.780:775): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=14368 a2=3 a3=1 items=0 ppid=97613 pid=97633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dogtag-ipa-rene" exe="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1631173785.780:775): avc:  denied  { map } for  pid=97633 comm="dogtag-ipa-rene" path="/dev/shm/var.lib.opencryptoki.swtok" dev="tmpfs" ino=316231 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
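The console log above shows the same token file carrying two different labels depending on who created it, and Patrik's sesearch query is the check for whether the intended label would be allowed. As an added example (not part of this report or of selinux-policy), the following script parses AVC records in both forms seen in this bug (ausearch's interpreted output and the raw output), flags denials whose target label differs from the label the file should carry, and emits the matching sesearch query; the expected-label table and the second sample line are constructed from the ls -Z output above.

```python
import re
# Constructed samples: the denial from this report in ausearch's interpreted
# form, plus a constructed raw-form variant in which the token file carries the
# label a service restart gives it (that one must not be reported).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(09/06/2021 14:48:49.085:490) : avc:  denied  { map } for  '
    'pid=44808 comm=dogtag-ipa-rene path=/dev/shm/var.lib.opencryptoki.swtok '
    'dev="tmpfs" ino=50846 scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1631173785.780:775): avc:  denied  { map } for  pid=97633 '
    'comm="dogtag-ipa-rene" path="/dev/shm/var.lib.opencryptoki.swtok" dev="tmpfs" '
    'ino=316231 scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0',
]
# Label the token file should carry, taken from the ls -Z after the service restart.
EXPECTED_LABELS = {"/dev/shm/var.lib.opencryptoki.swtok": "pkcs_slotd_tmpfs_t"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value optionally quoted
PERM_RE = re.compile(r'\{ ([^}]*) \}')        # the { map } permission set

def parse_avc(line):
    """Parse one AVC record (raw or -i interpreted form) into a dict."""
    if "avc:" not in line:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = PERM_RE.search(line)
    rec["perms"] = m.group(1).split() if m else []
    rec["denied"] = "denied" in line.split("avc:", 1)[1].split("for", 1)[0]
    return rec

def context_type(ctx):
    """unconfined_u:object_r:user_tmp_t:s0 -> user_tmp_t"""
    return ctx.split(":")[2]

def find_mislabeled(lines, expected):
    """Return denials whose target label differs from the expected one, each with
    the sesearch query that shows whether the expected label would be allowed."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or not rec["denied"]:
            continue
        path = rec.get("path", "")
        want, have = expected.get(path), context_type(rec["tcontext"])
        if want and have != want:
            src = context_type(rec["scontext"])
            findings.append({"path": path, "expected": want, "actual": have, "source": src,
                             "perms": rec["perms"], "sesearch": f"sesearch -A -s {src} -t {want} "
                             f"-c {rec['tclass']} -p {','.join(rec['perms'])}"})
    return findings
```

A finding means the file was created under a label the policy did not anticipate (here, by a user session), so the fix belongs in the file-transition rules rather than in an allow rule for the wrong label.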

Comment 6 Patrik Koncity 2021-09-13 15:05:00 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/870

Comment 8 Zdenek Pytela 2021-10-11 09:28:03 UTC
Commits to backport:
commit 00615a1f6dcc6cceae7754d354be900ce8e5d351 (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Wed Sep 15 13:46:03 2021 +0200

    Removing pkcs_tmpfs_filetrans interface and edit pkcs policy files

commit 8d59262f30201769e013488acca91e12950d62b0
Author: Patrik Koncity <pkoncity>
Date:   Mon Sep 13 14:14:22 2021 +0200

    Allow login_userdomain named filetrans to pkcs_slotd_tmpfs_t domain

Comment 16 errata-xmlrpc 2022-05-10 15:15:05 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

