Bug 2026795 - SELinux policy (daemons) changes required for package: fido-device-onboard in RHEL 9.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.3
Assignee: Nobody
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 2219647
Depends On: 2025978
Blocks: 1989923 1989930 2014410
Reported: 2021-11-25 20:26 UTC by Patrik Koncity
Modified: 2023-11-07 11:21 UTC
CC List: 11 users

Fixed In Version: selinux-policy-38.1.17-1.el9
Doc Type: Enhancement
Doc Text:
Feature: fido-device-onboard
Reason: Package fido-device-onboard has been added to RHEL 8.5.0
Result: SELinux policy confines additional services. The selinux-policy packages have been updated, and therefore the fido-device-onboard service is now confined by SELinux.
Clone Of: 2025978
Environment:
Last Closed: 2023-11-07 08:52:15 UTC
Type: ---
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-103995 0 None None None 2021-11-25 20:30:39 UTC
Red Hat Product Errata RHBA-2023:6617 0 None None None 2023-11-07 08:52:31 UTC

Description Patrik Koncity 2021-11-25 20:26:27 UTC
+++ This bug was initially created as a clone of Bug #2025978 +++

Package fido-device-onboard has been added to RHEL 8.5.0

Please make necessary changes for new package in the selinux-policy.

4 services, executing 4 distinct binaries from /usr/libexec/fdo/. Additionally note the srpm has the name "fido-device-onboard".

Comment 8 Nikola Knazekova 2023-03-29 08:12:40 UTC
Hi Yi He,
I created an initial SELinux policy for fido-device-onboard, but we are not able to test it properly.

Can you please test it and attach AVC messages?
New SELinux policy with fdo module is available on copr:

# dnf copr enable nknazeko/fdo-selinux 
# dnf update selinux-policy

You can check if fdo module is installed with semodule command:
# semodule -l | grep fdo
fdo


Also, before testing it is useful to have full auditing enabled:

Open the /etc/audit/rules.d/audit.rules file in an editor.

 1. Remove the following line if it exists:

-a task,never

 2. Add the following line at the end of the file:

-w /etc/shadow -p w

 3. Restart the audit daemon:

 # service auditd restart

Thank you

Nikola

Comment 9 Yi He 2023-03-30 02:51:19 UTC
Verified on RHEL9.2, the FDO functions work as expected.

RPM installed:
[root@yih-92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.9-1.el9.471.noarch
selinux-policy-targeted-38.9-1.el9.471.noarch

[root@yih-92 rhel-edge]# semodule -l | grep fdo
fdo

Comment 10 Nikola Knazekova 2023-03-30 11:35:35 UTC
Can you please check AVC messages? 

# ausearch -m avc -m user_avc -m selinux_err -i

Comment 13 Nikola Knazekova 2023-04-18 18:57:33 UTC
Hi Yi He,

thank you for the AVC logs.

I have fixed the policy and created another copr build (version 38.11-1.fc39.57X).
Can you please test it again and attach AVC messages? 

Thank you,
Nikola

Comment 15 Yi He 2023-04-19 07:26:38 UTC
Tested it on rhel9.2, fdo features work as expected.

[root@yih-rhel92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.11-1.el9.570.noarch
selinux-policy-targeted-38.11-1.el9.570.noarch

AVC log has been attached.

Comment 17 Nikola Knazekova 2023-04-26 17:28:09 UTC
Hello!

Thank you for the attachment, I fixed it and created another copr build: selinux-policy-38.13-1.el9.67x.

Can you please test it?

Nikola

Comment 18 Yi He 2023-04-28 03:37:14 UTC
Verified with new build, fdo function works as expected. And with this build, the avc log is much shorter.

[root@yih-92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.13-1.el9.670.noarch
selinux-policy-targeted-38.13-1.el9.670.noarch

[root@yih-92 rhel-edge]# ausearch -m avc -m user_avc -m selinux_err -i
----
type=PROCTITLE msg=audit(04/27/2023 22:15:26.737:15028) : proctitle=/usr/libexec/fdo/fdo-serviceinfo-api-server 
type=PATH msg=audit(04/27/2023 22:15:26.737:15028) : item=0 name=/tmp/fdouser inode=17843235 dev=fc:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/27/2023 22:15:26.737:15028) : cwd=/etc/fdo/aio/work 
type=SYSCALL msg=audit(04/27/2023 22:15:26.737:15028) : arch=x86_64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0x7ffc27084880 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=391967 pid=391981 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fdo-serviceinfo exe=/usr/libexec/fdo/fdo-serviceinfo-api-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(04/27/2023 22:15:26.737:15028) : avc:  denied  { open } for  pid=391981 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
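
The record above has every field needed to triage a denial: the source domain (fdo_t), the target type (user_tmp_t), the object class and permission, and permissive=1, which means the access was only logged, as the success=yes in the SYSCALL record confirms. The following Python is an added example and is not code from this bug or from the selinux-policy project. It parses `ausearch -m avc -m user_avc -m selinux_err -i` output into structured denials, collapses them into the (source type, target type, class, permission) tuples at which a policy rule would be written, and flags targets carrying generic types such as user_tmp_t, which for this bug turned out to be a test artifact rather than a policy gap. The embedded sample input is constructed: it holds the records from comments 18 and 20, trimmed to the fields used, plus one made-up enforcing-mode record (serial 20915) that does not appear on the page.

```python
"""Triage SELinux AVC denials from `ausearch ... -i` output (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the two records from comments 18 and 20 of this bug (trimmed)
# plus one made-up enforcing-mode record (serial 20915) that is not from the page.
SAMPLE_AUSEARCH = """\
----
type=PROCTITLE msg=audit(04/27/2023 22:15:26.737:15028) : proctitle=/usr/libexec/fdo/fdo-serviceinfo-api-server
type=PATH msg=audit(04/27/2023 22:15:26.737:15028) : item=0 name=/tmp/fdouser inode=17843235 dev=fc:04 mode=file,644 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL
type=CWD msg=audit(04/27/2023 22:15:26.737:15028) : cwd=/etc/fdo/aio/work
type=SYSCALL msg=audit(04/27/2023 22:15:26.737:15028) : arch=x86_64 syscall=openat success=yes exit=9 ppid=391967 pid=391981 comm=fdo-serviceinfo exe=/usr/libexec/fdo/fdo-serviceinfo-api-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(04/27/2023 22:15:26.737:15028) : avc:  denied  { open } for  pid=391981 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
type=SYSCALL msg=audit(05/03/2023 22:53:56.077:20914) : arch=x86_64 syscall=openat success=yes exit=9 ppid=566949 pid=566966 comm=fdo-serviceinfo exe=/usr/libexec/fdo/fdo-serviceinfo-api-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(05/03/2023 22:53:56.077:20914) : avc:  denied  { open } for  pid=566966 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
type=SYSCALL msg=audit(05/03/2023 22:54:01.000:20915) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) ppid=566949 pid=566970 comm=fdo-manufacturi exe=/usr/libexec/fdo/fdo-manufacturing-server subj=system_u:system_r:fdo_t:s0 key=(null)
type=AVC msg=audit(05/03/2023 22:54:01.000:20915) : avc:  denied  { read write } for  pid=566970 comm=fdo-manufacturi name="example.db" dev="vda4" ino=1 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

RECORD_SEP = "----"
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+")
SERIAL_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    serial: str
    decision: str
    perms: tuple
    comm: str
    target: str        # path= when present, else name=
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool   # permissive=1: logged but allowed
    exe: str           # from the SYSCALL record of the same event
    syscall: str


def _kv(line):
    """key=value pairs of one record line, with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def selinux_type(context):
    """Type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_ausearch(text):
    """Turn `ausearch -i` output into Denial objects, joining each AVC line with
    the SYSCALL line of the same event so exe and syscall are available."""
    denials = []
    for record in text.split(RECORD_SEP):
        lines = [ln for ln in record.strip().splitlines() if ln.strip()]
        syscall = {}
        for ln in lines:
            if ln.startswith("type=SYSCALL"):
                syscall = _kv(ln)
        for ln in lines:
            if not ln.startswith("type=AVC"):
                continue
            m = AVC_RE.search(ln)
            if not m:
                continue
            f = _kv(ln)
            s = SERIAL_RE.search(ln)
            denials.append(Denial(
                serial=s.group(1) if s else "?",
                decision=m.group("decision"),
                perms=tuple(m.group("perms").split()),
                comm=f.get("comm", ""),
                target=f.get("path") or f.get("name", ""),
                scontext=f.get("scontext", ""),
                tcontext=f.get("tcontext", ""),
                tclass=f.get("tclass", ""),
                permissive=f.get("permissive") == "1",
                exe=syscall.get("exe", ""),
                syscall=syscall.get("syscall", ""),
            ))
    return denials


def classify(d):
    """Operational meaning of one denial."""
    if d.decision != "denied":
        return "granted"
    if d.permissive:
        return "logged only (permissive domain or mode); would be blocked when enforcing"
    return "blocked"


def summarize(denials):
    """Counts per (source type, target type, class, permission): the granularity
    at which a policy rule is written, so repeats of one access collapse to one row."""
    counts = Counter()
    for d in denials:
        for p in d.perms:
            counts[(selinux_type(d.scontext), selinux_type(d.tcontext), d.tclass, p)] += 1
    return counts


# Generic types a confined daemon rarely has a legitimate reason to touch; a denial
# here usually means a mislabelled file or a test artifact, not a missing rule.
GENERIC_TARGET_TYPES = {"user_tmp_t", "tmp_t", "user_home_t", "admin_home_t"}


def suspicious_targets(denials):
    """Denials whose target type is in GENERIC_TARGET_TYPES, to review before allowing."""
    return [d for d in denials if selinux_type(d.tcontext) in GENERIC_TARGET_TYPES]


if __name__ == "__main__":
    found = parse_ausearch(SAMPLE_AUSEARCH)
    for d in found:
        print(f"{d.serial}: {d.comm} [{selinux_type(d.scontext)}] {' '.join(d.perms)} "
              f"{d.tclass} {d.target} [{selinux_type(d.tcontext)}] -> {classify(d)}")
    for key, n in sorted(summarize(found).items()):
        print(f"{n:>3}  {' '.join(key)}")
    for d in suspicious_targets(found):
        print(f"review before allowing: serial {d.serial} target {d.target}")
```

Run it as-is to see the two page records collapse into one `fdo_t user_tmp_t file open` row flagged for review, while the constructed record shows what a genuinely blocking denial (permissive=0, success=no) looks like. The summary keys map directly onto what audit2allow would emit, which is the point of collapsing first: you review one row per access pattern, not one per occurrence.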

Comment 19 Nikola Knazekova 2023-05-02 16:00:15 UTC
Hi,

nice, can you please retest it with version 38.14-1.fc39.671 ?

Comment 20 Yi He 2023-05-04 04:28:17 UTC
Verified with new build, fdo function works as expected. 

[root@yih-92 rhel-edge]# rpm -qa fdo\* selinux\* | sort
fdo-admin-cli-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-rendezvous-server-0.4.7-3.el9.x86_64
selinux-policy-38.14-1.el9.671.noarch
selinux-policy-targeted-38.14-1.el9.671.noarch

[root@yih-92 rhel-edge]# ausearch -m avc -m user_avc -m selinux_err -i
----
type=PROCTITLE msg=audit(05/03/2023 22:53:56.077:20914) : proctitle=/usr/libexec/fdo/fdo-serviceinfo-api-server 
type=PATH msg=audit(05/03/2023 22:53:56.077:20914) : item=0 name=/tmp/fdouser inode=17843235 dev=fc:04 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(05/03/2023 22:53:56.077:20914) : cwd=/etc/fdo/aio/work 
type=SYSCALL msg=audit(05/03/2023 22:53:56.077:20914) : arch=x86_64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0x7ffc709806b0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=566949 pid=566966 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=fdo-serviceinfo exe=/usr/libexec/fdo/fdo-serviceinfo-api-server subj=system_u:system_r:fdo_t:s0 key=(null) 
type=AVC msg=audit(05/03/2023 22:53:56.077:20914) : avc:  denied  { open } for  pid=566966 comm=fdo-serviceinfo path=/tmp/fdouser dev="vda4" ino=17843235 scontext=system_u:system_r:fdo_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=1

Comment 21 Nikola Knazekova 2023-05-09 15:25:04 UTC
Hi, 

thank you for the testing.

Do you know how /tmp/fdouser is created?

Comment 22 Yi He 2023-05-15 09:48:55 UTC
Hi,

/tmp/fdouser has nothing to do with fido and selinux, or this bug; you can ignore it.

I can explain how this file is created:
/tmp/fdouser is created in my test script; it will be copied to /etc/sudoers.d/fdouser in the edge OS during fdo onboarding. The purpose is to enable 'no password sudo' for fdouser.

Shell script to create it:
tee /tmp/fdouser > /dev/null << EOF
fdouser ALL=(ALL) NOPASSWD: ALL
EOF

Shell script to configure fido owner onboarding server to copy it:
sudo /usr/local/bin/yq -iy '.service_info.files |= [{path: "/etc/sudoers.d/fdouser", source_path: "/tmp/fdouser"}]' /etc/fdo/aio/configs/serviceinfo_api_server.yml

Comment 23 Nikola Knazekova 2023-05-15 15:39:51 UTC
Hi, 

thank you very much for your help.

Comment 24 RHEL Program Management 2023-05-25 07:28:27 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 32 Xiaofeng Wang 2023-08-03 09:56:04 UTC
Re-opened this bug because fdo-manufacturing-server and fdo-rendezvous-server have a permission denied error in RHEL 9.3 with selinux-policy-38.1.18-1.el9.noarch.

The AVC log attached.

Comment 35 Xiaofeng Wang 2023-08-03 10:00:59 UTC
*** Bug 2219647 has been marked as a duplicate of this bug. ***

Comment 39 idiez 2023-08-04 13:25:24 UTC
We are also experiencing issues with the fdo-init RPM, which works in the dracut stage and needs to copy a file from /etc to /bootmount.

Comment 40 Nikola Knazekova 2023-08-04 14:59:26 UTC
Hi, 

please open a new bug and attach all SELinux denials there.

Thank you,
Nikola

Comment 41 Xiaofeng Wang 2023-08-07 13:06:18 UTC
Thanks! I opened a new bug https://bugzilla.redhat.com/show_bug.cgi?id=2229722 and attached the FDO server and client AVC logs in the bug.

Comment 42 Peter Robinson 2023-08-08 10:22:26 UTC
> please open new bug and attach there all SELinux denials.

This was previously in the VERIFIED state, it hasn't gone out and the changes here still fix things which need to go stable.

Comment 48 errata-xmlrpc 2023-11-07 08:52:15 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617

