Bug 2041447 - SELinux denials with shorewall6-lite service
Summary: SELinux denials with shorewall6-lite service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: CentOS Stream
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.6
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-17 11:20 UTC by Oliver Freyermuth
Modified: 2022-05-10 16:24 UTC (History)

Fixed In Version: selinux-policy-3.14.3-87.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 15:15:49 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy pull 954 | 0 | None | Merged | Allow shorewall to access /var/lib/shorewall6-lite | 2022-01-17 11:20:04 UTC
Red Hat Issue Tracker | RHELPLAN-108311 | 0 | None | None | None | 2022-01-17 11:21:07 UTC
Red Hat Product Errata | RHBA-2022:1995 | 0 | None | None | None | 2022-05-10 15:16:09 UTC

Description Oliver Freyermuth 2022-01-17 11:20:05 UTC
Description of problem:
Trying to start the shorewall6-lite service with SELinux in en


Version-Release number of selected component (if applicable):
3.14.3-80.el8_5.2

How reproducible:
Always. 

Steps to Reproduce:
1. Configure shorewall6. 
2. Start shorewall6-lite service. 

Actual results:
Starting fails with permission denied (SELinux denial):
type=AVC msg=audit(1637837574.772:19965): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall.conf" dev="md125" ino=679 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19966): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19967): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0

Expected results:
Works. 

Additional info:
Already fixed upstream via:
https://github.com/fedora-selinux/selinux-policy/pull/954

Comment 1 Milos Malik 2022-01-17 11:37:09 UTC
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(01/17/2022 06:33:24.784:338) : proctitle=/bin/sh /usr/sbin/shorewall -6l start 
type=PATH msg=audit(01/17/2022 06:33:24.784:338) : item=0 name=/var/lib/shorewall6-lite/firewall inode=1254942 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/17/2022 06:33:24.784:338) : cwd=/ 
type=SYSCALL msg=audit(01/17/2022 06:33:24.784:338) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55c22217eb20 a1=0x7fffb7cd2130 a2=0x7fffb7cd2130 a3=0x10 items=1 ppid=1 pid=6720 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=shorewall exe=/usr/bin/bash subj=system_u:system_r:shorewall_t:s0 key=(null) 
type=AVC msg=audit(01/17/2022 06:33:24.784:338) : avc:  denied  { getattr } for  pid=6720 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0 
----

# rpm -qa shorewall\* selinux-policy\* | sort
selinux-policy-3.14.3-86.el8.noarch
selinux-policy-targeted-3.14.3-86.el8.noarch
shorewall-5.2.2-4.el8.noarch
shorewall6-5.2.2-4.el8.noarch
shorewall6-lite-5.2.2-4.el8.noarch
shorewall-core-5.2.2-4.el8.noarch
# ls -ldZ /var/lib/shorewall*
drwxr-xr-x. 2 root root system_u:object_r:shorewall_var_lib_t:s0  6 Jan 12  2020 /var/lib/shorewall
drwxr-xr-x. 2 root root system_u:object_r:shorewall_var_lib_t:s0  6 Jan 12  2020 /var/lib/shorewall6
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0           22 Jan 17 06:33 /var/lib/shorewall6-lite
# restorecon -Rv /var/lib/
# 

Easily reproducible after installation of above-mentioned packages and the following command:

# touch /var/lib/shorewall6-lite/firewall

Comment 2 Milos Malik 2022-01-17 11:41:51 UTC
Caught in permissive mode:
----
type=PROCTITLE msg=audit(01/17/2022 06:38:07.199:343) : proctitle=/bin/sh /usr/sbin/shorewall -6l start 
type=PATH msg=audit(01/17/2022 06:38:07.199:343) : item=0 name=/var/lib/shorewall6-lite/firewall inode=1254942 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/17/2022 06:38:07.199:343) : cwd=/ 
type=SYSCALL msg=audit(01/17/2022 06:38:07.199:343) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x55eb85c47b20 a1=0x7ffccb580b20 a2=0x7ffccb580b20 a3=0x10 items=1 ppid=1 pid=6779 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=shorewall exe=/usr/bin/bash subj=system_u:system_r:shorewall_t:s0 key=(null) 
type=AVC msg=audit(01/17/2022 06:38:07.199:343) : avc:  denied  { getattr } for  pid=6779 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1 
----

I believe that 1 file context pattern (which would match the /var/lib/shorewall6-lite location) is missing:

# semanage fcontext -l | grep /var/lib/shorewall
/var/lib/shorewall(/.*)?                           all files          system_u:object_r:shorewall_var_lib_t:s0 
/var/lib/shorewall-lite(/.*)?                      all files          system_u:object_r:shorewall_var_lib_t:s0 
/var/lib/shorewall6(/.*)?                          all files          system_u:object_r:shorewall_var_lib_t:s0 
#

All shorewall* packages come from the EPEL repository.
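
The diagnosis in comment 2 (a denial where the target carries the generic var_lib_t label because no file context pattern covers /var/lib/shorewall6-lite, so `restorecon -Rv` changes nothing) can be reproduced offline. The following script is an added example written for this page; it is not code from the bug report, from shorewall, or from the selinux-policy project. It parses the AVC records quoted above (both the raw epoch form from the description and the `ausearch -i` form from the comments), then matches the denied path against a small file-context table built from the `semanage fcontext -l` output in comment 2. Assumptions: the table also carries the generic `/var/lib(/.*)?` -> var_lib_t entry as the fallback, and "most specific match" is approximated by the longest matching pattern (libselinux orders file_contexts entries by specificity; this shortcut gives the same answer for this small set). The sample log lines are copies of the ones in this report.

```python
import re
from collections import Counter

# Constructed sample input: the AVC records quoted in this bug report.
# Lines 1-2 are the raw audit.log form; line 3 is the `ausearch -i` form.
SAMPLE_AVCS = """\
type=AVC msg=audit(1637837574.772:19965): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall.conf" dev="md125" ino=679 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1637837574.791:19966): avc:  denied  { getattr } for  pid=1440315 comm="shorewall" path="/var/lib/shorewall6-lite/firewall" dev="md125" ino=590 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/17/2022 06:38:07.199:343) : avc:  denied  { getattr } for  pid=6779 comm=shorewall path=/var/lib/shorewall6-lite/firewall dev="vda1" ino=1254942 scontext=system_u:system_r:shorewall_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=1
"""

# One regex covers both record styles: path may or may not be quoted.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bpath="?(?P<path>[^"\s]+)"?.*?'
    r'\bscontext=(?P<scontext>\S+).*?'
    r'\btcontext=(?P<tcontext>\S+).*?'
    r'\btclass=(?P<tclass>\S+).*?'
    r'\bpermissive=(?P<permissive>[01])'
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()                  # "{ getattr write }" -> list
    d["stype"] = d["scontext"].split(":")[2]          # user:role:TYPE:level
    d["ttype"] = d["tcontext"].split(":")[2]
    d["permissive"] = d["permissive"] == "1"
    return d

def parse_avcs(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]

def summarize(denials):
    """Count denials by (source type, target type, class, permission)."""
    c = Counter()
    for d in denials:
        for p in d["perms"]:
            c[(d["stype"], d["ttype"], d["tclass"], p)] += 1
    return dict(c)

# Assumed generic fallback for anything under /var/lib (refpolicy files.fc).
GENERIC = r"/var/lib(/.*)?"

# Constructed from the `semanage fcontext -l` output in comment 2.
FCONTEXTS_BEFORE = {
    GENERIC: "var_lib_t",
    r"/var/lib/shorewall(/.*)?": "shorewall_var_lib_t",
    r"/var/lib/shorewall-lite(/.*)?": "shorewall_var_lib_t",
    r"/var/lib/shorewall6(/.*)?": "shorewall_var_lib_t",
}
# The pattern the upstream PR adds (hypothetical table, same type as siblings).
FCONTEXTS_AFTER = dict(FCONTEXTS_BEFORE,
                       **{r"/var/lib/shorewall6-lite(/.*)?": "shorewall_var_lib_t"})

def best_fcontext(path, fcontexts):
    """(pattern, type) restorecon would apply: anchored match, longest pattern wins.
    Assumption: longest-pattern stands in for libselinux's specificity ordering."""
    best = (None, None)
    for pattern, ftype in fcontexts.items():
        if re.fullmatch(pattern, path) and (best[0] is None or len(pattern) > len(best[0])):
            best = (pattern, ftype)
    return best

def diagnose(denial, fcontexts):
    """Classify why the target label is what it is:
    'relabel'    - a specific pattern exists but the file is not labelled by it (run restorecon)
    'policy-gap' - only the generic /var/lib pattern matches (policy needs a new fcontext)
    'rule-gap'   - label already correct; the domain simply lacks an allow rule
    'unknown'    - path not covered by the table at all"""
    pattern, ftype = best_fcontext(denial["path"], fcontexts)
    if ftype is None:
        return "unknown"
    if ftype != denial["ttype"]:
        return "relabel"
    if pattern == GENERIC:
        return "policy-gap"
    return "rule-gap"

if __name__ == "__main__":
    denials = parse_avcs(SAMPLE_AVCS)
    for key, n in summarize(denials).items():
        print(f"{n}x {key}")
    for d in denials:
        print(d["path"], "before:", diagnose(d, FCONTEXTS_BEFORE),
              "after:", diagnose(d, FCONTEXTS_AFTER))
```

Run against the sample, every denial is reported as `policy-gap` with the original table (the `shorewall6` pattern stops at `shorewall6`, so `shorewall6-lite` falls through to `/var/lib(/.*)?`), and as `relabel` once the `shorewall6-lite` pattern is present, which is exactly the sequence of the fix: ship the new file context in the policy package, then relabel.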

Comment 3 Oliver Freyermuth 2022-01-17 12:01:45 UTC
(In reply to Milos Malik from comment #2)
> I believe that 1 file context pattern (which would match the
> /var/lib/shorewall6-lite location) is missing:

Indeed, this is exactly the pattern the linked PR adds. 
For reference, here's the direct link to the commit:
https://github.com/fedora-selinux/selinux-policy/commit/9f1eb5d72ed0e9c0859cf6240ac8eace9e3e1c80

Comment 4 Zdenek Pytela 2022-01-17 15:45:35 UTC
Needs to be backported:
commit 9f1eb5d72ed0e9c0859cf6240ac8eace9e3e1c80
Author: Oliver Freyermuth <freyermuth.de>
Date:   Thu Nov 25 11:53:15 2021 +0100

    Label /var/lib/shorewall6-lite with shorewall_var_lib_t

Comment 18 errata-xmlrpc 2022-05-10 15:15:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995

