Bug 2084077 - SELinux prevents portablectl detach [NEEDINFO]
Summary: SELinux prevents portablectl detach
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: Unspecified
OS: Unspecified
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-05-11 10:32 UTC by Sam Thursfield
Modified: 2022-05-13 09:34 UTC

Type: Bug
mmalik: needinfo? (ssssam)

Description Sam Thursfield 2022-05-11 10:32:07 UTC
Description of problem:

Detaching a filesystem-based Portable Service does not work:

```
[I] sam@ausecuma ~/s/portable-walkthrough (main)> sudo portablectl attach /opt/serialosc
(Matching unit files with prefix 'serialosc'.)
Created directory /etc/systemd/system.attached/serialosc.service.d.
Written /etc/systemd/system.attached/serialosc.service.d/20-portable.conf.
Created symlink /etc/systemd/system.attached/serialosc.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf.
Copied /opt/serialosc/usr/local/lib/systemd/system/serialosc.service → /etc/systemd/system.attached/serialosc.service.
Created symlink /etc/portables/serialosc → /opt/serialosc.
[I] sam@ausecuma ~/s/portable-walkthrough (main)> sudo portablectl detach /opt/serialosc
DetachImage failed: Access denied
```

Disabling SELinux with `setenforce 0` works around the issue.

Relevant audit.log entry appears to be this:

```
type=USER_AVC msg=audit(1652264980.399:749): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/etc/systemd/system.attached/serialosc.service" cmdline="/usr/lib/systemd/systemd-portabled" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=service permissive=0  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'^]UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
```

Related issue: https://bugzilla.redhat.com/show_bug.cgi?id=1922580 - I have confirmed that this bug is also still present in Fedora 35.

Version-Release number of selected component (if applicable):

```
> portablectl --version
systemd 249 (v249.11-2.fc35)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
```


How reproducible: always.


Steps to Reproduce:
1. Attach a portable service from filesystem (if you try to attach an image, you will hit https://bugzilla.redhat.com/show_bug.cgi?id=1922580)
2. Try to detach it.

Actual results:

Access denied error.

Expected results:

Service is detached.
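
To triage a denial like the one in the audit.log excerpt above, as an added example that is not part of the bug report: a small Python parser that pulls the decision, permissions, source and target types and object class out of a USER_AVC (or plain AVC) record and prints the `allow` rule that `audit2allow` would derive from it, so a reviewer can see exactly what a local policy module would grant before deciding whether that is the right fix. The record string is copied from the report (the `^]` in the excerpt is the 0x1d separator auditd writes before the enriched-name suffix); the parser functions themselves are hypothetical helpers, not part of any SELinux tool.

```python
import re

# USER_AVC record copied from the bug report above; the "\x1d" byte is the
# separator auditd inserts before the enriched-name suffix ("^]" in the log).
SAMPLE_RECORD = (
    "type=USER_AVC msg=audit(1652264980.399:749): pid=1 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } "
    "for auid=n/a uid=0 gid=0 path=\"/etc/systemd/system.attached/serialosc.service\" "
    "cmdline=\"/usr/lib/systemd/systemd-portabled\" scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:object_r:etc_runtime_t:s0 tclass=service permissive=0  "
    "exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'\x1dUID=\"root\""
)

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Fields of one AVC/USER_AVC record, or None if it carries no avc message."""
    # USER_AVC wraps the avc text in msg='...'; kernel AVC records do not.
    inner = record.split("msg='", 1)[1].split("'", 1)[0] if "msg='" in record else record
    m = AVC_RE.search(inner)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],   # e.g. init_t
        "ttype": fields["tcontext"].split(":")[2],   # e.g. etc_runtime_t
        "tclass": fields["tclass"],                  # e.g. service
        "permissive": fields.get("permissive") == "1",
        "path": fields.get("path"),
        "cmdline": fields.get("cmdline"),
    }


def allow_rules(records):
    """Rules audit2allow would propose: one per (source, target, class), perms merged."""
    merged = {}
    for rec in records:
        avc = parse_avc(rec)
        if avc is None or avc["result"] != "denied":
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        merged.setdefault(key, set()).update(avc["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]
```

For the record above the result is `allow init_t etc_runtime_t:service { status };`, which shows the real question for the maintainer: whether the attached unit under /etc/systemd/system.attached/ should carry the generic etc_runtime_t label at all, rather than whether init_t should be allowed to act on that label.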

Comment 1 Milos Malik 2022-05-13 09:32:35 UTC
I would like you to test a workaround.

My assumptions are:
1) SELinux label on the systemd-portabled file was not changed:

```
# ls -Z /usr/lib/systemd/systemd-portabled
system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd-portabled
#
```

2) After starting the systemd-portabled service, the systemd-portabled process runs as init_t:

```
system_u:system_r:init_t:s0     root        1448       1  0 05:22 ?        00:00:00 /usr/lib/systemd/systemd-portabled
```

The workaround consists of the following commands:

```
# chcon -t usr_t /usr/lib/systemd/systemd-portabled
# systemctl restart systemd-portabled
```

The purpose of the workaround is to run the systemd-portabled service as unconfined_service_t (instead of init_t) and see if that helps.

Does the portablectl command mentioned above work now?

Thank you.

Comment 2 Milos Malik 2022-05-13 09:34:58 UTC
Why a workaround? Because SELinux policy currently does not provide any special policy for the systemd-portabled program.
