RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2088441 - /usr/lib/systemd/systemd-socket-proxyd is not labeled appropriately, making the tool unusable
Summary: /usr/lib/systemd/systemd-socket-proxyd is not labeled appropriately, making t...
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-10-24
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Jan Fiala
URL:
Whiteboard:
Depends On:
Blocks: 2141606
TreeView+ depends on / blocked
 
Reported: 2022-05-19 12:59 UTC by Renaud Métrich
Modified: 2023-05-16 11:00 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.3-113.el8
Doc Type: Enhancement
Doc Text:
.New SELinux policy for `systemd-socket-proxyd` Because the `systemd-socket-proxyd` service requires particular resources usage, a new policy with the required rules was added to the `selinux-policy` packages. As a result, the service runs in its SELinux domain.
Clone Of:
: 2141606 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:03:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-122590 0 None None None 2022-05-19 13:13:26 UTC
Red Hat Knowledge Base (Solution) 6960340 0 None None None 2022-05-23 07:27:21 UTC
Red Hat Product Errata RHBA-2023:2965 0 None None None 2023-05-16 09:04:03 UTC

Description Renaud Métrich 2022-05-19 12:59:27 UTC 
Description of problem:

We have a customer trying to use /usr/lib/systemd/systemd-socket-proxyd functionality. The tool is supposed to be able to connect to various sockets since it's supposed to act as a proxy.
Currently it's labeled with *init_exec_t*, hence executes in the context of the caller (systemd), *init_t*, which is hopefully not able to connect to the world.

From the manpage, the tool is supposed to be used as a service ExecStart command.
We need to create a new label for this tool and appropriate transition so that connection to sockets is possible.

Version-Release number of selected component (if applicable):

systemd-239

How reproducible:

Always

Steps to Reproduce:
1. Install telnet-server and nmap-ncat

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# yum -y install telnet-server nmap-ncat
# systemctl start telnet.socket
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Create a proxy-to-telnet socket (/etc/systemd/system/proxy-to-telnet.socket)

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[Socket]
ListenStream=80

[Install]
WantedBy=sockets.target
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Create a proxy-to-telnet service (/etc/systemd/system/proxy-to-telnet.service)

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[Unit]
Requires=proxy-to-telnet.socket
After=proxy-to-telnet.socket

[Service]
ExecStart=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:23
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

4. Start the socket and try connecting to it

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl daemon-reload
# ncat -t localhost 80
--> "hangs"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# ausearch -i -m avc,user_avc -ts recent
----
type=PROCTITLE msg=audit(05/19/2022 14:58:13.294:365) : proctitle=/usr/lib/systemd/systemd-socket-proxyd 127.0.0.1:23 
type=SYSCALL msg=audit(05/19/2022 14:58:13.294:365) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xa a1=0x55e03db88af0 a2=0x10 a3=0x0 items=0 ppid=1 pid=11666 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-socket- exe=/usr/lib/systemd/systemd-socket-proxyd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(05/19/2022 14:58:13.294:365) : avc:  denied  { name_connect } for  pid=11666 comm=systemd-socket- dest=23 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:telnetd_port_t:s0 tclass=tcp_socket permissive=0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:

Telnet connection happening

Additional info:

The workaround is to wrap the call in a shell script stored on /usr/local/bin so that, due to the script being labeled with *bin_t*, a transition to *unconfined_service_t* happens:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# cat /usr/local/bin/systemd-socket-proxyd:
#!/bin/sh
exec /usr/lib/systemd/systemd-socket-proxyd $*
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Example Service (/etc/systemd/system/proxy-to-telnet.service):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[Unit]
Requires=proxy-to-telnet.socket
After=proxy-to-telnet.socket

[Service]
ExecStart=/usr/local/bin/systemd-socket-proxyd 127.0.0.1:23
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Comment 2 Renaud Métrich 2022-05-24 14:18:38 UTC 
We now need to sync with systemd to find an appropriate context. Something similar to what squid can do probably.
Comment 5 Zdenek Pytela 2022-09-22 17:26:00 UTC 
Commit to backport:
commit ea2da5e990b89f95cbfdebdda0b932e8c860c49d (HEAD -> rawhide, upstream/rawhide)
Author: (GalaxyMaster) <galaxy4public.github.com>
Date:   Mon Nov 9 00:50:12 2020 +1100

    added policy for systemd-socket-proxyd
Comment 44 errata-xmlrpc 2023-05-16 09:03:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965
Note You need to log in before you can comment on or make changes to this bug.