RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2111206 - Support all init_t <=> install_t operations that also work with init_t <=> unconfined_t
Summary: Support all init_t <=> install_t operations that also work with init_t <=> un...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: CentOS Stream
Hardware: Unspecified
OS: Linux
low
medium
Target Milestone: rc
: 9.1
Assignee: Nikola Knazekova
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 2110012
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-07-26 17:31 UTC by Colin Walters
Modified: 2022-11-15 12:58 UTC (History)
14 users (show)

Fixed In Version: selinux-policy-34.1.39-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: Missing SELinux policy rules in init leads to denials Consequence: Failling tests Fix: Allow systemd work with install_t unix stream sockets Result: No AVC
Clone Of: 2110012
Environment:
Last Closed: 2022-11-15 11:13:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-129143 0 None None None 2022-07-26 17:42:15 UTC
Red Hat Product Errata RHBA-2022:8283 0 None None None 2022-11-15 11:14:02 UTC

Description Colin Walters 2022-07-26 17:31:38 UTC 
+++ This bug was initially created as a clone of Bug #2110012 +++

This is a request to backport the policy fixes to RHEL 9.1.

I'm trying to reopen and re-land this change: https://github.com/coreos/rpm-ostree/pull/2932
which causes rpm-ostreed to be directly systemd socket activated, which will allow us to drop a  big pile of workarounds for previous bugs in the DBus design.

However, this is denied by policy:

Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/rpm-ostree/client.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1

I keep running into small things like this; please make install_t a strict superset of unconfined_t (i.e. it should just be unconfined_t + mac_admin).

--- Additional comment from Colin Walters on 2022-07-22 20:38:04 UTC ---

Alternatively, perhaps what I may try to do in the future is have rpm-ostree fork a child process copy of itself that is wrapped with e.g. `runcon -t install_t` or so, but that would require changing the policy to drop the install_exec_t for /usr/bin/rpm-ostree which would break older versions, unless we can figure out a way to do this compatibly.

--- Additional comment from Zdenek Pytela on 2022-07-25 13:47:03 UTC ---

Should work in rawhide already:
rawhide# sesearch -A -s init_t -t install_t -c unix_stream_socket -p bind,create,listen,setopt
allow init_t install_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
rawhide# rpm -q selinux-policy
selinux-policy-37.7-1.fc37.noarch

Also note install_t is an unconfined domain, most of possible permissions are already allowed, IPC are one of the exceptions.

--- Additional comment from Colin Walters on 2022-07-25 15:32:46 UTC ---

Thanks!  I'd be nice to ship this in RHEL 9.1 if at all possible; anything I can do to help with that?
I think potentially we can avoid depending on this in F36 lifetime.

--- Additional comment from Zdenek Pytela on 2022-07-26 16:43:29 UTC ---

(In reply to Colin Walters from comment #3)
> Thanks!  I'd be nice to ship this in RHEL 9.1 if at all possible; anything I
> can do to help with that?
> I think potentially we can avoid depending on this in F36 lifetime.

Please clone the bz for RHEL 9 then, but note it is quite late in the development cycle.
Comment 9 errata-xmlrpc 2022-11-15 11:13:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283
Note You need to log in before you can comment on or make changes to this bug.