Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2111206

Summary: Support all init_t <=> install_t operations that also work with init_t <=> unconfined_t
Product: Red Hat Enterprise Linux 9 Reporter: Colin Walters <walters>
Component: selinux-policyAssignee: Nikola Knazekova <nknazeko>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: CentOS StreamCC: apeetham, bstinson, dwalsh, extras-qa, grepl.miroslav, jwboyer, lvrabec, mmalik, nknazeko, omosnace, pkoncity, ssekidde, vmojzis, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 9.1Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-34.1.39-1.el9 Doc Type: Bug Fix
Doc Text:
Cause: Missing SELinux policy rules in init leads to denials Consequence: Failling tests Fix: Allow systemd work with install_t unix stream sockets Result: No AVC
 Story Points: ---
Clone Of: 2110012 Environment:
Last Closed: 2022-11-15 11:13:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2110012    
Bug Blocks:    

Description Colin Walters 2022-07-26 17:31:38 UTC 
+++ This bug was initially created as a clone of Bug #2110012 +++

This is a request to backport the policy fixes to RHEL 9.1.

I'm trying to reopen and re-land this change: https://github.com/coreos/rpm-ostree/pull/2932
which causes rpm-ostreed to be directly systemd socket activated, which will allow us to drop a  big pile of workarounds for previous bugs in the DBus design.

However, this is denied by policy:

Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { setopt } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { bind } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1
Jul 22 17:54:36 cosa-devsh audit[1]: AVC avc:  denied  { listen } for  pid=1 comm="systemd" path="/run/rpm-ostree/client.sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:install_t:s0 tclass=unix_stream_socket permissive=1

I keep running into small things like this; please make install_t a strict superset of unconfined_t (i.e. it should just be unconfined_t + mac_admin).

--- Additional comment from Colin Walters on 2022-07-22 20:38:04 UTC ---

Alternatively, perhaps what I may try to do in the future is have rpm-ostree fork a child process copy of itself that is wrapped with e.g. `runcon -t install_t` or so, but that would require changing the policy to drop the install_exec_t for /usr/bin/rpm-ostree which would break older versions, unless we can figure out a way to do this compatibly.

--- Additional comment from Zdenek Pytela on 2022-07-25 13:47:03 UTC ---

Should work in rawhide already:
rawhide# sesearch -A -s init_t -t install_t -c unix_stream_socket -p bind,create,listen,setopt
allow init_t install_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
rawhide# rpm -q selinux-policy
selinux-policy-37.7-1.fc37.noarch

Also note install_t is an unconfined domain, most of possible permissions are already allowed, IPC are one of the exceptions.

--- Additional comment from Colin Walters on 2022-07-25 15:32:46 UTC ---

Thanks!  I'd be nice to ship this in RHEL 9.1 if at all possible; anything I can do to help with that?
I think potentially we can avoid depending on this in F36 lifetime.

--- Additional comment from Zdenek Pytela on 2022-07-26 16:43:29 UTC ---

(In reply to Colin Walters from comment #3)
> Thanks!  I'd be nice to ship this in RHEL 9.1 if at all possible; anything I
> can do to help with that?
> I think potentially we can avoid depending on this in F36 lifetime.

Please clone the bz for RHEL 9 then, but note it is quite late in the development cycle.
Comment 9 errata-xmlrpc 2022-11-15 11:13:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283