Bug 2128833 - Please add policy for booth daemon
Summary: Please add policy for booth daemon
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nobody
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-21 15:45 UTC by Jan Friesse
Modified: 2023-11-07 11:22 UTC (History)

Fixed In Version: selinux-policy-38.1.17-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:15 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
- Red Hat Issue Tracker RHELPLAN-134620 (last updated 2022-09-21 15:48:45 UTC)
- Red Hat Product Errata RHBA-2023:6617 (last updated 2023-11-07 08:52:31 UTC)

Description Jan Friesse 2022-09-21 15:45:32 UTC
Description of problem:
Booth daemon doesn't have any selinux policy, so it is running as an unconfined_service_t service - found while solving https://issues.redhat.com/browse/RHELPLAN-130860

Version-Release number of selected component (if applicable):
All

How reproducible:
100%

Steps to Reproduce:
1. Run booth daemon

Actual results:
Booth is running as an unconfined_service_t

Expected results:
Booth is not running as an unconfined_service_t

Additional info:
Booth is quite different from other daemons - so it will probably need its own policy in https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/rhcs.fc .

Configuration:
High level config is described in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_high_availability_clusters/assembly_configuring-multisite-cluster-configuring-and-managing-high-availability-clusters. Low level it is enough to create booth.conf and run 'boothd daemon -SD'

Expected functionality:
The boothd binary is used as:
- Arbitrator - daemon executed via systemd
- Site - daemon executed via pacemaker
- Client - used to grant/list/revoke tickets - connecting via TCP to the local (or remote) daemon

Booth must be able to:
- bind/listen/connect to a port (default 9929, but it is expected to be configured to a different one as well) for both TCP and UDP
- send/recv UDP/TCP packets
- exec an arbitrary binary - it communicates with pacemaker using the crm_ticket command and allows the before-acquire-handler functionality
- write a lock file (/var/run/booth/booth.pid by default)
- read the config file (/etc/booth/booth.conf and optionally /etc/booth/authfile, but both can be and are expected to be changed; there is even a systemd 'booth@' service using /etc/booth/%i.conf, which also changes the name of the lock file)

In contrast to other rhcs daemons (like corosync/pcmk), it does not use libqb IPC (so no /dev/shm/ files are created).

Please ask me if you are unsure whether other system calls are expected.

Comment 1 Nikola Knazekova 2022-10-31 19:12:38 UTC
Hi Jan,

I created an initial SELinux policy for Booth, but I am not able to test it properly.

Can you please test it and attach AVC messages?
The new SELinux policy with the boothd module is available on copr:

# dnf copr enable nknazeko/boothd-selinux 
# dnf update selinux-policy


Also, before testing it is useful to have full auditing enabled:

Open the /etc/audit/rules.d/audit.rules file in an editor.

 1. Remove the following line if it exists:

-a task,never

 2. Add the following line at the end of the file:

-w /etc/shadow -p w

 3. Restart the audit daemon:

 # service auditd restart


Draft Pull Request is available here: https://github.com/fedora-selinux/selinux-policy/pull/1451/files

Thank you

Nikola

Comment 2 Jan Friesse 2022-11-01 11:26:11 UTC
Hi Nikola,
thanks, I will try to give it a shot hopefully later this week and let you know.

Comment 7 Nikola Knazekova 2022-11-21 22:17:11 UTC
Hi Jan,

thank you very much for the detailed description and logs.

I made another copr build (37.14-1.fc38.10) with new fixes.

Can you please test it again and attach logs here?

Thank you.

Nikola

Comment 17 Zdenek Pytela 2023-02-21 11:21:32 UTC
Could you try the following local module:

# cat local_boothd.cil
(allow boothd_t boothd_t (tcp_socket (read,write)))
(allow boothd_t boothd_t (udp_socket (write)))

# semodule -i local_boothd.cil

then reproduce in SELinux enforcing mode and check the service status and/or audit denials?

Comment 18 Jan Friesse 2023-02-21 15:18:52 UTC
# semodule -i local_boothd.cil
Failed to resolve permission read,write
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/400/local_boothd/cil:1
Failed to resolve AST
semodule:  Failed!
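Comments 17 and 18 show the one CIL pitfall in this thread: a permission list is space-separated, not comma-separated. As an added example (not code from the bug or from the selinux-policy project), here is a small Python helper that groups AVC denial records by source type, target type and class and renders them as CIL allow rules in the syntax semodule accepts; the log records are constructed, and the only audit-log fields assumed are the standard scontext/tcontext/tclass ones.

```python
import re
from collections import defaultdict

# Constructed sample records (not logs from this bug) in raw
# /var/log/audit/audit.log form, as a boothd_t domain would produce them.
SAMPLE_AVC = """\
type=AVC msg=audit(1676985600.101:201): avc:  denied  { read } for  pid=2101 comm="boothd" path="socket:[33100]" dev="sockfs" ino=33100 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:boothd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1676985600.102:202): avc:  denied  { write } for  pid=2101 comm="boothd" path="socket:[33100]" dev="sockfs" ino=33100 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:boothd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1676985600.103:203): avc:  denied  { write } for  pid=2101 comm="boothd" path="socket:[33101]" dev="sockfs" ino=33101 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:boothd_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1676985600.104:204): avc:  denied  { name_bind } for  pid=2101 comm="boothd" src=9929 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# Pull the permission set, source type, target type and object class out of
# one denial record.  The MLS range after the type is skipped with \S+.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ "
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)


def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules


def to_cil(rules, domain="boothd_t"):
    """Render the grouped denials as CIL allow statements for one domain.

    CIL wants the permission list space-separated inside its own parentheses;
    writing "(read,write)" as in comment 17 makes semodule report
    "Failed to resolve permission read,write" (comment 18).
    The output is a starting point for review: a rule such as name_bind on
    unreserved_port_t is broader than a dedicated port type would be.
    """
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if stype != domain:
            continue
        out.append(f"(allow {stype} {ttype} ({tclass} ({' '.join(sorted(perms))})))")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_cil(parse_denials(SAMPLE_AVC)))
```

The printed statements can be saved as local_boothd.cil and loaded with `semodule -i local_boothd.cil`, as in comment 17.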

Comment 21 Nikola Knazekova 2023-03-13 15:52:34 UTC
Hi Jan,
I have fixed all AVC messages and created a copr build, version 38.8-1.fc39.310; can you please test it?

Comment 22 Jan Friesse 2023-03-30 13:29:44 UTC
Nikola, I had too much work fixing another issue in a different project, and meanwhile the selinux policy in rawhide got updated to a newer version, 38.9-1 - could you please send me an updated build to test?

Comment 23 Nikola Knazekova 2023-03-31 13:26:24 UTC
Hi Jan, 
I understand, the copr build is updated to version 38.10-1.fc39.410.
Thank you for your help.

Comment 24 Jan Friesse 2023-04-03 08:12:48 UTC
Hi Nikola,
thanks for the updated package. I've tested with selinux-policy-38.10-1.fc39.410.noarch and haven't found any issue (= test passed successfully).

# semodule -DB
# semodule -l  | grep booth
boothd

(no local_boothd -> there should be no leftovers from previous testing)

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today | grep -c booth
0

So I think the policy is good to go for QE testing.

Regards,
  Honza

Comment 25 Nikola Knazekova 2023-04-03 13:38:54 UTC
Hi Honza,

thank you for the help,
Nikola

Comment 46 errata-xmlrpc 2023-11-07 08:52:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617

