Bug 2156828 - crun is not whitelisted to run within fapolicyd
Summary: crun is not whitelisted to run within fapolicyd
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: fapolicyd
Version: 9.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-12-28 22:17 UTC by zkharitonov
Modified: 2023-08-16 14:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
View crun unable to run when fapolicyd is enabled (36.36 KB, image/png)
2022-12-28 22:17 UTC, zkharitonov


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-143348 0 None None None 2022-12-28 22:20:50 UTC
Red Hat Issue Tracker SECENGSP-4936 0 None None None 2022-12-28 22:20:53 UTC

Description zkharitonov 2022-12-28 22:17:38 UTC
Created attachment 1934786 [details]
View crun unable to run when fapolicyd is enabled

Description of problem:
crun is not whitelisted and unable to run within fapolicyd

Version-Release number of selected component (if applicable):
crun version 1.5
commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
spec: 1.0.0

How reproducible:
Reproducible by running the crun command while fapolicyd is enabled

Steps to Reproduce:
1. Ensure that fapolicyd is enabled by: systemctl status fapolicy
2. Run the crun command: crun
3. Observe that crun cannot run while fapolicyd is enabled
4. View attachment for additional information

Actual results:
Running crun is disabled when fapolicyd is enabled

Expected results:
Running crun should be successful when fapolicyd is enabled

Additional info:
View attached screenshot to view additional information

Comment 1 Radovan Sroka 2023-01-02 12:20:12 UTC
fapolicyd is blocking direct ld.so execution with the ld_so pattern.
crun

I think a workaround would be adding a rule, before the pattern rule, that allows crun from the following deny:

rule=5 dec=deny_audit perm=execute auid=0 pid=5043 exe=/usr/bin/crun : path=/usr/lib64/ld-linux-x86-64.so.2 ftype=application/x-sharedlib trust=1


Long term solution could be something like exception list.


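The workaround Comment 1 sketches, written out as an added example (this is not code from the bug or from the fapolicyd project): a rules.d fragment that allows crun to execute the loader, placed so it sorts before the shipped ld_so pattern deny, plus a check that the merged rule order really puts the allow first. Assumptions not stated in the bug: rules live under /etc/fapolicyd/rules.d and are concatenated by fagenrules in lexical file order, the pattern deny ships in 30-patterns.rules, and a file named 25-crun.rules is therefore early enough. The demo directory and its copy of the pattern rules are constructed inline so the script runs offline.

```bash
#!/bin/bash
# Added example (not from the bug report or fapolicyd itself).
# Assumption: rules.d files are merged in lexical order by fagenrules,
# and the ld_so deny lives in 30-patterns.rules as shipped on RHEL 9.

CRUN_EXE=/usr/bin/crun
LD_SO=/usr/lib64/ld-linux-x86-64.so.2   # object path from the deny in Comment 1

# The allow rule: subject is the (trusted) crun binary, object is only the
# loader, so nothing else gains permission to exec ld.so directly.
crun_rule() {
    printf 'allow perm=execute exe=%s trust=1 : path=%s trust=1\n' "$CRUN_EXE" "$LD_SO"
}

# Merge a rules.d directory the way fagenrules does (lexical order, comments
# and blank lines dropped) and return the 1-based position of the first rule
# matching the given grep pattern; empty output if no rule matches.
rule_index() {  # $1 = rules dir, $2 = grep pattern
    cat "$1"/*.rules \
        | grep -v '^[[:space:]]*#' \
        | grep -v '^[[:space:]]*$' \
        | grep -n -- "$2" | head -n1 | cut -d: -f1
}

# Succeeds only if the crun allow precedes the ld_so pattern deny. fapolicyd
# stops at the first matching rule, so an allow placed after the deny is dead.
check_order() {  # $1 = rules dir
    local allow deny
    allow=$(rule_index "$1" "exe=$CRUN_EXE")
    deny=$(rule_index "$1" "pattern=ld_so")
    [ -n "$allow" ] && [ -n "$deny" ] && [ "$allow" -lt "$deny" ]
}

# Constructed demo directory standing in for /etc/fapolicyd/rules.d; the
# pattern file is a subset of what RHEL 9 ships in 30-patterns.rules.
demo_dir=$(mktemp -d)
cat > "$demo_dir/30-patterns.rules" <<'EOF'
# constructed copy of the shipped pattern rules (subset)
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any pattern=ld_preload : all
EOF
crun_rule > "$demo_dir/25-crun.rules"

if check_order "$demo_dir"; then
    echo "ok: crun allow sorts before the ld_so deny"
else
    echo "BAD: crun allow would never match" >&2
fi
```

To apply it on a real host, drop the same one-line file into /etc/fapolicyd/rules.d/, run `fagenrules --load` to regenerate and reload the compiled rule set, and re-run `crun`; if it still fails, `fapolicyd --debug-deny` prints the deny record and the rule number that fired, which should no longer be the ld_so pattern rule. Keep the object narrowed to the loader path rather than `all`: the pattern rule exists to stop untrusted code being launched via ld.so, and a blanket allow for a container runtime would undo that.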