2156828 – crun is not whitelisted to run within fapolicyd

Bug 2156828 - crun is not whitelisted to run within fapolicyd

Summary: crun is not whitelisted to run within fapolicyd

Keywords:
Status:	NEW
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	fapolicyd
Sub Component:
Version:	9.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Radovan Sroka
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-12-28 22:17 UTC by zkharitonov
Modified:	2023-08-16 14:19 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
View crun unable to run when fapolicyd is enabled (36.36 KB, image/png) 2022-12-28 22:17 UTC, zkharitonov	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-143348	0	None	None	None	2022-12-28 22:20:50 UTC
Red Hat Issue Tracker	SECENGSP-4936	0	None	None	None	2022-12-28 22:20:53 UTC

Description zkharitonov 2022-12-28 22:17:38 UTC

Created attachment 1934786 [details]
View crun unable to run when fapolicyd is enabled

Description of problem:
crun is not whitelisted and unable to run within fapolicyd

Version-Release number of selected component (if applicable):
crun version 1.5
commit: 54ebb8ca8bf7e6ddae2eb919f5b82d1d96863dea
spec: 1.0.0

How reproducible:
Reproducible through running crun command while fapolicyd is enabled

Steps to Reproduce:
1. Ensure that fapolicyd is enabled by: systemctl status fapolicy
2. Run the crun command: crun
3. Observe that crun cannot run while fapolicyd is enabled
4. View attachment for additional information

Actual results:
Running crun is disabled when fapolicyd is enabled

Expected results:
Running crun should be successful when fapolicyd is enabled

Additional info:
View attached screenshot to view additional information

Comment 1 Radovan Sroka 2023-01-02 12:20:12 UTC

fapolicyd is blocking direct ld.so execution with ld_so pattern. 
crun 

I think workaround would be about adding a rule before pattern that allows crun from following deny:

rule=5 dec=deny_audit perm=execute auid=0 pid=5043 exe=/usr/bin/crun : path=/usr/lib64/ld-linux-x86-64.so.2 ftype=application/x-sharedlib trust=1


Long term solution could be something like exception list.

Note You need to log in before you can comment on or make changes to this bug.