Bug 2157835 - rpm-plugin-ima tried to add IMA signature to directories (for efi-filesystem, nfs-utils)
Summary: rpm-plugin-ima tried to add IMA signature to directories (for efi-filesystem,...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rpm
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Packaging Maintenance Team
QA Contact: Jan Blazek
URL:
Whiteboard:
Duplicates: 2209135
Depends On:
Blocks:
Reported: 2023-01-03 07:24 UTC by Coiby
Modified: 2023-11-07 11:24 UTC (History)
CC List: 5 users

Fixed In Version: rpm-4.16.1.3-23.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Flags: pm-rhel: mirror+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-143521 0 None None None 2023-01-03 07:25:23 UTC
Red Hat Product Errata RHBA-2023:6623 0 None None None 2023-11-07 08:52:59 UTC

Description Coiby 2023-01-03 07:24:48 UTC
Description of problem:

After installing rpm-plugin-ima, nfs-utils and efi-filesystem fail to be reinstalled/upgraded:

    $ dnf install nfs-utils
      Upgrading        : nfs-utils-1:2.5.4-17.el9.x86_64    1/2
    error: ima: could not apply signature on '/var/lib/nfs/rpc_pipefs': Operation not supported
    error: Plugin ima: hook fsm_file_prepare failed

    Error unpacking rpm package nfs-utils-1:2.5.4-17.el9.x86_64
      Verifying        : nfs-utils-1:2.5.4-17.el9.x86_64    1/2
      Verifying        : nfs-utils-1:2.5.4-16.el9.x86_64    2/2

    Error: Transaction failed

    $ dnf reinstall efi-filesystem -y

    error: ima: could not apply signature on '/boot/efi': Operation not supported
    error: Plugin ima: hook fsm_file_prepare failed

    Error unpacking rpm package efi-filesystem-6-2.el9_0.noarch
      Verifying        : efi-filesystem-6-2.el9_0.noarch    1/2
      Verifying        : efi-filesystem-6-2.el9_0.noarch    2/2

    Error: Transaction failed

Version-Release number of selected component (if applicable):

rpm-plugin-ima-4.16.1.3-22.el9

How reproducible:
always

Steps to Reproduce:
1. Install RHEL9 or use cloud image e.g. rhel-guest-image-9.2-20221205.2.x86_64.qcow2
2. dnf install rpm-plugin-ima
3. dnf install nfs-utils or dnf reinstall efi-filesystem

Actual results:

nfs-utils can't be upgraded and efi-filesystem can't be reinstalled.

Expected results:

nfs-utils and efi-filesystem can be upgraded/reinstalled, and reinstalled package files have IMA signatures.

Additional info:

Comment 1 Panu Matilainen 2023-01-03 08:27:21 UTC
Yup, ENOTSUPP needs to be filtered in the IMA plugin, similarly to what we do with selinux.

Comment 2 Coiby 2023-01-06 02:14:15 UTC
(In reply to Panu Matilainen from comment #1)
> Yup, ENOTSUPP needs to be filtered in the IMA plugin, similarly to what we
> do with selinux.

I don't know what ENOTSUPP means. I just noticed rpm-plugin-ima has successfully added signatures to other folders:
    [root@localhost ~]# getfattr -m security.ima -d /usr/lib/dracut
    # file: usr/lib/dracut
    security.ima=0sAwIE0zIESQBnMGUCMDOlu62KzrxD8Fb1iKqP0JQvJKS2cHH4SrkKncgClefQhsa5ogurUIuUTsXe9ZoQQAIxAOnIT2F8ZEEi2x3Y8pMeaZSMkz6/gwFptAaG065G9HzExkmwv5HBjuNImtqep2390A==
    
    [root@localhost ~]# getfattr -m security.ima -d /usr/bin
    # file: usr/bin
    security.ima=0sAwIE0zIESQBmMGQCMADWhM6S/RAmh37grWsMgfRtJEXQ6NHnn7tjn6x75tVaMBpJffTDuC3ZqvkHva222wIwZXoR/QDx7IjolZyzkaL2dkgey9M0D3GpHLMP2hmfSPgC284LQX6DYoLDLuElIzVu


But somehow /boot/efi and /var/lib/nfs/rpc_pipefs are special and can't have signatures added.

So I guess rpm-plugin-ima tries to add signatures to all folders. But there is no need to do so from the perspective of IMA, as folders are not supported:

    [root@localhost ~]# evmctl ima_verify /usr/lib/dracut/
    Unsupported file type (0x4000)

Comment 3 Panu Matilainen 2023-01-09 08:45:45 UTC
Oh so there are at least two bugs in here: EFI fs does not support extended attributes at all so we should ignore the "not supported" errors from the FS. But in addition, rpm is IMA-signing directories and trying to apply signatures to them on install, so actually that makes three bugs in total.

Comment 4 Florian Festi 2023-01-09 14:49:13 UTC
The first issue is fixed upstream with https://github.com/rpm-software-management/rpm/commit/7db2efa95d859cebda2b095ffdffac42812bd6d9 which should also mitigate the third issue.

On first glance it looks like upstream might still generate signatures for directories. But that's something we might not need to fix in RHEL if rpm is no longer failing when encountering them.

Comment 6 Coiby 2023-01-25 07:42:42 UTC
(In reply to Panu Matilainen from comment #3)
> Oh so there are at least two bugs in here: EFI fs does not support extended
> attributes at all

Besides EFI fs, rpc_pipefs (pipe file system) doesn't support xattrs either.

> so we should ignore the "not supported" errors from the
> FS. 

Yeah, I checked the kernel source code and can confirm it returns ENOTSUPP for those not supported cases.

> But in addition, rpm is IMA-signing directories and trying to apply
> signatures to them on install, so actually that makes three bugs in total.

Yes, this is a different issue. And filtering ENOTSUPP doesn't work for this case.
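Added example, not rpm's own code and not from any of the commenters: a Python stand-in for the two checks that comments 3 and 6 ask for in the plugin's fsm_file_prepare hook, plus an audit you can run after the fixed rpm has reinstalled a package to see which regular files actually carry security.ima. The function names (apply_ima_signature, is_fatal_xattr_error, fake_setxattr, audit_ima_coverage) and the signature bytes are assumed for illustration; the real plugin is C and takes each file's signature from the package header. It makes the independence of the two bugs concrete: skipping directories alone would silence both error lines in the report (/boot/efi and /var/lib/nfs/rpc_pipefs are both directories) but would still fail on regular files that land on an xattr-less filesystem such as the vfat EFI system partition, while tolerating only the "not supported" error would keep writing useless signatures onto directories that do accept xattrs. From userspace the failure arrives as EOPNOTSUPP, which strerror() renders as "Operation not supported", the text in the reported errors.

```python
#!/usr/bin/env python3
"""Stand-in for the fixed IMA plugin policy, plus a coverage audit.

Added example for bug 2157835; not rpm's own code. The real plugin is C
and reads each file's signature from the package header; here the
function names and signature bytes are illustrative.
"""
import errno
import os
import stat
import sys
import tempfile
from collections import defaultdict

# setxattr() on a filesystem without xattr support (vfat on /boot/efi,
# rpc_pipefs under /var/lib/nfs) fails with EOPNOTSUPP, which strerror()
# renders as "Operation not supported", the text in the reported errors.
# ENOTSUP and EOPNOTSUPP share a value on Linux; both are listed for clarity.
UNSUPPORTED_ERRNOS = frozenset({errno.ENOTSUP, errno.EOPNOTSUPP})


def is_fatal_xattr_error(err):
    """True if a setxattr() errno should still abort the package install."""
    return err not in UNSUPPORTED_ERRNOS


def apply_ima_signature(path, signature, setxattr=os.setxattr):
    """Attach `signature` to `path` as security.ima, with both fixes applied.

    Returns "applied", "skipped-not-regular" or "skipped-unsupported".
    Any other setxattr() failure is re-raised so the caller aborts the
    install, as the plugin does today. `setxattr` is injectable so the
    policy can be exercised without root (security.* needs CAP_SYS_ADMIN).
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # Second issue: IMA appraises regular files only (evmctl reports
        # "Unsupported file type (0x4000)" for a directory); nothing to apply.
        return "skipped-not-regular"
    try:
        setxattr(path, "security.ima", signature, 0, follow_symlinks=False)
    except OSError as e:
        # First issue: a filesystem that cannot hold the xattr is not an error.
        if is_fatal_xattr_error(e.errno):
            raise
        return "skipped-unsupported"
    return "applied"


def fake_setxattr(err):
    """A setxattr() stand-in that always fails with errno `err` (for demos)."""
    def _setxattr(path, name, value, flags=0, *, follow_symlinks=True):
        raise OSError(err, os.strerror(err), path)
    return _setxattr


def audit_ima_coverage(root):
    """Walk `root`; bucket regular files as signed / unsigned / unsupported."""
    report = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(p).st_mode):
                continue  # symlinks, pipes, sockets are never IMA-signed
            try:
                names = os.listxattr(p, follow_symlinks=False)
            except OSError as e:
                if is_fatal_xattr_error(e.errno):
                    raise
                report["unsupported"].append(p)
                continue
            report["signed" if "security.ima" in names else "unsigned"].append(p)
    return dict(report)


def main(argv):
    if len(argv) > 1:
        # e.g. `python3 ima_check.py /usr/bin` after reinstalling a package
        for bucket, paths in sorted(audit_ima_coverage(argv[1]).items()):
            print(f"{bucket}: {len(paths)} file(s)")
        return
    # No argument: constructed demo tree, placeholder signature, fake failures.
    with tempfile.TemporaryDirectory() as root:
        esp_dir = os.path.join(root, "boot-efi")  # stands in for /boot/efi
        os.mkdir(esp_dir)
        shim = os.path.join(esp_dir, "shimx64.efi")
        with open(shim, "wb") as fh:
            fh.write(b"MZ")
        print("directory  :", apply_ima_signature(esp_dir, b"sig"))
        print("file on ESP:", apply_ima_signature(
            shim, b"sig", setxattr=fake_setxattr(errno.EOPNOTSUPP)))
        try:
            apply_ima_signature(shim, b"sig", setxattr=fake_setxattr(errno.EIO))
        except OSError as e:
            print("other error: re-raised,", e.strerror)
        print("audit      :", {k: len(v) for k, v in audit_ima_coverage(root).items()})


if __name__ == "__main__":
    main(sys.argv)
```

With a directory argument it only audits, so it can be pointed at /usr/bin or at a package's file list on a host running rpm-4.16.1.3-23.el9 to confirm that regular files came back signed and that directories were left alone; with no argument it walks a constructed temporary tree using the fake setxattr, so it runs unprivileged and offline.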

Comment 7 Coiby 2023-01-25 07:47:28 UTC
(In reply to Florian Festi from comment #4)
> The first issue is fixed upstream with
> https://github.com/rpm-software-management/rpm/commit/
> 7db2efa95d859cebda2b095ffdffac42812bd6d9 which should also mitigate the
> third issue.

Good to know that!

> 
> On first glance it looks like upstream might still generate signatures for
> directories. But that's something we might not need to fix in RHEL if rpm is
> no longer failing when encountering them.

Btw, I'm not sure you mean Fedora when you say upstream. But unfortunately Fedora package files currently don't have IMA signatures after installing rpm-plugin-ima (https://bugzilla.redhat.com/show_bug.cgi?id=2076296#c4). Will EPEL package files have IMA signatures after bz2076296 gets truly resolved?

Comment 8 Florian Festi 2023-01-25 12:02:17 UTC
Upstream in this case means RPM upstream. But the patch is in the rpm-4.18 release already and as such part of Fedora 37.

Comment 15 Yongcheng Yang 2023-05-24 08:35:36 UTC
*** Bug 2209135 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2023-11-07 08:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rpm bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6623

