2208162 – AVC denials caused by rebased pkcsslotd

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2208162 - AVC denials caused by rebased pkcsslotd

Summary: AVC denials caused by rebased pkcsslotd

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.9
Hardware:	Unspecified
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2159697
TreeView+	depends on / blocked

Reported:	2023-05-18 07:47 UTC by Karel Srot
Modified:	2023-11-14 17:57 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.14.3-121.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-11-14 15:47:52 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1707	None	open	Update pkcsslotd policy for sandboxing	2023-05-25 09:59:38 UTC
Red Hat Issue Tracker	RHELPLAN-157566	None	None	None	2023-05-18 07:50:56 UTC
Red Hat Product Errata	RHBA-2023:7091	None	None	None	2023-11-14 15:48:09 UTC

Description Karel Srot 2023-05-18 07:47:29 UTC

Description of problem:

In bug 2159697 we are rebasing opencryptoki for RHEL-8.9 to the latest version.
However, this updated version is causing some AVC denials when trying to
unlink token related temporary files.

selinux-policy-3.14.3-120.el8.noarch
----
time->Wed May 17 09:21:26 2023
type=AVC msg=audit(1684329686.673:208): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.ep11tok" dev="tmpfs" ino=83543 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0
----
time->Wed May 17 09:21:26 2023
type=AVC msg=audit(1684329686.673:209): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.swtok" dev="tmpfs" ino=83541 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0
----
time->Wed May 17 09:21:26 2023
type=AVC msg=audit(1684329686.673:210): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.ccatok" dev="tmpfs" ino=83538 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0
----
time->Wed May 17 09:21:26 2023
type=AVC msg=audit(1684329686.673:211): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.lite" dev="tmpfs" ino=83536 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0
----
time->Wed May 17 09:21:26 2023
type=AVC msg=audit(1684329686.673:212): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.tpm.root" dev="tmpfs" ino=83524 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0

How reproducible:
always

Steps to Reproduce:
start pkcsslotd and initialize a token, basically any opencryptoki tests hits this issue

Actual results:
AVCs

Expected results:
No AVCs, actions permitted


Additional info:
We want to rebase opencryptoki also in RHEL-9.3 so most likely the same change would be needed there. We just don't have a build yet to have it confirmed.

Comment 2 Zdenek Pytela 2023-05-18 08:27:49 UTC

Karle,

It seems unusual systemd wants to handle tmpfs files.
Were there any related configuration changes made?
Did it start to happen right after the package update?
How does the triggering service look like?
Does RHEL 9 suffer from the same issue?

Comment 5 Karel Srot 2023-05-18 09:15:28 UTC

Hi Zdenek,
I think this is because now we are running pkcsslotd as a regular user and not root. This was accompanied with some unit file changes I guess. Could you please take a look at the service file inside opencryptoki-3.21.0-2.el8, maybe you find your answers there.

I did the same findings as Milos. Pasting here for completeness, although it is sort of duplicate.

# setenforce 0
# systemctl start pkcsslotd
# ausearch -m avc 
----
time->Thu May 18 05:05:03 2023
type=AVC msg=audit(1684400703.589:1104): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.swtok" dev="tmpfs" ino=42503 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=1
----
time->Thu May 18 05:05:08 2023
type=PROCTITLE msg=audit(1684400708.895:1105): proctitle="/usr/sbin/pkcsslotd"
type=PATH msg=audit(1684400708.895:1105): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=10411 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1684400708.895:1105): cwd="/"
type=EXECVE msg=audit(1684400708.895:1105): argc=1 a0="/usr/sbin/pkcsslotd"
type=SYSCALL msg=audit(1684400708.895:1105): arch=c000003e syscall=59 success=yes exit=0 a0=564d7765de10 a1=564d7765e570 a2=564d776179b0 a3=0 items=1 ppid=1 pid=10231 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pkcsslotd" exe="/usr/sbin/pkcsslotd" subj=system_u:system_r:pkcs_slotd_t:s0 key=(null)
type=AVC msg=audit(1684400708.895:1105): avc:  denied  { nnp_transition } for  pid=10231 comm="(kcsslotd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process2 permissive=1
----
time->Thu May 18 05:05:08 2023
type=PROCTITLE msg=audit(1684400708.910:1106): proctitle="/usr/sbin/pkcsslotd"
type=CAPSET msg=audit(1684400708.910:1106): pid=10231 cap_pi=0 cap_pp=0 cap_pe=0 cap_pa=0
type=SYSCALL msg=audit(1684400708.910:1106): arch=c000003e syscall=126 success=yes exit=0 a0=55adee3d7774 a1=55adee3d777c a2=55adee3d777c a3=0 items=0 ppid=1 pid=10231 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pkcsslotd" exe="/usr/sbin/pkcsslotd" subj=system_u:system_r:pkcs_slotd_t:s0 key=(null)
type=AVC msg=audit(1684400708.910:1106): avc:  denied  { setcap } for  pid=10231 comm="pkcsslotd" scontext=system_u:system_r:pkcs_slotd_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process permissive=1

In permissive pkcsslotd is running as 
# ps -eZ | grep pkcsslotd
system_u:system_r:pkcs_slotd_t:s0 10232 ?        00:00:00 pkcsslotd
while in enforcing it is 
# ps -eZ | grep pkcsslotd
system_u:system_r:init_t:s0       10254 ?        00:00:00 pkcsslotd

With pkcsslotd running in the proper domain (in permissive) I didn't see AVCs reported in the original bug description.

Comment 6 Karel Srot 2023-05-18 09:16:58 UTC

So I guess it is actually the transition that's needs to be fixed/allowed.

Comment 10 Zdenek Pytela 2023-05-18 15:42:10 UTC

I took a bit deeper dive, here are my findings, feel free to correct me if I am wrong.

The pkcslotd service unit in the updated opencrcyptoki package utilizes numerous systemd features for sandboxing and securing. In particular, these directives require being backed by selinux-policy:

NoNewPrivileges=yes
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
User=pkcsslotd
RemoveIPC=yes

This module helped me (no tmpfs in my case, but my scenario may be incomplete):
(allow init_t pkcs_slotd_t (process2 (nnp_transition)))
(allow pkcs_slotd_t pkcs_slotd_t (process (setcap)))
(allow init_t pkcs_slotd_t (shm (destroy)))
1. To start the service in the correct domain
2. To start the service successfully, yet report problems
3. To start and stop the service without any issue

The cleanup is made by systemd (PID 1). Depending on which features were actually used, init_t needs to be able to
- remove shared memory files (*_tmpfs_t)
- remove semaphores
- remove msgq

My secondary finding is that pkcsslotd is probably the first service which uses some of the User/Group/DynamicUser/RemoveIPC settings and at the same time uses IPC objects which remain present after the service stops. First one in RHEL 8, RHEL 9, and even Fedora.

RemoveIPC=

    Takes a boolean parameter. If set, all System V and POSIX IPC objects owned by the user and group the processes of this unit are run as are removed when the unit is stopped. This setting only has an effect if at least one of User=, Group= and DynamicUser= are used. It has no effect on IPC objects owned by the root user. Specifically, this removes System V semaphores, as well as System V and POSIX shared memory segments and message queues. If multiple units use the same user or group the IPC objects are removed when the last of these units is stopped. This setting is implied if DynamicUser= is set.

NoNewPrivileges=

    Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when DynamicUser=, LockPersonality=, MemoryDenyWriteExecute=, PrivateDevices=, ProtectClock=, ProtectHostname=, ProtectKernelLogs=, ProtectKernelModules=, ProtectKernelTunables=, RestrictAddressFamilies=, RestrictNamespaces=, RestrictRealtime=, RestrictSUIDSGID=, SystemCallArchitectures=, SystemCallFilter=, or SystemCallLog= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. In case the service will be run in a new mount namespace anyway and SELinux is disabled, all file systems are mounted with MS_NOSUID flag. Also see No New Privileges Flag.

Comment 11 Karel Srot 2023-05-23 07:42:43 UTC

FYI, I have copied the bug for RHEL-9 as bug 2209235.

Comment 12 Zdenek Pytela 2023-05-23 18:46:52 UTC

I haven't managed to catch the denials with pkcs_slotd_tmpfs_t as reported, this is the needed policy:

(allow pkcs_slotd_t pkcs_slotd_t (capability (setgid setuid)))
(allow pkcs_slotd_t self (process (setcap)))
(allow init_t pkcs_slotd_t (process2 (nnp_transition)))
(allow init_t pkcs_slotd_t (shm (destroy)))
(filecon "/var/run/opencryptoki(/.*)?" any (system_u object_r pkcs_slotd_var_run_t ((s0) (s0))))

Karle,
Do you know which particular action triggers creating and removing the files like /dev/shm/var.lib.opencryptoki.lite, or if there is any other setup change needed?

Comment 13 Karel Srot 2023-05-24 06:58:57 UTC

(In reply to Zdenek Pytela from comment #12)
> I haven't managed to catch the denials with pkcs_slotd_tmpfs_t as reported,

Me neither (in permissive). Looking at the timestamp, I guess that comes from enforcing mode that was enabled earlier and I have accidentally copied it.

Comment 15 Zdenek Pytela 2023-05-25 09:07:12 UTC

(In reply to Karel Srot from comment #13)
> (In reply to Zdenek Pytela from comment #12)
> > I haven't managed to catch the denials with pkcs_slotd_tmpfs_t as reported,
> 
> Me neither (in permissive). Looking at the timestamp, I guess that comes
> from enforcing mode that was enabled earlier and I have accidentally copied
> it.

It does not matter from when the denials are, just need to know how it reproduces.
Allowing the shm-related denials makes sense, but I am unable to get to them with any combination of policy and opencryptoki, updated in different order etc.

Comment 16 Karel Srot 2023-05-25 10:03:44 UTC

It seems to be done because of the clean up I am doing between tests

# systemctl stop pkcsslotd
# find /var/lib/opencryptoki/ -type f -exec rm {} \; 
# rm -f /dev/shm/var.lib.opencryptoki.*
# systemctl start pkcsslotd
# ausearch -m avc -ts recent
----
time->Thu May 25 06:01:50 2023
type=AVC msg=audit(1685008910.761:321): avc:  denied  { unlink } for  pid=1 comm="systemd" name="var.lib.opencryptoki.swtok" dev="tmpfs" ino=39400 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pkcs_slotd_tmpfs_t:s0 tclass=file permissive=0
----
time->Thu May 25 06:02:11 2023
type=PROCTITLE msg=audit(1685008931.677:322): proctitle="/usr/sbin/pkcsslotd"
type=PATH msg=audit(1685008931.677:322): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=10411 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1685008931.677:322): cwd="/"
type=EXECVE msg=audit(1685008931.677:322): argc=1 a0="/usr/sbin/pkcsslotd"
type=SYSCALL msg=audit(1685008931.677:322): arch=c000003e syscall=59 success=yes exit=0 a0=56334e4cc070 a1=56334e41f480 a2=56334e559f30 a3=0 items=1 ppid=1 pid=6324 auid=4294967295 uid=994 gid=991 euid=994 suid=994 fsuid=994 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pkcsslotd" exe="/usr/sbin/pkcsslotd" subj=system_u:system_r:init_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1685008931.677:322): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:pkcs_slotd_t:s0
type=AVC msg=audit(1685008931.677:322): avc:  denied  { nnp_transition } for  pid=6324 comm="(kcsslotd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pkcs_slotd_t:s0 tclass=process2 permissive=0

Comment 17 Zdenek Pytela 2023-05-25 13:27:48 UTC

This permission is required in cases a token was initialized:
(allow init_t pkcs_slotd_tmpfs_t (file (unlink)))

I just dont understand why any IPC means are removed on the service *start* while it should be on stopping with RemoveIPC in place.

One more required for the update of a running service:
(allow pkcs_slotd_t pkcs_slotd_exec_t (file (execute_no_trans)))
which looks like reexec, but it was not sufficient and actually the service restart was needed - perhaps there will be some other adjustment needed on opencryptoki side?

# systemctl status pkcsslotd -l
● pkcsslotd.service - Daemon which manages cryptographic hardware tokens for the openCryptoki package
   Loaded: loaded (/usr/lib/systemd/system/pkcsslotd.service; disabled; vendor preset: disabled)
   Active: failed (Result: timeout) since Thu 2023-05-25 09:24:48 EDT; 1min 33s ago
 Main PID: 9321 (code=exited, status=0/SUCCESS)

May 25 09:23:18 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: pkcsslotd.service: Succeeded.
May 25 09:23:18 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: Stopped Daemon which manages cryptographic hardware tokens for the openCryptoki package.
May 25 09:23:18 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: Starting Daemon which manages cryptographic hardware tokens for the openCryptoki package...
May 25 09:23:18 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: pkcsslotd.service: Can't open PID file /run/pkcsslotd.pid (yet?) after start: No such file or directory
May 25 09:24:48 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: pkcsslotd.service: start operation timed out. Terminating.
May 25 09:24:48 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: pkcsslotd.service: Failed with result 'timeout'.
May 25 09:24:48 ci-vm-10-0-139-159.hosted.upshift.rdu2.redhat.com systemd[1]: Failed to start Daemon which manages cryptographic hardware tokens for the openCryptoki package.

So the complete policy now looks like this:

(filecon "/var/run/opencryptoki(/.*)?" any (system_u object_r pkcs_slotd_var_run_t ((s0) (s0))))
(allow pkcs_slotd_t pkcs_slotd_t (capability (setgid setuid)))
(allow pkcs_slotd_t pkcs_slotd_t (process (setcap)))
(allow pkcs_slotd_t pkcs_slotd_exec_t (file (execute_no_trans)))
(allow init_t pkcs_slotd_t (process2 (nnp_transition)))
(allow init_t pkcs_slotd_t (shm (destroy)))
(allow init_t pkcs_slotd_tmpfs_t (file (unlink)))
(allow httpd_t httpd_t (capability (ipc_owner)))

Comment 27 errata-xmlrpc 2023-11-14 15:47:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7091

Note You need to log in before you can comment on or make changes to this bug.