Bug 2215454 - SELinux prevents file creation on overlays created by initramfs
Summary: SELinux prevents file creation on overlays created by initramfs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-06-16 05:15 UTC by Aidan Smith
Modified: 2023-07-18 01:24 UTC (History)

Fixed In Version: selinux-policy-38.21-1.fc38
Clone Of:
Environment:
Last Closed: 2023-07-18 01:24:23 UTC
Type: ---
Embargoed:




Links
System: Github
ID: fedora-selinux selinux-policy pull 1773
Private: 0
Priority: None
Status: open
Summary: Permit kernel_t to change the user identity in object contexts
Last Updated: 2023-07-03 08:58:51 UTC

Description Aidan Smith 2023-06-16 05:15:51 UTC
Since making the kernel_t domain confined, files/directories can no longer be created in an overlay merged root that was mounted by the initramfs.

Specifically, this commit introduced the behaviour: https://github.com/fedora-selinux/selinux-policy/commit/1e8688ea694393c9d918939322b72dfb44a01792
Attempting to do one of { create, relabelto, relabelfrom } on files/directories in a merged overlay results in denial messages like the following (e.g. using /usr/bin/touch to create a file):

    avc: denied { create } for pid=.... comm="touch" name="testfile" scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0

The output from audit2why for these denials is:

    Was caused by:
    #Constraint rule:
    #    constrain dir {create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-)
    #    Possible cause is the source user (system_u) and target user (unconfined_u) are different

When I add back the unconfined_domain_noaudit(kernel_t) optional policy the problem does not occur. Also, any overlay mounts created from the real root system do not exhibit this behaviour. For cases where the target file's user is also system_u, the issue does not occur.

For context, in the system where I encountered this problem I have custom dracut scripts that create copy-on-write overlays for read-only directories in the real root (i.e. the real root is a squashfs system). I can reproduce this on a regular Fedora 38 Workstation though. I suspect this issue stems from the switch-root happening between the initramfs and the real root, where systemd moves mounts over.

Reproducible: Always

Steps to Reproduce:
1. Include "overlay" module in initramfs
2. Boot with argument "rd.break=pre-pivot" to obtain shell in the initramfs before pivot-root occurs
3. Create overlay upper/work directories:
   mkdir /run/{fs,wk}
4. Mount an overlay over /sysroot/opt
   mount -t overlay -o lowerdir=/sysroot/opt,upperdir=/run/fs,workdir=/run/wk TEST /sysroot/opt
5. Exit the shell to continue booting
6. Once logged in, attempt to create a file in /opt
   touch /opt/testfile
7. Observe avc denial message in journal/audit.log
Actual Results:
SELinux denies creation of the file

Expected Results:
File is created

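As an added worked example (not code from the report, the reporter, or the selinux-policy project), the following Python script classifies AVC records like the one quoted above against the constraint that audit2why printed ("u1 == u2 or t1 == can_change_object_identity"), and models the fix from the linked pull request by treating kernel_t as a type carrying the can_change_object_identity attribute. The sample records are constructed (placeholder pids and audit timestamps); the report shows the constraint for dir, so the extra file classes in CONSTRAINED_CLASSES are an assumption taken from the reference policy's constraints file. The verdict "other" means the identity constraint is satisfied and the denial must be chased as a missing allow rule instead.

```python
import re
from dataclasses import dataclass

# Permissions and object classes covered by the user-identity constraint that
# audit2why quoted in the report. The report shows it for dir; the remaining
# file classes are an assumption based on the reference policy's constraints.
CONSTRAINED_PERMS = frozenset({"create", "relabelfrom", "relabelto"})
CONSTRAINED_CLASSES = frozenset({"dir", "file", "lnk_file", "sock_file",
                                 "fifo_file", "chr_file", "blk_file"})

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:level as printed in AVC records."""
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, text):
        # maxsplit=3 keeps an MLS range such as s0-s0:c0.c1023 in one piece
        parts = text.split(":", 3)
        if len(parts) != 4:
            raise ValueError(f"not a security context: {text!r}")
        return cls(*parts)


def parse_avc(line):
    """Split one 'avc: denied' record into its permission set and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return frozenset(m.group("perms").split()), fields


def diagnose(line, can_change_object_identity=frozenset()):
    """Classify one denial against the identity constraint.

    'identity-constraint': source and target users differ and the source type
                           lacks can_change_object_identity (the report's case)
    'not-constrained':     class or permission is outside the constraint
    'other':               constraint satisfied; look for a missing allow rule
    """
    perms, fields = parse_avc(line)
    src = Context.parse(fields["scontext"])
    tgt = Context.parse(fields["tcontext"])
    if fields.get("tclass") not in CONSTRAINED_CLASSES or not (perms & CONSTRAINED_PERMS):
        return "not-constrained"
    if src.user == tgt.user or src.type in can_change_object_identity:
        return "other"
    return "identity-constraint"


# Constructed sample records; pids and audit timestamps are placeholders.
# The first mirrors the denial quoted in the report.
SAMPLE_LOG = [
    'type=AVC msg=audit(1686892800.001:101): avc: denied { create } for pid=1234 comm="touch" '
    'name="testfile" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0',
    # Same operation against a file whose user is system_u: u1 == u2 holds.
    'type=AVC msg=audit(1686892800.002:102): avc: denied { create } for pid=1235 comm="touch" '
    'name="other" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    # A plain write denial is outside the constraint entirely.
    'type=AVC msg=audit(1686892800.003:103): avc: denied { write } for pid=1236 comm="touch" '
    'name="testfile" scontext=system_u:system_r:kernel_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0',
]


def summarize(lines, can_change_object_identity=frozenset()):
    """Count diagnoses over a batch of AVC records."""
    counts = {}
    for line in lines:
        verdict = diagnose(line, can_change_object_identity)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print("before fix:", summarize(SAMPLE_LOG))
    # Model the fix: kernel_t gains the can_change_object_identity attribute.
    print("after fix: ", summarize(SAMPLE_LOG, {"kernel_t"}))
```

Feeding real records (e.g. the output of `ausearch -m AVC`) line by line to diagnose() separates denials that the constraint fully explains from those needing an ordinary allow rule; re-running with the source type added to the attribute set shows which of them the pull request's change would clear.
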
Comment 1 Nikola Knazekova 2023-06-30 11:41:14 UTC
Ondrej,

can you please look at it?

Comment 2 Ondrej Mosnáček 2023-07-03 08:58:52 UTC
This should fix it:
https://github.com/fedora-selinux/selinux-policy/pull/1773

Comment 3 Aidan Smith 2023-07-11 03:49:07 UTC
I patched that change into a local policy, and it looks like it fixed the problem; thanks for that!

Comment 4 Fedora Update System 2023-07-14 11:59:47 UTC
FEDORA-2023-2663818afd has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd

Comment 5 Fedora Update System 2023-07-15 01:32:28 UTC
FEDORA-2023-2663818afd has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-2663818afd`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-2663818afd

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-07-18 01:24:23 UTC
FEDORA-2023-2663818afd has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.

