Bug 2228245 - Missing execute_no_trans policy for nut stack: upsmon -> upssched -> script > upsmon
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-01 19:58 UTC by Leon Fauster
Modified: 2023-08-12 04:22 UTC (History)

Fixed In Version: selinux-policy-38.24-1.fc38
Clone Of:
Environment:
Last Closed: 2023-08-12 04:22:55 UTC
Type: ---
Embargoed:
Links:
GitHub fedora-selinux/selinux-policy pull 1811 (open): Allow upsmon execute upsmon via a helper script (last updated 2023-08-02 09:03:58 UTC)

Description Leon Fauster 2023-08-01 19:58:56 UTC
NUT UPS monitor (upsmon) - executes helper (upssched) and that executes via custom script the monitor again (upsmon) 

This seems not to be allowed ->  denied { execute_no_trans }


As a temp solution we installed a semodule with

allow nut_upsmon_t nut_upsmon_exec_t:file execute_no_trans;

Should this be included? 

Reproducible: Always

Steps to Reproduce:
1. Install nut-client 
2. Configure the client (nut-monitor) to use upssched 
3. grep upssch /etc/ups/upsmon.conf
   NOTIFYCMD /usr/sbin/upssched
4. Configure upssched to use the custom script (e.g. /usr/bin/upssched-cmd)
5. Add to the custom script "/usr/sbin/upsmon -c fsd" to force a shutdown 

Actual Results:  
type=AVC msg=audit(1690760021.301:222): avc:  denied  { execute_no_trans } for  pid=2267 comm="upssched-handle" path="/usr/sbin/upsmon" dev="dm-0" ino=27404 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:nut_upsmon_exec_t:s0 tclass=file permissive=1


Expected Results:  
upsmon should be able to exec "upsmon -c fsd" via upssched + script chain to shut the system down.

From the nut docs: 
"upsmon starts as root and forks an unprivileged process which does the actual
monitoring over the network. When a shutdown is necessary, a single
character is sent to the privileged process. It then calls the predefined
shutdown command. "

Therefore the "/usr/sbin/upsmon -c fsd" command (fsd = force shutdown)
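
The denial above records a domain (nut_upsmon_t) executing a file labelled nut_upsmon_exec_t without a domain transition; the script spawned by upssched is still running as nut_upsmon_t when it execs /usr/sbin/upsmon, so the only missing permission is execute_no_trans. The workaround the reporter describes, turning that AVC record into a local module, is the general pattern for triaging such denials. The shell helpers below are an added example and are not part of the bug report or of the selinux-policy project: the first sample line is the AVC record quoted above, the second sample line (with the type name nut_conf_t) and the module name nut_local are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): derive the
# allow rule and a local policy module source from an AVC denial record.

# Constructed sample: the denial quoted in the report above, verbatim.
AVC_SAMPLE='type=AVC msg=audit(1690760021.301:222): avc:  denied  { execute_no_trans } for  pid=2267 comm="upssched-handle" path="/usr/sbin/upsmon" dev="dm-0" ino=27404 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:nut_upsmon_exec_t:s0 tclass=file permissive=1'

# Constructed sample with several permissions (the type name nut_conf_t is
# made up for illustration) to show that the helpers cope with a permission set.
AVC_MULTI='type=AVC msg=audit(1690760100.000:300): avc:  denied  { read open } for  pid=2300 comm="upsmon" path="/etc/ups/upsmon.conf" dev="dm-0" ino=1 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:nut_conf_t:s0 tclass=file permissive=1'

# avc_field LINE KEY: value of the KEY=value field in an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component (user:role:type:level -> type).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the space-separated permissions inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_to_allow LINE: the TE allow rule that would permit exactly this access.
avc_to_allow() {
    a_src=$(ctx_type "$(avc_field "$1" scontext)")
    a_tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    a_cls=$(avc_field "$1" tclass)
    a_perms=$(avc_perms "$1")
    case $a_perms in
        *' '*) printf 'allow %s %s:%s { %s };\n' "$a_src" "$a_tgt" "$a_cls" "$a_perms" ;;
        *)     printf 'allow %s %s:%s %s;\n' "$a_src" "$a_tgt" "$a_cls" "$a_perms" ;;
    esac
}

# avc_to_te NAME LINE: complete local policy module source (.te) for the rule.
avc_to_te() {
    t_src=$(ctx_type "$(avc_field "$2" scontext)")
    t_tgt=$(ctx_type "$(avc_field "$2" tcontext)")
    t_cls=$(avc_field "$2" tclass)
    t_perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n' "$t_src"
    # A self-referential rule (a domain acting on its own type) must not
    # declare the same type twice in the require block.
    [ "$t_src" = "$t_tgt" ] || printf '\ttype %s;\n' "$t_tgt"
    printf '\tclass %s { %s };\n}\n\n' "$t_cls" "$t_perms"
    avc_to_allow "$2"
}

# Stand-alone run: print the module the reporter loaded locally as a workaround.
avc_to_te nut_local "$AVC_SAMPLE"
```

Redirect the output to nut_local.te and build and load it with `checkmodule -M -m -o nut_local.mod nut_local.te`, `semodule_package -o nut_local.pp -m nut_local.mod` and `semodule -i nut_local.pp`. The `permissive=1` field in the sample shows the denial was only logged, not enforced, which is why the chain appeared to work while the reporter gathered the record. Once the fixed selinux-policy is installed, `sesearch -A -s nut_upsmon_t -t nut_upsmon_exec_t -c file -p execute_no_trans` should list the rule from the distribution policy, and the local module can be dropped with `semodule -r nut_local` so it does not mask future regressions.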

Comment 1 Fedora Update System 2023-08-07 07:04:37 UTC
FEDORA-2023-a79a6bdd37 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a79a6bdd37

Comment 2 Fedora Update System 2023-08-08 01:56:44 UTC
FEDORA-2023-a79a6bdd37 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a79a6bdd37`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a79a6bdd37

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2023-08-12 04:22:55 UTC
FEDORA-2023-a79a6bdd37 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

