Bug 2245935 - Selinux denial when using disk re-encryption with FDO
Summary: Selinux denial when using disk re-encryption with FDO
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-10-24 16:13 UTC by Paul Whalen
Modified: 2023-11-21 02:48 UTC (History)

Fixed In Version: selinux-policy-39.2-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-21 02:48:56 UTC
Type: ---
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1926 0 None open Allow fido-device-onboard (FDO) read the crack database 2023-11-02 16:52:34 UTC

Description Paul Whalen 2023-10-24 16:13:21 UTC
When attempting to use fido-device-onboard(FDO) in Fedora 38/39, disk re-encryption fails with:

Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:  2023-10-19T16:21:58.175Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Oct 19 16:21:58 fedora-39-iot-custom audit[1488]: AVC avc:  denied  { search } for  pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Oct 19 16:21:58 fedora-39-iot-custom audit[1488]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d8e1000 a2=0 a3=0 items=0 ppid=1477 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:>
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:  2023-10-19T16:21:58.256Z ERROR fdo_client_linuxapp              > ServiceInfo failed, error: Error processing returned serviceinfo
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: Caused by:
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:     0: Error executing clevis
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:     1: Error executing disk encryption for disk label /dev/vda3
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:     2: Error rebinding clevis
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:     3: Error binding clevis
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:     4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        Error: Password generation failed - required entropy too low for settings
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        Unable to generate a new key
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        Error adding new binding to /dev/vda3
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:        
Oct 19 16:21:58 fedora-39-iot-custom kernel: audit: type=1400 audit(1697732518.253:194): avc:  denied  { search } for  pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Oct 19 16:21:58 fedora-39-iot-custom kernel: audit: type=1300 audit(1697732518.253:194): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d8e1000 a2=0 a3=0 items=0 ppid=1477 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe=">



Reproducible: Always

Steps to Reproduce:
1. Create a simplified-installer including clevis disk re-encryption.
2. Install the new system; on reboot, disk re-encryption fails.

Comment 1 Peter Robinson 2023-10-24 18:49:49 UTC
So looking at that log and breaking it down a little it looks like FDO, possibly through clevis, calls /usr/bin/pwmake (part of libpwquality) which links to libcrack which accesses the dictionaries.

I wonder if we can break this issue down a little more and work out the exact way the binaries are called, and if it's pwmake being selinux denied on its own, or fdo/clevis's access to call pwmake etc.

Comment 2 Zdenek Pytela 2023-11-02 16:44:23 UTC
Can you please try to reproduce with the following local module?
# cat local_fdo_crackdb.cil
(allow fdo_t crack_db_t (dir (getattr search open)))
(allow fdo_t crack_db_t (file (getattr open read ioctl lock)))

# semodule -i local_fdo_crackdb.cil

Comment 3 Zdenek Pytela 2023-11-02 16:49:15 UTC
pwmake is not SELinux confined, so it runs in the caller domain

f39# ls -lZ /usr/bin/pwmake
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 15912 Jul 19 20:00 /usr/bin/pwmake
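The AVC record in the description and the CIL module in comment 2 are connected by a routine step that audit2allow automates: read the denied permissions, the source type (here `fdo_t`, because, as comment 3 notes, unconfined pwmake inherits its caller's domain), the target type and the object class, and emit a matching `allow` rule. The following Python is an added example, not code from the bug report, selinux-policy or FDO. It parses both the `audit[...]: AVC` and `kernel: audit: type=1400` journal forms shown above, merges denials into one CIL rule per (source, target, class) triple, and checks whether a given module grants everything the denials asked for. The `dir search` denial is copied from the log; the `file` denial for `pw_dict.pwd.gz` is constructed to show merging and is not in the report.

```python
"""Turn SELinux AVC denials into CIL allow rules and check them against a module.

Added example for this bug report; not part of selinux-policy, libpwquality or FDO.
The dir-class denial is copied from the journal excerpt in the report; the
file-class denial is constructed to show how several denials are merged.
"""
import re
from collections import defaultdict
from typing import Optional

# Copied from the journal excerpt in the bug report.
AVC_FROM_LOG = (
    'audit[1488]: AVC avc:  denied  { search } for  pid=1488 comm="pwmake" '
    'name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 '
    'tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0'
)
# Constructed (not from the report): the file-level denial pwmake would hit once
# the directory search is allowed and it opens the cracklib dictionary.
AVC_CONSTRUCTED_FILE = (
    'audit[1488]: AVC avc:  denied  { read open } for  pid=1488 comm="pwmake" '
    'name="pw_dict.pwd.gz" dev="dm-1" ino=164201 scontext=system_u:system_r:fdo_t:s0 '
    'tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=0'
)

# The local module from comment 2, verbatim.
LOCAL_MODULE_CIL = """
(allow fdo_t crack_db_t (dir (getattr search open)))
(allow fdo_t crack_db_t (file (getattr open read ioctl lock)))
"""

# Matches both "audit[pid]: AVC avc: denied ..." and "kernel: audit: type=1400 ... avc: denied ...".
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_CIL_ALLOW_RE = re.compile(r'\(allow\s+(\w+)\s+(\w+)\s+\((\w+)\s+\(([^)]*)\)\)\)')


def type_of(context: str) -> str:
    """Return the type field (third colon-separated component) of a security context."""
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC 'denied' record; return None for any other line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(2))}
    return {
        'perms': set(m.group(1).split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source': type_of(fields['scontext']),
        'target': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def to_cil(denials) -> list:
    """Merge denials by (source, target, class) and emit one CIL allow rule per triple."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def parse_cil_allows(cil_text: str) -> set:
    """Expand CIL allow rules into (source, target, class, permission) tuples."""
    allowed = set()
    for src, tgt, cls, perms in _CIL_ALLOW_RE.findall(cil_text):
        for perm in perms.split():
            allowed.add((src, tgt, cls, perm))
    return allowed


def uncovered(denials, cil_text: str) -> list:
    """List the (source, target, class, perm) needs that the module does not grant."""
    allowed = parse_cil_allows(cil_text)
    return [
        (d['source'], d['target'], d['tclass'], perm)
        for d in denials
        for perm in sorted(d['perms'])
        if (d['source'], d['target'], d['tclass'], perm) not in allowed
    ]


if __name__ == '__main__':
    denials = [parse_avc(AVC_FROM_LOG), parse_avc(AVC_CONSTRUCTED_FILE)]
    for rule in to_cil(denials):
        print(rule)
    print('not covered by comment-2 module:', uncovered(denials, LOCAL_MODULE_CIL))
```

Running it prints the minimal rules the two denials imply and an empty "not covered" list for the comment-2 module, which grants a superset (`getattr`, `open`, `ioctl`, `lock`) so that the next denial in the chain does not appear once the first is fixed. Dropping the `file` rule from the module reports the `open` and `read` needs as uncovered.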

Comment 4 Paul Whalen 2023-11-09 15:11:25 UTC
(In reply to Zdenek Pytela from comment #2)
> Can you please try to reproduce with the following local module?
> # cat local_fdo_crackdb.cil
> (allow fdo_t crack_db_t (dir (getattr search open)))
> (allow fdo_t crack_db_t (file (getattr open read ioctl lock)))
> 
> # semodule -i local_fdo_crackdb.cil

Thanks, Zdenek. Using that local module FDO re-encryption worked as expected.

Comment 5 Zdenek Pytela 2023-11-10 18:23:38 UTC
OK, merging the PR.

Comment 6 Fedora Update System 2023-11-15 09:19:05 UTC
FEDORA-2023-a2dacfbdcb has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2dacfbdcb

Comment 7 Fedora Update System 2023-11-16 04:13:25 UTC
FEDORA-2023-a2dacfbdcb has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a2dacfbdcb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2dacfbdcb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Yi He 2023-11-20 02:11:38 UTC
Verified this bug with build https://koji.fedoraproject.org/koji/buildinfo?buildID=2320649, fixed, the fdo re-encryption works as expected.

Comment 9 Paul Whalen 2023-11-20 14:34:28 UTC
Thanks again, Zdenek. Could we also get this added to Fedora 38?

Comment 10 Zdenek Pytela 2023-11-20 15:59:40 UTC
I can do that.
https://github.com/fedora-selinux/selinux-policy/pull/1944

Comment 11 Fedora Update System 2023-11-21 02:48:56 UTC
FEDORA-2023-a2dacfbdcb has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.
