Bug 2259679 - selinux-policy denies colord access to its database - name="mapping.db" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Depends On:
Blocks:
 
Reported: 2024-01-22 17:44 UTC by Adam Williamson
Modified: 2024-01-29 16:24 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-01-25 11:23:49 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 2006 0 None open Allow init_t nnp domain transition to policykit_t 2024-01-23 09:02:00 UTC

Description Adam Williamson 2024-01-22 17:44:32 UTC
In openQA testing, colord-1.4.7-1.fc40 failed due to its service (colord.service) failing to start up. The journal shows this:

Jan 22 09:23:44 fedora systemd[1]: Starting colord.service - Manage, Install and Generate Color Profiles...
Jan 22 09:23:44 fedora audit[1159]: AVC avc:  denied  { nnp_transition } for  pid=1159 comm="(colord)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=0
Jan 22 09:23:44 fedora audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:colord_t:s0
Jan 22 09:23:44 fedora audit[1159]: AVC avc:  denied  { read write } for  pid=1159 comm="colord" name="mapping.db" dev="vda3" ino=170631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
Jan 22 09:23:44 fedora audit[1159]: AVC avc:  denied  { read } for  pid=1159 comm="colord" name="mapping.db" dev="vda3" ino=170631 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
Jan 22 09:23:44 fedora colord[1159]: CdMain: failed to load mapping database: Can't open database: unable to open database file
Jan 22 09:23:44 fedora systemd[1]: colord.service: Main process exited, code=exited, status=1/FAILURE
Jan 22 09:23:44 fedora systemd[1]: colord.service: Failed with result 'exit-code'.
Jan 22 09:23:44 fedora systemd[1]: Failed to start colord.service - Manage, Install and Generate Color Profiles.

i.e. it's failing because it can't open its database due to an SELinux denial. Assigning to selinux-policy for now but we can move it to colord if this is a colord bug.

Comment 1 Adam Williamson 2024-01-22 17:45:21 UTC
Note the update is gated by the failed test so the issue isn't reproducible in regular Rawhide. You'd have to install the update manually to test. https://koji.fedoraproject.org/koji/search?terms=colord-1.4.7-1.fc40&type=build&match=exact

Comment 2 Milos Malik 2024-01-23 09:56:50 UTC
The following SELinux denials appear in enforcing mode:
----
type=PROCTITLE msg=audit(01/23/2024 04:54:50.985:586) : proctitle=/usr/libexec/colord 
type=PATH msg=audit(01/23/2024 04:54:50.985:586) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139563 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/23/2024 04:54:50.985:586) : item=0 name=/usr/libexec/colord inode=203766 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:colord_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/23/2024 04:54:50.985:586) : cwd=/ 
type=EXECVE msg=audit(01/23/2024 04:54:50.985:586) : argc=1 a0=/usr/libexec/colord 
type=SYSCALL msg=audit(01/23/2024 04:54:50.985:586) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55f24d7b4100 a1=0x55f24d7aaf30 a2=0x55f24c9b0f60 a3=0x55f24d7aae40 items=2 ppid=1 pid=1844 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:init_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(01/23/2024 04:54:50.985:586) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:colord_t:s0 
type=AVC msg=audit(01/23/2024 04:54:50.985:586) : avc:  denied  { nnp_transition } for  pid=1844 comm=(colord) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=0 
----
type=PROCTITLE msg=audit(01/23/2024 04:54:50.989:587) : proctitle=/usr/libexec/colord 
type=PATH msg=audit(01/23/2024 04:54:50.989:587) : item=1 name=/var/lib/colord/mapping.db inode=262269 dev=fc:02 mode=file,644 ouid=colord ogid=colord rdev=00:00 obj=system_u:object_r:colord_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/23/2024 04:54:50.989:587) : item=0 name=/var/lib/colord/ inode=262265 dev=fc:02 mode=dir,755 ouid=colord ogid=colord rdev=00:00 obj=system_u:object_r:colord_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/23/2024 04:54:50.989:587) : cwd=/ 
type=SYSCALL msg=audit(01/23/2024 04:54:50.989:587) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x562d1647b02c a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=2 ppid=1 pid=1844 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(01/23/2024 04:54:50.989:587) : avc:  denied  { read write } for  pid=1844 comm=colord name=mapping.db dev="vda2" ino=262269 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(01/23/2024 04:54:50.990:588) : proctitle=/usr/libexec/colord 
type=PATH msg=audit(01/23/2024 04:54:50.990:588) : item=0 name=/var/lib/colord/mapping.db inode=262269 dev=fc:02 mode=file,644 ouid=colord ogid=colord rdev=00:00 obj=system_u:object_r:colord_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/23/2024 04:54:50.990:588) : cwd=/ 
type=SYSCALL msg=audit(01/23/2024 04:54:50.990:588) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x562d1647b02c a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1844 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(01/23/2024 04:54:50.990:588) : avc:  denied  { read } for  pid=1844 comm=colord name=mapping.db dev="vda2" ino=262269 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0 
----

The denials appear after upgrade to the 1.4.7-1.fc40 version and restart of the colord service.

Comment 3 Milos Malik 2024-01-23 09:59:29 UTC
The following SELinux denial appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/23/2024 04:58:21.754:592) : proctitle=/usr/libexec/colord 
type=PATH msg=audit(01/23/2024 04:58:21.754:592) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139563 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/23/2024 04:58:21.754:592) : item=0 name=/usr/libexec/colord inode=203766 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:colord_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/23/2024 04:58:21.754:592) : cwd=/ 
type=EXECVE msg=audit(01/23/2024 04:58:21.754:592) : argc=1 a0=/usr/libexec/colord 
type=SYSCALL msg=audit(01/23/2024 04:58:21.754:592) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55909e052b20 a1=0x55909e052a90 a2=0x55909d259020 a3=0x55909e05ff00 items=2 ppid=1 pid=1864 auid=unset uid=colord gid=colord euid=colord suid=colord fsuid=colord egid=colord sgid=colord fsgid=colord tty=(none) ses=unset comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0 key=(null) 
type=AVC msg=audit(01/23/2024 04:58:21.754:592) : avc:  denied  { nnp_transition } for  pid=1864 comm=(colord) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=1 
----

Comment 4 Milos Malik 2024-01-23 10:02:47 UTC
# rpm -qa | grep color
color-filesystem-1-31.fc39.noarch
colord-libs-1.4.7-1.fc40.x86_64
colord-1.4.7-1.fc40.x86_64
# grep -i nonew /usr/lib/systemd/system/colord.service 
NoNewPrivileges=true
#

Comment 5 Adam Williamson 2024-01-23 16:32:15 UTC
NoNewPrivileges=true was added in https://github.com/hughsie/colord/commit/d7352455075f6a6eb32e7d256dadb436cbd15ae8 . Is it a problem? hughsie is already CCed.

Comment 6 Zdenek Pytela 2024-01-23 16:49:47 UTC
(In reply to Adam Williamson from comment #5)
> NoNewPrivileges=true was added in
> https://github.com/hughsie/colord/commit/
> d7352455075f6a6eb32e7d256dadb436cbd15ae8 . Is it a problem? hughsie is
> already CCed.

Not a problem, it just needs an explicit rule; the PR which adds it is already on GitHub. We expect more reports like this given https://discussion.fedoraproject.org/t/f40-change-proposal-systemd-security-hardening-system-wide/96423
PrivateTmp is another example.
We will try to find a generic solution.
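Triage helper for the failure mode discussed in comments 2 through 6: a refused nnp_transition leaves the daemon running in init_t, and the later file denials are symptoms of that single root cause. This is an added example, not code from the report or from selinux-policy; the sample lines are constructed from the AVC records in comment 2, and the interface name in the comment is from memory rather than from this page.

```python
import re

# Constructed sample: three AVC lines abridged from comment 2 of this report.
SAMPLE = """\
type=AVC msg=audit(01/23/2024 04:54:50.985:586) : avc:  denied  { nnp_transition } for  pid=1844 comm=(colord) scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:colord_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(01/23/2024 04:54:50.989:587) : avc:  denied  { read write } for  pid=1844 comm=colord name=mapping.db dev="vda2" ino=262269 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/23/2024 04:54:50.990:588) : avc:  denied  { read } for  pid=1844 comm=colord name=mapping.db dev="vda2" ino=262269 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=0
"""

# Fields that matter from one "avc: denied" record: permissions, pid,
# source domain, target type and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+).*?"
    r"scontext=\S+?:(?P<sdom>\w+):s0.*?tcontext=\S+?:(?P<ttype>\w+):s0.*?tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Return one dict per AVC denial line; other audit record types are skipped."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["perms"] = rec["perms"].split()
            found.append(rec)
    return found

def failed_nnp_transitions(avcs):
    """pid -> (domain the process stayed in, domain it should have entered)."""
    return {a["pid"]: (a["sdom"], a["ttype"]) for a in avcs
            if a["tclass"] == "process2" and "nnp_transition" in a["perms"]}

def triage(text):
    """Split denials into root causes (refused nnp transitions) and their symptoms.
    A process denied nnp_transition keeps running in the source domain, so any later
    denial for the same pid from that domain is a consequence, not a separate gap."""
    avcs = parse_avcs(text)
    causes = failed_nnp_transitions(avcs)
    symptoms = [a for a in avcs if a["tclass"] != "process2"
                and a["pid"] in causes and a["sdom"] == causes[a["pid"]][0]]
    return causes, symptoms

def suggested_rule(src, dst):
    """Raw TE rule permitting the transition under NoNewPrivileges=true. Assumption:
    Fedora's policy wraps this in an init.if interface (init_nnp_daemon_domain, as I
    recall it) rather than using a bare allow rule; the PR linked above does the same."""
    return f"allow {src} {dst}:process2 nnp_transition;"

if __name__ == "__main__":
    causes, symptoms = triage(SAMPLE)
    for pid, (src, dst) in causes.items():
        print(f"pid {pid}: stuck in {src}, wanted {dst}; {len(symptoms)} follow-on denial(s)")
        print("  candidate fix:", suggested_rule(src, dst))
```

Feed it the output of `ausearch -m AVC` and it separates the one transition denial worth fixing from the file denials that disappear once the transition is allowed.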

Comment 7 Milos Malik 2024-01-29 16:24:51 UTC
Test coverage for this bug exists in the form of a PR:
 * https://src.fedoraproject.org/tests/selinux/pull-request/467

The PR waits for a review.

