Missing rules for bootupd on Fedora CoreOS Rawhide #2362

Closed
HuijingHei opened this issue Sep 25, 2024 · 8 comments · Fixed by #2397 or #2435

Comments

@HuijingHei

On Fedora CoreOS using Rawhide (using selinux-policy-41.18-1.fc42.noarch), we get the following AVCs:

type=AVC msg=audit(1727251620.092:170): avc:  denied  { getattr } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:171): avc:  denied  { read } for  pid=1472 comm="bootupctl" name=".aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:172): avc:  denied  { open } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1

And

type=AVC msg=audit(1727251620.089:166): avc:  denied  { search } for  pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc:  denied  { read } for  pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:168): avc:  denied  { open } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:169): avc:  denied  { getattr } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

We use lsblk in coreos/bootupd#729

@travier
Contributor

travier commented Oct 8, 2024

@zpytela Gentle ping here. We would appreciate it if we could get that in Fedora 41. Thanks

@HuijingHei
Author

Hi @zpytela, could you help look at this at your convenience? We need this for Fedora 41. Thanks!

@travier
Contributor

travier commented Oct 21, 2024

I've filed: https://bugzilla.redhat.com/show_bug.cgi?id=2320395

@zpytela
Contributor

zpytela commented Oct 22, 2024

All the denials are audited with permissive=1, i.e., all syscalls are allowed. Which service does not work properly?
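To make the AVC records quoted in this issue and the point about permissive=1 concrete, here is an added triage helper (not code from the issue or from selinux-policy) that parses those records, merges them into the candidate allow rules a policy author would weigh, and counts how many denials were actually enforced. The sample input is constructed from the seven lines in this thread, and the key=value field order the regex relies on is an assumption about the audit format.

```python
import re
from collections import defaultdict

# Constructed sample input: the seven AVC records quoted in this issue.
SAMPLE_AVCS = """\
type=AVC msg=audit(1727251620.092:170): avc:  denied  { getattr } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:171): avc:  denied  { read } for  pid=1472 comm="bootupctl" name=".aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.092:172): avc:  denied  { open } for  pid=1472 comm="bootupctl" path="/sysroot/.aleph-version.json" dev="vda4" ino=132 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:166): avc:  denied  { search } for  pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc:  denied  { read } for  pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:168): avc:  denied  { open } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:169): avc:  denied  { getattr } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)(?:.*?\bpermissive=(?P<permissive>[01]))?')

def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    # A context is user:role:type:level; policy rules name the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["permissive"] = rec["permissive"] == "1"  # logged, not blocked
    return rec

def summarize(lines):
    """Merge denials per (source type, target type, class); count enforced ones."""
    needed, enforced = defaultdict(set), 0
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] == "denied":
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
            enforced += not rec["permissive"]
    return dict(needed), enforced

def as_allow_rules(needed):
    """Render merged denials as candidate allow rules (the shape audit2allow emits)."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {text};")
    return rules
```

With the issue's records, every denial is permissive=1, so the accesses succeeded and the output is a to-do list for policy, not evidence of a broken service; whether to allow or to relabel (the root_t question on /sysroot) remains the policy author's call.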

zpytela added a commit to zpytela/selinux-policy that referenced this issue Oct 22, 2024
The commit addresses the following AVC denials:
type=AVC msg=audit(1727251620.089:166): avc:  denied  { search } for  pid=1475 comm="lsblk" name="udev" dev="tmpfs" ino=58 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1727251620.089:167): avc:  denied  { read } for  pid=1475 comm="lsblk" name="b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:168): avc:  denied  { open } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1727251620.089:169): avc:  denied  { getattr } for  pid=1475 comm="lsblk" path="/run/udev/data/b252:0" dev="tmpfs" ino=1331 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Resolves: fedora-selinux#2362
@travier
Contributor

travier commented Oct 22, 2024

bootupd_t is not in permissive mode by default in Fedora 41+. We turned on permissive mode to get the full logs.

@zpytela
Contributor

zpytela commented Oct 22, 2024

I can't see my comment from yesterday where I asked which service created the /sysroot dir and files there as they are mislabeled.

Reading udev runtime files is allowed in the PR which refers to this issue.

@travier
Contributor

travier commented Oct 22, 2024

/sysroot is a "special" directory on ostree based systems and is the "real" root of the actual root partition on the disk, thus the root_t label.

zpytela added a commit to zpytela/selinux-policy that referenced this issue Nov 15, 2024
In particular, the following permissions were allowed:
- allow read files in /sysroot, which have root_t type
- allow read udev pid files in case lsblk was executed from bootupd
  so no transition to udev applied
- root_t as the default file context for /sysroot/.aleph-version.json

Resolves: rhbz#2320395
Resolves: fedora-selinux#2362
@zpytela
Contributor

zpytela commented Nov 19, 2024

I am going to merge all open PRs now, although some may not be a complete solution, and create a build.
