[Bug 1210121] New: SELinux possible missing policies for systemd-localed and systemd-hostnamed
http://bugzilla.opensuse.org/show_bug.cgi?id=1210121

Bug ID: 1210121
Summary: SELinux possible missing policies for systemd-localed and systemd-hostnamed
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: All
OS: openSUSE Tumbleweed
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: khanich.opensource@gmx.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

tested on: openSUSE microOS Raspberry Pi 4

On a fresh install of microOS, systemd-localed and systemd-hostnamed can only answer dbus calls via localectl and hostnamectl respectively if you run it as root yourself. If you let a script call them, localectl and hostnamectl time out and I get a USER_AVC that systemd-localed and systemd-hostnamed got blocked.

If I add the policies "allow systemd_hostnamed_t initrc_t:dbus send_msg;" and "allow systemd_localed_t initrc_t:dbus send_msg;" respectively, this doesn't happen.

So, my question is whether it is intended that hostnamed and localed can't answer or if that is unintended.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1210121#c2

--- Comment #2 from Kilian Hanich <khanich.opensource@gmx.de> ---

Operating System: openSUSE MicroOS

SELinux status, mode and policy name:
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

SELinux policy version and repository:
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20230321-1.2
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.7 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20230321-1.2.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration

involved software: systemd-localed and systemd-hostnamed

SELinux Audit log (example message):
type=USER_AVC msg=audit(1680826154.899:138): pid=1058 uid=484 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.13 spid=1491 tpid=1538 scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=484 hostname=? addr=? terminal=?'

steps to reproduce:
I have sent a combustion setup for a test environment in the attachment. Start the unit via "systemctl start SetupUnit.service" after login.

other important info:
The failure of hostnamed only happens on some setups though. After going through the whole setup it sometimes happens and sometimes it doesn't. But it always happens for localed.
http://bugzilla.opensuse.org/show_bug.cgi?id=1210121#c3

--- Comment #3 from Kilian Hanich <khanich.opensource@gmx.de> ---

Created attachment 866195
  --> http://bugzilla.opensuse.org/attachment.cgi?id=866195&action=edit
combustion test setup
http://bugzilla.opensuse.org/show_bug.cgi?id=1210121#c4

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed    |Added
----------------------------------------------------------------------------
         Status    |NEW        |RESOLVED
     Resolution    |---        |INVALID

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---

Thanks for providing the script. The issue is that you have

6 ExecStart=/usr/bin/sh /usr/local/sbin/setup.sh

in SetupUnit.service. Since you execute bash, not setup.sh, the service doesn't properly transition. Change that to

6 ExecStart=/usr/local/sbin/setup.sh

and the error goes away.
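The root cause in comment #4 is worth checking for mechanically: when ExecStart= names an interpreter and passes the script as an argument, the kernel executes the interpreter, so the script file's own label never drives an SELinux domain transition and the service keeps running as initrc_t, which is exactly the tcontext in the reporter's USER_AVC. The following shell snippet is an added example and is not part of the bug thread or of any openSUSE tooling: it parses a denial line for its source and target types and lints unit text for interpreter-wrapped Exec lines. The two unit texts and the AVC line are constructed for the example (modelled on the report, reusing the thread's SetupUnit.service and /usr/local/sbin/setup.sh names), and the interpreter list and the handling of systemd's -, +, !, @ prefix modifiers are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug thread. Two small checks for the failure
# mode diagnosed in comment #4: an ExecStart= that runs a shell with the
# script as its argument executes /usr/bin/sh, so the script's file label
# never triggers a domain transition and the service stays in initrc_t.
# Unit texts and the USER_AVC line are constructed here, modelled on the
# report; the interpreter list is an assumption.

# Constructed sample: the ExecStart form that left the service in initrc_t.
BAD_UNIT='[Unit]
Description=constructed sample, interpreter-wrapped ExecStart

[Service]
Type=oneshot
ExecStart=/usr/bin/sh /usr/local/sbin/setup.sh'

# Constructed sample: the form from comment #4, where the script itself is
# the executed file, so its label can select the target domain.
GOOD_UNIT='[Unit]
Description=constructed sample, script is the executable

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/setup.sh'

# Constructed copy of the denial from comment #2, trimmed to the relevant fields.
AVC_LINE="type=USER_AVC msg=audit(1680826154.899:138): msg='avc: denied { send_msg } for msgtype=method_return scontext=system_u:system_r:systemd_localed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\"'"

# Print the source and target SELinux types of a USER_AVC line, e.g.
# "systemd_localed_t initrc_t". A target of initrc_t on a dbus send_msg
# denial is the hint that the caller never left the generic init-script
# domain, which points at the unit's Exec line rather than at the policy.
avc_types() {
    s=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    t=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    printf '%s %s\n' "$s" "$t"
}

# Read unit text on stdin and flag Exec*= lines whose executable is a shell
# or interpreter given an absolute script path as its first argument.
# Returns 0 when no such line exists, 1 otherwise; offending lines go to stderr.
lint_exec_lines() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ExecStart*=*|ExecStop*=*|ExecReload=*|ExecCondition=*) ;;
            *) continue ;;
        esac
        # Word-split the command; strip up to two systemd prefix modifiers
        # (-, +, !, @) from the executable path (assumed sufficient here).
        set -- ${line#*=}
        exe=${1#[-+!@]}; exe=${exe#[-+!@]}
        arg=${2:-}
        case "${exe##*/}" in
            sh|bash|dash|zsh|ksh|python*|perl|ruby)
                case "$arg" in
                    /*) printf 'interpreter-wrapped: %s\n' "$line" >&2; found=1 ;;
                esac ;;
        esac
    done
    return "$found"
}

# Stand-alone usage: lint both samples and classify the denial.
printf '%s\n' "$BAD_UNIT" | lint_exec_lines || echo "BAD_UNIT: fix ExecStart before widening policy"
printf '%s\n' "$GOOD_UNIT" | lint_exec_lines && echo "GOOD_UNIT: script is the executable"
echo "denial types: $(avc_types "$AVC_LINE")"
```

The linter only flags the pattern from this report (interpreter plus an absolute script path); `sh -c ...` is deliberately left alone because there is no separate script file whose label could matter. Running the lint over a unit before reaching for an `allow ... initrc_t:dbus send_msg` rule keeps the fix in the unit, where comment #4 put it, instead of in policy.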
http://bugzilla.opensuse.org/show_bug.cgi?id=1210121#c5

Kilian Hanich <khanich.opensource@gmx.de> changed:

           What    |Removed    |Added
----------------------------------------------------------------------------
     Resolution    |INVALID    |FIXED

--- Comment #5 from Kilian Hanich <khanich.opensource@gmx.de> ---

Well, normally you can provide a shell with a script to execute by putting the path to it as the first parameter. I did this in my normal setup since I move the script in ExecStartPre to /tmp and execute it from there so it can delete itself after it's done, and you can't execute something from /tmp directly because some other subsystem (I didn't bother to investigate which one) blocks it. I also can't just execute the script from /usr/local/sbin and then delete it directly since this causes it to error out.