[Bug 1231127] New: SELinux: health-checker change causes denial
https://bugzilla.suse.com/show_bug.cgi?id=1231127

            Bug ID: 1231127
           Summary: SELinux: health-checker change causes denial
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: fvogt@suse.com
        QA Contact: qa-bugs@suse.de
                CC: fcrozat@suse.com, iforster@suse.com
  Target Milestone: ---
          Found By: ---
           Blocker: ---

With https://github.com/openSUSE/health-checker/pull/21/files, health-checker
calls rpm --verifydb with a custom lock path because /usr/ is not writable.

The modified check fails now because SELinux blocks rpm from writing to
/run/rpmdb:

type=AVC msg=audit(1727697272.028:122): avc: denied { open } for pid=2368 comm="rpmdb" path="/run/rpmdb" dev="tmpfs" ino=2281 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1727697272.028:123): avc: denied { open } for pid=2368 comm="rpmdb" path="/run/rpmdb" dev="tmpfs" ino=2281 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1231127

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com
           Assignee|security-team@suse.de       |filippo.bonazzi@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1231127
https://bugzilla.suse.com/show_bug.cgi?id=1231127#c1

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz@suse.com

--- Comment #1 from Filippo Bonazzi <filippo.bonazzi@suse.com> ---
Recap after discussion with Fabian.

I provided a tentative solution in
https://build.opensuse.org/package/show/home:fbonazzi:branches:security:SELi...

The issue still occurs due to a weird call sequence when the /run/rpmdb
lockfile is first created: it's created with the wrong type because apparently
it's created by health-checker.service running as unconfined. I thought at
least the rpm invocation would end up under rpmdb_t...

Therefore my fix above does not actually work as it's not complete.

Current state:
1. calling health-checker via systemd at boot works, but leaves the lockfile
   with the wrong label
2. calling health-checker via systemd-run at runtime works, with the existing
   lockfile having the wrong label, and leaves it with the wrong label
3. calling health-checker via the shell works, if the lockfile does not exist,
   and leaves the lockfile with the right label
4. the AVCs reported in this bug happen in step 3. when the lockfile already
   exists with the wrong label

So it seems to me that we can do 1 of 2 things to fix this:
1. change health-checker so that it's run as confined by systemd (perhaps a
   dedicated domain? no idea) at least for the rpm invocation part
2. allow the named transition for /run/rpmdb for unconfined_t as well

Adding Johannes to ask for a second opinion on why health-checker.service would
end up running as unconfined, if that's intentional or if it's a good idea.
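Reading the denials in this bug, as an added example that is not part of the bug thread, of health-checker or of the SELinux policy: a POSIX sh triage script that pulls subject type, target type, object class and permission out of AVC lines, collapses the two denials (identical apart from the audit id) into one digest, and flags a target whose type differs from what the caller expects. The two sample lines are the ones from the report above; the expected type handed to check_label is an assumption supplied by the caller, because the thread does not say which type /run/rpmdb should carry. matchpathcon and restorecon named in the message are the standard policycoreutils tools for comparing and restoring a path's label.

```shell
#!/bin/sh
# Added example, not code from the bug report, health-checker or the SELinux
# policy: triage AVC lines like the two in this bug and spot a mislabelled
# target. The sample lines are copied from the report; the "expected type"
# passed to check_label is an assumption supplied by the caller, since the
# thread does not name the type /run/rpmdb should have.

AVC_SAMPLE='type=AVC msg=audit(1727697272.028:122): avc: denied { open } for pid=2368 comm="rpmdb" path="/run/rpmdb" dev="tmpfs" ino=2281 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1727697272.028:123): avc: denied { open } for pid=2368 comm="rpmdb" path="/run/rpmdb" dev="tmpfs" ino=2281 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: print the value of KEY=... with surrounding quotes removed
avc_field() {
  printf '%s\n' "$1" | awk -v key="$2" '{
    for (i = 1; i <= NF; i++) {
      if (index($i, key "=") == 1) {
        v = substr($i, length(key) + 2)
        gsub(/"/, "", v)
        print v
        exit
      }
    }
  }'
}

# avc_perm LINE: print the denied permission, the word between "{" and "}"
avc_perm() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++) if ($i == "{") { print $(i + 1); exit }
  }'
}

# ctx_type CONTEXT: print the type component of user:role:TYPE:level
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: digest "comm subject_type target_type class perm path"
avc_summary() {
  printf '%s %s %s %s %s %s\n' \
    "$(avc_field "$1" comm)" \
    "$(ctx_type "$(avc_field "$1" scontext)")" \
    "$(ctx_type "$(avc_field "$1" tcontext)")" \
    "$(avc_field "$1" tclass)" \
    "$(avc_perm "$1")" \
    "$(avc_field "$1" path)"
}

# avc_triage [FILE]: collapse repeated denials (same digest, different audit
# ids) into "count digest" lines; without FILE the embedded sample is used
avc_triage() {
  { if [ $# -gt 0 ]; then cat "$1"; else printf '%s\n' "$AVC_SAMPLE"; fi; } |
    while IFS= read -r avc_line; do avc_summary "$avc_line"; done |
    sort | uniq -c
}

# check_label EXPECTED_TYPE LINE: return 0 if the denied target already
# carries EXPECTED_TYPE, otherwise say what to verify and fix and return 1
check_label() {
  actual_type=$(ctx_type "$(avc_field "$2" tcontext)")
  [ "$actual_type" = "$1" ] && return 0
  avc_path=$(avc_field "$2" path)
  printf 'mislabelled: %s is %s, expected %s (compare: matchpathcon %s; relabel: restorecon -v %s)\n' \
    "$avc_path" "$actual_type" "$1" "$avc_path" "$avc_path" >&2
  return 1
}

avc_triage
```

The digest for the sample reads `rpmdb rpmdb_t var_run_t file open /run/rpmdb`: the subject is rpmdb_t, so the domain transition on exec did happen, while the target still carries var_run_t, the generic type of /run. That is the symptom comment 1 describes (a lockfile created by an unconfined process, without the named file transition), and it is what a relabel fixes until the policy side is complete. On a live system feed the script the output of `ausearch -m AVC --raw` instead of the embedded sample.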
https://bugzilla.suse.com/show_bug.cgi?id=1231127

Cathy Hu <cathy.hu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cathy.hu@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1231127

Santiago Zarate <santiago.zarate@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |santiago.zarate@suse.com