[Bug 1208482] New: [SELinux] cockpit-ws motd handling causes AVCs
https://bugzilla.suse.com/show_bug.cgi?id=1208482

Bug ID: 1208482
Summary: [SELinux] cockpit-ws motd handling causes AVCs
Classification: openSUSE
Product: openSUSE Leap Micro
Version: 5.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Base
Assignee: security-team@suse.de
Reporter: jsegitz@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

type=AVC msg=audit(1676883178.639:95): avc: denied { read } for pid=1349 comm="sshd" name="inactive.motd" dev="tmpfs" ino=1107 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Likely culprit: /usr/share/cockpit/motd/update-motd

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1208482#c1

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
cat /usr/lib/tmpfiles.d/cockpit-tempfiles.conf
C /run/cockpit/inactive.motd 0640 root root - /usr/share/cockpit/motd/inactive.motd
f /run/cockpit/active.motd 0640 root root -
L+ /run/cockpit/motd - - - - inactive.motd
https://bugzilla.suse.com/show_bug.cgi?id=1208482#c2

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
                 CC|                      |jsegitz@suse.com
           Assignee|security-team@suse.de |microos-bugs@suse.de

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
With this tempfiles.conf the AVC goes away:

d /run/cockpit/motd 0640 root root - -
t /run/cockpit/motd - - - - security.selinux=system_u:object_r:etc_t:s0
C /run/cockpit/motd/inactive.motd 0640 root root - /usr/share/cockpit/motd/inactive.motd
t /run/cockpit/motd/inactive.motd - - - - security.selinux=system_u:object_r:etc_t:s0
f /run/cockpit/motd/active.motd 0640 root root -
t /run/cockpit/motd/active.motd - - - - security.selinux=system_u:object_r:etc_t:s0
L+ /run/cockpit/motd/motd - - - - inactive.motd
t /run/cockpit/motd/motd - - - - security.selinux=system_u:object_r:etc_t:s0

The alternative would be just to label the directory and then have transitions based on the names. /usr/share/cockpit/motd/update-motd will also need updating for the changed path.
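As an added triage helper (not from the bug report or from cockpit itself), the script below parses the AVC record quoted in the report together with a tmpfiles.d fragment, and reports which tmpfiles entry creates the denied object and whether that entry carries an explicit SELinux label (the `t` lines from comment #2) or leaves the path to the loaded policy's default. The sample inputs are constructed from the text of comments #1 and #2.

```python
import re
import shlex
# Constructed sample input: the denial quoted in the bug report.
AVC_LINE = ('type=AVC msg=audit(1676883178.639:95): avc: denied { read } for pid=1349 comm="sshd" '
            'name="inactive.motd" dev="tmpfs" ino=1107 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0')
# Constructed sample input: the shipped fragment (comment #1) and the proposed one (comment #2).
CONF_SHIPPED = """\
C /run/cockpit/inactive.motd 0640 root root - /usr/share/cockpit/motd/inactive.motd
f /run/cockpit/active.motd 0640 root root -
L+ /run/cockpit/motd - - - - inactive.motd
"""
CONF_PROPOSED = """\
d /run/cockpit/motd 0640 root root - -
t /run/cockpit/motd - - - - security.selinux=system_u:object_r:etc_t:s0
C /run/cockpit/motd/inactive.motd 0640 root root - /usr/share/cockpit/motd/inactive.motd
t /run/cockpit/motd/inactive.motd - - - - security.selinux=system_u:object_r:etc_t:s0
"""
AVC_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Split an audit AVC record into its key=value fields plus the denied permissions."""
    fields = {k: v.strip('"') for k, v in AVC_FIELD.findall(line)}
    fields["perms"] = AVC_PERMS.search(line).group(1).split()
    # contexts are user:role:type[:range]; policy rules key on the type
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def parse_tmpfiles(text):
    """Return (type, path, argument) per tmpfiles.d(5) line, skipping blanks and comments."""
    rows = []
    for raw in text.splitlines():
        if raw.strip() and not raw.lstrip().startswith("#"):
            parts = shlex.split(raw)
            rows.append((parts[0], parts[1], parts[6] if len(parts) > 6 else None))
    return rows

def explain_denial(avc_line, conf_text):
    """Tie a denial on a tmpfs object to the tmpfiles entry that creates it and its label source."""
    avc = parse_avc(avc_line)
    rows = parse_tmpfiles(conf_text)
    # only a 't' entry with a security.selinux argument pins a label; every other
    # entry gets whatever the loaded policy's file contexts assign (var_run_t under /run by default)
    explicit = {p: a.split("=", 1)[1] for t, p, a in rows
                if t == "t" and a and a.startswith("security.selinux=")}
    hits = [{"path": p, "entry": t, "label": explicit.get(p, "policy default for path")}
            for t, p, _ in rows if t != "t" and p.rsplit("/", 1)[-1] == avc["name"]]
    return {"source": avc["stype"], "target": avc["ttype"], "perms": avc["perms"],
            "class": avc["tclass"], "created_by": hits}
```

Running `explain_denial(AVC_LINE, CONF_SHIPPED)` attributes the denial to the `C` entry with no pinned label, while the proposed fragment resolves the same object to `etc_t`.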
https://bugzilla.suse.com/show_bug.cgi?id=1208482#c3

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
           Assignee|microos-bugs@suse.de  |jsegitz@suse.com

--- Comment #3 from Johannes Segitz <jsegitz@suse.com> ---
Nah, don't use this. systemd-tmpfiles is SELinux aware, I can do it in the policy.
https://bugzilla.suse.com/show_bug.cgi?id=1208482#c4

--- Comment #4 from Johannes Segitz <jsegitz@suse.com> ---
*** Bug 1208477 has been marked as a duplicate of this bug. ***
https://bugzilla.suse.com/show_bug.cgi?id=1208482#c5

--- Comment #5 from Johannes Segitz <jsegitz@suse.com> ---
Created attachment 865023
  --> https://bugzilla.suse.com/attachment.cgi?id=865023&action=edit
Patch for the SELinux module

The policy module is part of cockpit itself. This is a patch that adds the necessary labeling rules.

I also noticed that the module isn't enabled by the package itself. That doesn't seem to be intentional judging from the %post section. Please have a look.
https://bugzilla.suse.com/show_bug.cgi?id=1208482

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed               |Added
----------------------------------------------------------------------------
           Assignee|jsegitz@suse.com      |microos-bugs@suse.de
participants (1)
-
bugzilla_noreply@suse.com