RHEL-1368

RFE: protect the system from hanging through protecting fapolicyd


    • fapolicyd-1.4.1-2.el10
    • None
    • Moderate
    • 1
    • rhel-security-selinux
    • ssg_security
    • 14
    • 2
    • QE ack
    • False
    • False
    • Yes
    • SELINUX 251119: 15
    • Enhancement
    • Feature, enhancement: The fapolicyd-hardening SELinux module is shipped in fapolicyd-selinux and enabled by default.
      Reason: When the fapolicyd process is traced by ptrace() or receives SIGSTOP, the system hangs. With the fapolicyd-hardening module installed, it's not possible to attach ptrace() to a fapolicyd_t process.
      Result: The system does not hang when `strace` is run on fapolicyd.
    • Proposed
    • None
    • 0

      Description of problem:

      When stracing fapolicyd or sending a SIGSTOP signal to fapolicyd, the system hangs and needs to be forcibly rebooted.

      Assuming SELinux is enabled and in Enforcing mode (which is the default), it should be very easy to avoid such a system hang by protecting the process with a new rule such as the one below:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      (neverallow domain fapolicyd_t (process (sigstop ptrace)))
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Version-Release number of selected component (if applicable):

      fapolicyd-selinux-1.1.3-8.el8_7.1.noarch

      How reproducible:

      Always

      Steps to Reproduce:
      1. Send SIGSTOP as root/unconfined

      Actual results:

      System unusable until rebooted forcibly

      Expected results:

      Cannot send SIGSTOP

      Additional info:

      Unfortunately there seems to be something in SELinux that doesn't take "neverallow" rules into account.
      If I add such a rule, "sesearch --neverallow" still doesn't list anything, weird:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # bunzip2 -c /var/lib/selinux/targeted/active/modules/400/protect_fapolicyd/cil
      (neverallow domain fapolicyd_t (process (sigstop ptrace)))

      --> rule is present and loaded in policy

      # sesearch --neverallow
      --> nothing
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

              rhn-engineering-plautrba Petr Lautrbach
              rhn-support-rmetrich Renaud Métrich
              Milos Malik Milos Malik
              Mirek Jahoda Mirek Jahoda
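
A way to audit which source domains currently hold allow rules for `sigstop` or `ptrace` over fapolicyd_t, written as an added example that is not part of the issue or of the fapolicyd project. It assumes the input is the text printed by `sesearch -A -t fapolicyd_t -c process`; the rules and `example_*` names in the sample are constructed.

```python
import re

# Permissions the issue wants no domain to hold over fapolicyd_t.
WATCHED = {"sigstop", "ptrace"}

# Matches sesearch allow-rule text, for example:
#   allow a_t b_t:process { sigkill sigstop };
#   allow a_t b_t:process ptrace; [ some_bool ]:True
RULE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<set>[^}]*)\}|(?P<one>[^\s;]+))\s*;"
)

def holders(sesearch_text, targets=None, watched=WATCHED):
    """Return {source: sorted perms} for allow rules that grant a watched
    process permission. targets=None trusts the sesearch -t filter, whose
    output can name attributes (such as domain) that contain the type."""
    found = {}
    for line in sesearch_text.splitlines():
        m = RULE.match(line)
        if not m or m["cls"] != "process":
            continue
        if targets is not None and m["tgt"] not in targets:
            continue
        perms = set((m["set"] or m["one"] or "").split())
        hit = perms & set(watched)
        if hit:
            found.setdefault(m["src"], set()).update(hit)
    return {src: sorted(p) for src, p in found.items()}

# Constructed sample input, not taken from a real policy.
SAMPLE = """\
allow example_admin_t fapolicyd_t:process { sigkill sigstop ptrace };
allow example_monitor_t fapolicyd_t:process { getattr signull };
allow example_debug_t fapolicyd_t:process ptrace; [ example_bool ]:True
allow example_admin_t fapolicyd_t:file { read open };
allow example_attr domain:process sigstop;
"""

if __name__ == "__main__":
    for src, perms in sorted(holders(SAMPLE).items()):
        print(f"{src}: {' '.join(perms)}")
```

An empty result on a real policy means no allow rule grants either permission on the queried target.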