-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
rhel-8.7.0
-
Minor
-
sst_security_special_projects
-
ssg_security
-
False
-
-
If docs needed, set a value
-
-
All
Description of problem:
IMHO the rules added to enable dracut execution are too loose (/etc/fapolicyd/rules.d/20-dracut.rules):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
I think there are 2 issues:
1. the "allow perm=any uid=0 : dir=/var/tmp/" rule is not needed at all, dracut executes fine (at least with default command "dracut -f") with just second rule
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
- cat /etc/fapolicyd/rules.d/20-dracut.rules
- Carve out an exception for dracut's initramfs building
#allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
- systemctl restart fapolicyd
- dracut /tmp/initrd.img $(uname -r)
-
-
-
-
-
-
- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
-
-
-
-
-
-
2. the "allow perm=any uid=0 trust=1 : all" rule allows root user to execute any crafted program
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
- cat > hello.c << EOF
#include <stdio.h>
int main(int argc, char *argv[]) { printf("Hello!\n"); return 0; }EOF
- gcc -o hello hello.c
- ./hello
Hello!-
-
-
-
-
-
- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
-
-
-
-
-
-
I think if there is no other choice but this second rule, then a comment in the rules file should clearly mention that this opens the world for root user a lot more than just dracut.
Version-Release number of selected component (if applicable):
fapolicyd-1.1.3-8.el8_7.1.x86_64
How reproducible:
Always, see above.
