Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-15668

SELinux user generated by "sepolicy generate" fails completely

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-8.8.0
    • policycoreutils
    • None
    • None
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • None
    • None
    • None
    • None

      What were you trying to do that didn't work?

      A customer tries to create his own SELinux user through executing the following command:

      # sepolicy generate --term_user -n testuser
# ./testuser.sh
# useradd -Z testuser_u testuser

      Trying to login using ssh with that user, the corresponding user@<UID>.service unit fails in various ways:

      1. Initially there is an issue on PAM, executing by systemd's child that will become systemd-user (user@UID.service unit) 
        # systemctl status user@1000 --no-pager
[...]
Nov 06 15:02:32 vm-testuser8 systemd[6865]: pam_selinux(systemd-user:session): Unable to get valid context for…estuser
Nov 06 15:02:32 vm-testuser8 systemd[6865]: pam_selinux(systemd-user:session): conversation failed
[...]

        The root cause for this is an attempt to set an invalid context, as seen in the corresponding strace excerpt below:

        6865  [system_u:system_r:init_t:s0] 15:02:32.754827 write(7</sys/fs/selinux/context> [system_u:object_r:security_t:s0], "testuser_u:unconfined_r:unconfined_t:s0\0", 40) = -1 EINVAL (Invalid argument) <0.000025>

        Here above the process tries to move from system_u:system_r:init_t:s0 to testuser_u:unconfined_r:unconfined_t:s0 context, instead of trying to move to testuser_u:testuser_r:testuser_t:s0 context.
        This happens due to a bug in the testuser.sh generated script: it's missing the following statement on line 57 (would be a new line):

        57 system_r:init_t         testuser_r:testuser_t

        The fix consists in editing /etc/selinux/targeted/contexts/users/testuser_u to add the entry (because testuser.sh is not idempotent, you cannot run it multiple times until its end ...):

        # echo -e "system_r:init_t\t\ttestuser_r:testuser_t" >> /etc/selinux/targeted/contexts/users/testuser_u
      1. But this is not enough, more issues arise then 
        # systemctl status user@1000 --no-pager 
[...]
Nov 06 15:13:05 vm-testuser8 systemd[1]: user@1000.service: Failed with result 'protocol'.
Nov 06 15:13:05 vm-testuser8 systemd[1]: Failed to start User Manager for UID 1000.

        The strace shows the process cannot execute:

        7501  [system_u:system_r:init_t:s0] 15:14:35.516037 execve("/usr/lib/systemd/systemd" [system_u:object_r:init_exec_t:s0], ["/usr/lib/systemd/systemd", "--user"], ...) = -1 EACCES (Permission denied) <0.000484>
7501  [testuser_u:testuser_r:testuser_t:s0] 15:14:35.516648 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
7501  [testuser_u:testuser_r:testuser_t:s0] 15:14:35.516744 +++ killed by SIGSEGV +++

        In fact, some rules are missing. If I compare with user_u user (actually user_t type), I see the following:

        # sesearch -A -s user_t -t init_exec_t
[...]
allow login_userdomain init_exec_t:file entrypoint;
allow user_t init_exec_t:file { execute execute_no_trans getattr ioctl map open read };
[...]

        whereas our new testuser_u user doesn't have this rule on "execute":

        # sesearch -A -s testuser_t -t init_exec_t
[...]
allow login_userdomain init_exec_t:file entrypoint;
[...]

        The fix consists in adding the missing rule to testuser.te generated file:

        init_domtrans(testuser_t)
      1. Unfortunately, this is not yet enough, more rules are missing, especially the ones to read /proc to be able to detect if there is a main systemd instance
        AVCs for missing rules are mostly hidden: 
        8367  [testuser_u:testuser_r:testuser_t:s0] 15:24:39.843032 openat(AT_FDCWD</>, "/proc/1/environ" [system_u:system_r:init_t:s0], O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) <0.000002>
8367  [testuser_u:testuser_r:testuser_t:s0] 15:24:39.843047 openat(AT_FDCWD</>, "/proc/1/sched" [system_u:system_r:init_t:s0], O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) <0.000002>
8367  [testuser_u:testuser_r:testuser_t:s0] 15:24:39.843062 openat(AT_FDCWD</>, "/proc/cmdline" [system_u:object_r:proc_t:s0], O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) <0.000002>

      At this point I dropped the troubleshooting because it doesn't seem to ever end.

      Please provide the package NVR for which bug is seen:

      policycoreutils-devel-2.9-24.el8.x86_64

      How reproducible:

      Always, see description.

       

              vmojzis@redhat.com Vit Mojzis
              rhn-support-rmetrich Renaud Métrich
              Vit Mojzis Vit Mojzis
              Amith Kumar Peethambaran Amith Kumar Peethambaran
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: