Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-22172

SELinux policy (daemons) changes required for package: rust-bootupd

    • selinux-policy-38.1.37-1.el9
    • None
    • None
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 11
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • CY24Q2
    • Hide

      The bootupd service is confined by SELinux and does not run under the unconfined_service_t context anymore. The bootupd service with default configuration does not trigger any SELinux denials when started and/or running in enforcing mode.

      Show
      The bootupd service is confined by SELinux and does not run under the unconfined_service_t context anymore. The bootupd service with default configuration does not trigger any SELinux denials when started and/or running in enforcing mode.
    • Pass
    • Automated
    • Enhancement
    • Hide
      .The `bootupd` service is SELinux confined

      The `bootupd` service supports updating the bootloader, and therefore needs to be confined. This update to the SELinux policy adds additional rules, and as a result, the `bootupd` service runs in the `bootupd_t` SELinux domain.
      Show
      .The `bootupd` service is SELinux confined The `bootupd` service supports updating the bootloader, and therefore needs to be confined. This update to the SELinux policy adds additional rules, and as a result, the `bootupd` service runs in the `bootupd_t` SELinux domain.
    • Done
    • All
    • None

      Summary:

      bootupd is a daemon with a remote command line interface (bootupctl). It listens on /run/bootupd.sock. Although it does not expose any privilege escalating command, it is currently only exposed to root as a precaution, thus should probably only be reachable by the sysadm/staff domains.

      It requires privileges to remount /boot as RW as needed and update the content of /boot with files from /usr/lib/bootupd/updates/.
      $ ls -alhZ /usr/lib/bootupd/updates/
      total 4.0K
      drwxr-xr-x. 3 root root system_u:object_r:lib_t:s0 33 Jan 1 1970 .
      ...

      It also reads:
      $ ls -alhZ /sysroot/.coreos-aleph-version.json
      rw-rr-. 1 root root system_u:object_r:root_t:s0 195 Oct 14 02:07 /sysroot/.coreos-aleph-version.json

      Refer to https://bugzilla.redhat.com/show_bug.cgi?id=2044508 for further details.

      The service was confined in Fedora in https://github.com/fedora-selinux/selinux-policy/pull/1598, with 1 subsequent fix. There is a test available:

      /CoreOS/selinux-policy/Regression/bootupd-and-similar

              rhn-support-zpytela Zdenek Pytela
              rhn-support-zpytela Zdenek Pytela
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: