RHEL-36587

nodejs executables in /usr/lib/node_modules/npm/bin are not properly labeled

    • Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-9.5
    • rhel-8.9.0, rhel-9.4
    • selinux-policy
    • selinux-policy-38.1.41-1.el9
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • 20
    • QE ack
    • False
    • Yes
    • Red Hat Enterprise Linux
    • A newly created npm based service runs successfully in the unconfined_service_t domain in enforcing mode. No SELinux denials are triggered during the start or run of the service.
    • Pass
    • Automated
    • Bug Fix
    • SELinux policy correctly labels `npm`

      Previously, the `npm` service executable was labeled with the generic `lib_t` SELinux type. As a consequence, `npm` could not be executed. In this update, the `npm` executable has been explicitly labeled in the SELinux policy with the `bin_t` type. As a result, the `npm` service starts successfully and runs in the `unconfined_service_t` domain.
    • Done

      What were you trying to do that didn't work?

      A customer wrote a service that executes the nodejs command /usr/bin/npm start.
      With RHEL8 and later, this fails because /usr/bin/npm is a symlink to /usr/lib/node_modules/npm/bin/npm-cli.js, which is labeled with lib_t:

      # ls -lZ /usr/bin/npm /usr/lib/node_modules/npm/bin/npm-cli.js
      lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 38 Mar  5 07:14 /usr/bin/npm -> ../lib/node_modules/npm/bin/npm-cli.js
      -rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 50 Aug  9  2023 /usr/lib/node_modules/npm/bin/npm-cli.js
      

      This hence prevents the transition from init_t to unconfined_service_t from occurring, since there is no transition for the lib_t context, which is the context of the target of the symlink /usr/bin/npm.

      IMHO this is a bug in the policy; every location under /usr/lib/ having a /bin/ directory should be labeled with bin_t by default.
      Checking the policy, we can already see such locations, e.g.:

      /usr/lib/ccache/bin(/.*)?                          all files          system_u:object_r:bin_t:s0 
      /usr/lib/debug/bin(/.*)?                           regular file       system_u:object_r:bin_t:s0 
      /usr/lib/debug/usr/bin(/.*)?                       regular file       system_u:object_r:bin_t:s0 
      /usr/lib/erlang/erts.*/bin(/.*)?                   all files          system_u:object_r:bin_t:s0 
      /usr/lib/libreoffice(/.*)?/bin(/.*)?               all files          system_u:object_r:bin_t:s0 
      /usr/lib/mailman/bin(/.*)?                         all files          system_u:object_r:bin_t:s0 
      /usr/lib/news/bin(/.*)?                            all files          system_u:object_r:bin_t:s0 
      /usr/lib/portage/bin(/.*)?                         all files          system_u:object_r:bin_t:s0 
      /usr/lib/qt.*/bin(/.*)?                            all files          system_u:object_r:bin_t:s0 
      /usr/lib/xen/bin(/.*)?                             all files          system_u:object_r:bin_t:s0 
      

      There are even 2 specific locations for programs, but none for /bin/:

      /usr/lib/.*/program(/.*)?                          all files          system_u:object_r:bin_t:s0 
      /usr/lib/.*/scripts(/.*)?                          all files          system_u:object_r:bin_t:s0 
      

      IMHO a new generic rule similar to the ones above should be added to the policy, and the specific ones (e.g. for "portage", "qt", etc.) removed and replaced by the one below:

      /usr/lib/.*/bin(/.*)?                          all files          system_u:object_r:bin_t:s0 
      

      Please provide the package NVR for which the bug is seen:

      selinux-policy-3.14.3-128.el8_9.1.noarch
      selinux-policy-38.1.35-2.el9_4.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Install nodejs
      2. Create a custom service starting nodejs
        [Service]
        ExecStart=/usr/bin/npm start
      3. Start the service

      Expected results

      Starts properly

      Actual results

      Fails to start
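      To make the mechanism in the report concrete, the following is an added Python model, not code from the issue or from selinux-policy, of how a file_contexts lookup and an exec-time domain transition interact across a symlink. The rule table is a constructed subset: the generic `/usr/lib(/.*)?` lib_t and `/usr/bin(/.*)?` bin_t entries plus a few rules quoted in the report, with the reporter's proposed `/usr/lib/.*/bin(/.*)?` rule appended in the "after" table. The transition table assumes only the init_t to unconfined_service_t transition on bin_t entrypoints that the report describes. "Last matching rule wins" over a generic-to-specific ordering stands in for libselinux's behaviour after the policy build sorts file_contexts by specificity; the real lookup also handles stems, compiled regexes and many more file types.

```python
import os
import re

# Constructed file_contexts subset: (anchored regex, file-type column, context).
# Ordered from generic to specific, so "last match wins" picks the specific rule.
FILE_CONTEXTS_BEFORE = [
    ("/usr/lib(/.*)?",             "all files",    "system_u:object_r:lib_t:s0"),
    ("/usr/bin(/.*)?",             "all files",    "system_u:object_r:bin_t:s0"),
    ("/usr/lib/ccache/bin(/.*)?",  "all files",    "system_u:object_r:bin_t:s0"),
    ("/usr/lib/debug/bin(/.*)?",   "regular file", "system_u:object_r:bin_t:s0"),
    ("/usr/lib/.*/program(/.*)?",  "all files",    "system_u:object_r:bin_t:s0"),
    ("/usr/lib/.*/scripts(/.*)?",  "all files",    "system_u:object_r:bin_t:s0"),
]

# The reporter's proposed generic rule, added on top of the existing ones.
FILE_CONTEXTS_AFTER = FILE_CONTEXTS_BEFORE + [
    ("/usr/lib/.*/bin(/.*)?",      "all files",    "system_u:object_r:bin_t:s0"),
]

# File-type column of file_contexts mapped onto the kinds used in FILESYSTEM.
FILE_TYPES = {"all files": None, "regular file": "regular",
              "symbolic link": "symlink", "directory": "directory"}

# Constructed mini filesystem taken from the `ls -lZ` output in the report:
# path -> (kind, symlink target or None).
FILESYSTEM = {
    "/usr/bin/npm": ("symlink", "../lib/node_modules/npm/bin/npm-cli.js"),
    "/usr/lib/node_modules/npm/bin/npm-cli.js": ("regular", None),
}

# Assumed domain transition table: (source domain, entrypoint type) -> new domain.
# Only the transition the report relies on is modelled.
DOMAIN_TRANSITIONS = {("init_t", "bin_t"): "unconfined_service_t"}


def match_context(path, kind, file_contexts):
    """Return the context of the last rule matching `path` (regexes are
    anchored to the whole path, as libselinux anchors them), or None."""
    result = None
    for regex, ftype, context in file_contexts:
        wanted_kind = FILE_TYPES[ftype]
        if wanted_kind is not None and wanted_kind != kind:
            continue  # rule restricted to another file type
        if re.fullmatch(regex, path):
            result = context
    return result


def context_type(context):
    """Extract the type field from user:role:type:level."""
    return context.split(":")[2]


def resolve(path, fs, limit=40):
    """Follow symlinks as the kernel does before exec: the label that decides
    the transition is the one on the final regular file, not on the link."""
    for _ in range(limit):
        kind, target = fs[path]
        if kind != "symlink":
            return path
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
    raise OSError("too many levels of symbolic links")


def exec_domain(source_domain, exec_path, fs, file_contexts):
    """Return (resolved target, entrypoint type, new domain or None).
    None means no transition rule exists for that entrypoint type, which is
    the failure the report describes for lib_t."""
    target = resolve(exec_path, fs)
    kind, _ = fs[target]
    entry_type = context_type(match_context(target, kind, file_contexts))
    return target, entry_type, DOMAIN_TRANSITIONS.get((source_domain, entry_type))


if __name__ == "__main__":
    for label, table in (("before fix", FILE_CONTEXTS_BEFORE),
                         ("after fix", FILE_CONTEXTS_AFTER)):
        target, etype, domain = exec_domain("init_t", "/usr/bin/npm",
                                            FILESYSTEM, table)
        print(f"{label}: {target} is {etype}; init_t -> {domain or 'no transition'}")
```

      Running it shows why the symlink's own bin_t label is irrelevant: the lookup on the resolved target yields lib_t with the original table and bin_t once the generic `/usr/lib/.*/bin(/.*)?` rule is present, and only the latter has a transition out of init_t.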

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela
              Milos Malik
              Jan Fiala