Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-56350

[rhel-10] nodejs executables in /usr/lib/node_modules/npm/bin are not properly labeled

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • rhel-10.0
    • rhel-10.0.beta
    • selinux-policy
    • None
    • selinux-policy-40.13.11-1.el10
    • None
    • Moderate
    • 2
    • rhel-sst-security-selinux
    • ssg_security
    • 15
    • 1
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • SELINUX 241016 - 241106, SELINUX 241106 - 241127
    • Hide

      A newly created npm based service runs successfully in unconfined_service_t domain in enforcing mode. No SELinux denials are triggered during the start or run of the service.

      Show
      A newly created npm based service runs successfully in unconfined_service_t domain in enforcing mode. No SELinux denials are triggered during the start or run of the service.
    • Fail
    • Automated
    • Bug Fix
    • Hide
      Cause (the user action or circumstances that trigger the bug):
      Label for the npm service executable has the generic lib_t type.
      Consequence (what the user experience is when the bug occurs):
      The npm service cannot be executed.
      Fix (what has changed to fix the bug; do not include overly technical details):
      The npm executable was explicitly labeled in the policy with the bin_t type.
      Result (what happens now that the patch is applied):
      The npm service starts successfully and runs in the unconfined_service_t domain.
      Show
      Cause (the user action or circumstances that trigger the bug): Label for the npm service executable has the generic lib_t type. Consequence (what the user experience is when the bug occurs): The npm service cannot be executed. Fix (what has changed to fix the bug; do not include overly technical details): The npm executable was explicitly labeled in the policy with the bin_t type. Result (what happens now that the patch is applied): The npm service starts successfully and runs in the unconfined_service_t domain.
    • Proposed
    • None

      What were you trying to do that didn't work?

      A customer wrote a service that executes nodejs /usr/bin/npm start command.
      With RHEL8 and later, this fails because /usr/bin/npm is a symlink to /usr/lib/node_modules/npm/bin/npm-cli.js which is labeled with lib_t:

      # ls -lZ /usr/bin/npm /usr/lib/node_modules/npm/bin/npm-cli.js
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 38 Mar  5 07:14 /usr/bin/npm -> ../lib/node_modules/npm/bin/npm-cli.js
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 50 Aug  9  2023 /usr/lib/node_modules/npm/bin/npm-cli.js

      This hence prevents the transition from init_t to unconfined_service_t to occur, since there is no transition for lib_t context, which is the context of the target of the symlink /usr/bin/npm.

      IMHO this is a bug in the policy, every location under /usr/lib/ having /bin/ directory should be labeled with bin_t by default.
      Checking the policy, we can already see such locations, e.g.:

      /usr/lib/ccache/bin(/.*)?                          all files          system_u:object_r:bin_t:s0 
/usr/lib/debug/bin(/.*)?                           regular file       system_u:object_r:bin_t:s0 
/usr/lib/debug/usr/bin(/.*)?                       regular file       system_u:object_r:bin_t:s0 
/usr/lib/erlang/erts.*/bin(/.*)?                   all files          system_u:object_r:bin_t:s0 
/usr/lib/libreoffice(/.*)?/bin(/.*)?               all files          system_u:object_r:bin_t:s0 
/usr/lib/mailman/bin(/.*)?                         all files          system_u:object_r:bin_t:s0 
/usr/lib/news/bin(/.*)?                            all files          system_u:object_r:bin_t:s0 
/usr/lib/portage/bin(/.*)?                         all files          system_u:object_r:bin_t:s0 
/usr/lib/qt.*/bin(/.*)?                            all files          system_u:object_r:bin_t:s0 
/usr/lib/xen/bin(/.*)?                             all files          system_u:object_r:bin_t:s0

      There is even 2 specific locations for programs, but none for /bin/:

      /usr/lib/.*/program(/.*)?                          all files          system_u:object_r:bin_t:s0 
/usr/lib/.*/scripts(/.*)?                          all files          system_u:object_r:bin_t:s0

      IMHO a new generic rule similar to the ones above should be added to the policy, and specific ones (e.g. for "portage", "qt", etc.) removed and replaced by this one below:

      /usr/lib/.*/bin(/.*)?                          all files          system_u:object_r:bin_t:s0

      Please provide the package NVR for which bug is seen:

      nodejs-22.4.1-3.el10.x86_64
      nodejs-docs-22.4.1-3.el10.noarch
      nodejs-full-i18n-22.4.1-3.el10.x86_64
      nodejs-libs-22.4.1-3.el10.x86_64
      nodejs-npm-10.8.1-1.22.4.1.3.el10.x86_64
      selinux-policy-40.13.9-1.el10.noarch
      selinux-policy-devel-40.13.9-1.el10.noarch
      selinux-policy-mls-40.13.9-1.el10.noarch
      selinux-policy-targeted-40.13.9-1.el10.noarch

      How reproducible:

      Always

      Steps to reproduce

      1. Install nodejs
      2. Create a custom service starting nodejs 
        [Service]
ExecStart=/usr/bin/npm start
      3. Start the service

      Expected results

      Starts properly

      Actual results

      Fails to start

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: