Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-8.9.0
Affects Version/s: rhel-8.7.0
Component/s: fapolicyd
Labels:

Fixed in Build:
fapolicyd-1.3.2-1.el8
Regression:
None
Severity:
Moderate

Pool Team:

rhel-sst-security-special-projects

Internal Target Milestone:
20
Story Points:
None
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Acceptance Criteria:
- removing a file from the trustdb has immediate effect without the service restart
Git Pull Request:
https://gitlab.com/redhat/centos-stream/rpms/fapolicyd/-/merge_requests/15
Preliminary Testing:
Pass
Testable Builds:

Hide
https://centos.softwarefactory-project.io/logs/15/15/b721d60ccc0281dba7ce56d8b5a4c54938b9ad6d/check/mock-build/bf10b95/repo/

Show
https://centos.softwarefactory-project.io/logs/15/15/b721d60ccc0281dba7ce56d8b5a4c54938b9ad6d/check/mock-build/bf10b95/repo/
Test Coverage:
None

Release Note Type:
Bug Fix
Release Note Text:

Hide
.`fapolicyd` service no longer runs programs that are removed from the trusted database

Previously, the `fapolicyd` service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the `fapolicyd-cli --update` command had no effect, and the program could be executed even after being removed. With this update, the `fapolicyd-cli --update` command correctly updates the trusted programs database, and removed programs can no longer be executed.

Show
.`fapolicyd` service no longer runs programs that are removed from the trusted database Previously, the `fapolicyd` service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the `fapolicyd-cli --update` command had no effect, and the program could be executed even after being removed. With this update, the `fapolicyd-cli --update` command correctly updates the trusted programs database, and removed programs can no longer be executed.
Release Note Status:
Done

Experience:
Architecture:

All
Bugzilla Bug:
RHBZ: 2181472

PX Impact Score:
PX Priority Data:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:

Removing a program from trust database, then reloading fapolicyd, has no effect. The program can still execute, until fapolicyd is restarted, as shown in the example below:

Sample program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ cat > hello.c << EOF
#include <stdio.h>
int main(int argc, char *argv[])
{
printf("Hello!\n");
return 0;
}
EOF

[user@vm-fapolicy8 ~]$ gcc -o hello hello.c
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Program initially untrusted:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ ./hello
-bash: ./hello: Operation not permitted
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Trusting the program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[root@vm-fapolicy8 ~]# fapolicyd-cli -f add /home/user/hello
[root@vm-fapolicy8 ~]# fapolicyd-cli -u
Fapolicyd was notified
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Program now trusted:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ ./hello
Hello!
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Untrusting the program:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[root@vm-fapolicy8 ~]# fapolicyd-cli -f delete /home/user/hello
[root@vm-fapolicy8 ~]# fapolicyd-cli -u
Fapolicyd was notified
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Program untrusted again: (STILL EXECUTES!)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[user@vm-fapolicy8 ~]$ ./hello
Hello!
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Looks like a cache issue.

Version-Release number of selected component (if applicable):

fapolicyd-1.1.3-8.el8_7.1.x86_64

How reproducible:

Always, see above.

Acceptance Criteria:

removing a file from the trustdb has immediate effect without the service restart

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

AutoMilos-logs-J8043261.zip
84 kB
2023/07/07 1:44 PM

blocks

RHEL-622 fapolicyd still allows execution of a program after "untrusting" it

Closed

external trackers

Red Hat Customer Portal 03468540

Red Hat Issue Tracker RHELPLAN-152997

Red Hat Issue Tracker SECENGSP-5123

TCMS Test Case 612715

mentioned on

Commit - RHEL 8.9.0 ERRATUM

(2 mentioned on)

Assignee:: Dalibor Pospíšil

Reporter:: Renaud Métrich

Developer:: Radovan Sroka

QA Contact:: Dalibor Pospíšil

Doc Contact:: Parth Shah (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2023/06/19 5:32 PM

Updated:: 2024/09/23 10:14 PM

Resolved:: 2023/11/14 7:01 AM

Target end:: 2023/07/17

Release Date:: 2023/11/14

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates