RHEL-829

fapolicyd can create RPM DB files /var/lib/rpm/__db.xxx with bad ownership causing AVCs to occur

    • fapolicyd-1.3.2-1.el8
    • None
    • Moderate
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • None
    • Dev ack
    • False
    • Yes
    • None
    • Bug Fix
      .`fapolicyd` service now creates RPM database files with correct ownership

      Previously, the `fapolicyd` service created and owned RPM database files in the `/var/lib/rpm/` directory. As a result, other programs were unable to access the files, which resulted in availability control errors. With this update, `fapolicyd` creates the files with correct ownership, and the errors no longer occur.
    • Done
    • None

      Description of problem:

      Because fapolicyd executes with fapolicyd:fapolicyd user/group, it may happen that upon start, fapolicyd creates RPM DB files and owns them:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # ls -ld /var/lib/rpm/__*
      -rw-r-----. 1 fapolicyd fapolicyd 286720 Mar 9 14:13 /var/lib/rpm/__db.001
      -rw-r-----. 1 fapolicyd fapolicyd 90112 Mar 9 14:13 /var/lib/rpm/__db.002
      -rw-r-----. 1 fapolicyd fapolicyd 1318912 Mar 9 14:13 /var/lib/rpm/__db.003
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      This leads other services, such as rhsmcertd, to throw AVCs:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      ... type=PROCTITLE msg=audit(02/22/2023 22:01:44.253:71037) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsmcertd-worker
      ... type=PATH msg=audit(02/22/2023 22:01:44.253:71037) : item=0 name=/var/lib/rpm/__db.001 inode=135 dev=fd:04 mode=file,640 ouid=fapolicyd ogid=fapolicyd rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      ... type=CWD msg=audit(02/22/2023 22:01:44.253:71037) : cwd=/
      ... type=SYSCALL msg=audit(02/22/2023 22:01:44.253:71037) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55b6c41d8650 a2=O_RDWR a3=0x0 items=1 ppid=1831 pid=305395 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
      ... type=AVC msg=audit(02/22/2023 22:01:44.253:71037) : avc: denied { dac_override } for pid=305395 comm=rhsmcertd-worke capability=dac_override scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=capability permissive=0
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Additionally, "rpm -V" then complains because it's not in accordance with expected permissions and owner:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # rpm -V rpm
      .M...UG.. c /var/lib/rpm/__db.001
      .M...UG.. c /var/lib/rpm/__db.002
      .M...UG.. c /var/lib/rpm/__db.003
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      The expected permissions and ownership are 600 / root:root:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # ls -ld /var/lib/rpm/__*
      -rw-------. 1 root root 286720 Mar 9 13:50 /var/lib/rpm/__db.001
      -rw-------. 1 root root 90112 Mar 9 13:50 /var/lib/rpm/__db.002
      -rw-------. 1 root root 1318912 Mar 9 13:50 /var/lib/rpm/__db.003
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Version-Release number of selected component (if applicable):

      fapolicyd-1.1.3-8.el8.x86_64 and latest fapolicyd-1.1.3-8.el8_7.1.x86_64

      How reproducible:

      Always

      Steps to Reproduce:
      1. Stop fapolicyd service
         # systemctl stop fapolicyd
      2. Delete RPM files
         # rm /var/lib/rpm/__*
      3. Start fapolicyd service
         # systemctl start fapolicyd
      4. Check permissions and ownership

      Actual results:

      640 / fapolicyd:fapolicyd

      Expected results:

      600 / root:root

      Additional info:

      The reason for this is execution of rpm command (or librpm, didn't check) internally

      Acceptance Criteria:

      • no avc on the /var/lib/rpm files

              dapospis@redhat.com Dalibor Pospíšil
              rhn-support-rmetrich Renaud Métrich
              Radovan Sroka Radovan Sroka
              Dalibor Pospíšil Dalibor Pospíšil
              Parth Shah Parth Shah (Inactive)
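
Added example, not part of the original report or of fapolicyd: a triage helper that groups interpreted audit records (the format quoted in the description) by event serial and flags `dac_override` denials where the calling uid differs from the owner of an RPM DB file. In that case root fails the ordinary owner/mode check on the 640 fapolicyd-owned file, so the kernel asks for CAP_DAC_OVERRIDE, which the confined domain lacks. The function names and the abbreviated sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the records quoted in the report,
# plus one unrelated successful event (serial 71038) that must not be flagged.
SAMPLE = """\
type=PATH msg=audit(02/22/2023 22:01:44.253:71037) : item=0 name=/var/lib/rpm/__db.001 mode=file,640 ouid=fapolicyd ogid=fapolicyd
type=SYSCALL msg=audit(02/22/2023 22:01:44.253:71037) : syscall=openat success=no exit=EACCES(Permission denied) uid=root comm=rhsmcertd-worke
type=AVC msg=audit(02/22/2023 22:01:44.253:71037) : avc: denied { dac_override } for pid=305395 comm=rhsmcertd-worke capability=dac_override
type=PATH msg=audit(02/22/2023 22:01:45.100:71038) : item=0 name=/var/lib/rpm/__db.002 mode=file,600 ouid=root ogid=root
type=SYSCALL msg=audit(02/22/2023 22:01:45.100:71038) : syscall=openat success=yes exit=3 uid=root comm=rpm
"""

EVENT_ID = re.compile(r"msg=audit\([^)]*:(\d+)\)")  # serial after the timestamp
FIELD = re.compile(r"(\w+)=(\S+)")                  # key=value pairs in a record


def parse_events(text):
    """Return {serial: {record_type: [fields, ...]}} for all audit lines."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        fields = dict(FIELD.findall(line))
        if m and "type" in fields:
            events[m.group(1)][fields["type"]].append(fields)
    return events


def misowned_rpm_db_denials(text, db_prefix="/var/lib/rpm/__db."):
    """List (serial, comm, path, owner, mode) for dac_override denials
    that coincide with an RPM DB file not owned by the calling uid."""
    findings = []
    for serial, recs in parse_events(text).items():
        avcs = [a for a in recs["AVC"] if a.get("capability") == "dac_override"]
        if not avcs or not recs["SYSCALL"]:
            continue
        caller = recs["SYSCALL"][0].get("uid")
        for path in recs["PATH"]:
            name = path.get("name", "")
            if name.startswith(db_prefix) and path.get("ouid") != caller:
                findings.append((serial, avcs[0].get("comm"), name,
                                 path.get("ouid"), path.get("mode")))
    return findings


if __name__ == "__main__":
    for finding in misowned_rpm_db_denials(SAMPLE):
        print(finding)
```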