RHEL-85808

fapolicyd does not prevent execution of ldd in image mode


    • Type: Bug
    • Resolution: Done
    • rhel-9.6, rhel-10.0
    • fapolicyd
    • rhel-security-special-projects
    • ssg_security
    • SECENGSP Cycle 20, SECENGSP Cycle 21
    • x86_64, aarch64

      What were you trying to do that didn't work?

      fapolicyd should block the execution of ldd on a binary when that execution is not allowed for the user.

      What is the impact of this issue to you?

      The test scenario that exercises this functionality fails because of this issue.


      :: [ 11:22:57 ] :: [  BEGIN   ] :: Running 'su -c '/lib64/ld-linux-x86-64.so.2 /usr/bin/ls -la' - testuser1'
      total 12
      drwx------. 2 testuser1 testuser1  62 Apr  2 11:22 .
      drwxr-xr-x. 3 root      root       23 Apr  2 11:22 ..
      -rw-r--r--. 1 testuser1 testuser1  18 Apr  2 11:21 .bash_logout
      -rw-r--r--. 1 testuser1 testuser1 144 Apr  2 11:21 .bash_profile
      -rw-r--r--. 1 testuser1 testuser1 522 Apr  2 11:21 .bashrc
      :: [ 11:22:57 ] :: [   FAIL   ] :: Command 'su -c '/lib64/ld-linux-x86-64.so.2 /usr/bin/ls -la' - testuser1' (Expected 126, got 0)
      :: [ 11:22:57 ] :: [  BEGIN   ] :: Running 'su -c '/lib64/ld-linux-x86-64.so.2 /var/tmp/ls2 -la' - testuser1'
      total 12
      drwx------. 2 testuser1 testuser1  62 Apr  2 11:22 .
      drwxr-xr-x. 3 root      root       23 Apr  2 11:22 ..
      -rw-r--r--. 1 testuser1 testuser1  18 Apr  2 11:21 .bash_logout
      -rw-r--r--. 1 testuser1 testuser1 144 Apr  2 11:21 .bash_profile
      -rw-r--r--. 1 testuser1 testuser1 522 Apr  2 11:21 .bashrc
      :: [ 11:22:57 ] :: [   FAIL   ] :: Command 'su -c '/lib64/ld-linux-x86-64.so.2 /var/tmp/ls2 -la' - testuser1' (Expected 126, got 0) 
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   non-root
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      
      :: [ 11:22:02 ] :: [  BEGIN   ] :: Running 'su -c 'ldd /usr/bin/ls' - testuser1'
      	linux-vdso.so.1 (0x00007ff6693bb000)
      	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007ff66935a000)
      	libcap.so.2 => /lib64/libcap.so.2 (0x00007ff66934d000)
      	libc.so.6 => /lib64/libc.so.6 (0x00007ff669174000)
      	libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007ff6690d2000)
      	/lib64/ld-linux-x86-64.so.2 (0x00007ff6693bd000)
      :: [ 11:22:02 ] :: [   FAIL   ] :: Command 'su -c 'ldd /usr/bin/ls' - testuser1' (Expected 1-255, got 0)
      :: [ 11:22:02 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.Xl2yy5sM' should contain '126'  

      Please provide the package NVR for which the bug is seen:

      fapolicyd-1.3.3-102.el10.x86_64

      How reproducible is this bug?:

      Running the specified test scenario in image mode.

      Steps to reproduce

      1. git clone --branch pk_failing_image-mode https://gitlab.cee.redhat.com/special-projects/tests/fapolicyd.git
      2. install the tmt tool for running the tests
      3. provision a machine with the targeted system
      4. TMT_SCRIPTS_DIR=/var/lib/tmt/scripts tmt --context distro=OS run -vvv discover plan -n /Plans/image-mode-failing provision -h connect -g IP_MACHINE -u root  execute
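      A lighter-weight manual check of the same expectation, added here as an example and not part of the linked test suite: it runs the loader and ldd invocations from the log above as an unprivileged user and reports whether fapolicyd denied them. It assumes an x86_64 host with fapolicyd running; the user name and binary path are placeholders given on the command line, and the script's exit status is the number of failed checks so it can be dropped into any harness.

```shell
#!/bin/sh
# Added example (not from the linked fapolicyd test suite): verify that
# fapolicyd denies a user direct use of the dynamic loader and of ldd on a
# binary. Assumes an x86_64 host with fapolicyd running; USER and BINARY are
# placeholders supplied by the caller.
#   usage: sh check_loader_denial.sh testuser1 /usr/bin/ls

LOADER=/lib64/ld-linux-x86-64.so.2

# run_as USER CMD...: run CMD as USER through a login shell, as the test does.
run_as() {
    user=$1; shift
    su -c "$*" - "$user"
}

# verdict STATUS: a fapolicyd denial surfaces as EACCES from execve, which the
# shell reports as exit 126; exit 0 means the program actually ran.
verdict() {
    case "$1" in
        126) echo denied ;;
        0)   echo allowed ;;
        *)   echo "error($1)" ;;
    esac
}

# check USER CMD...: print PASS when CMD is denied for USER, FAIL otherwise;
# returns 0 on PASS so callers can count failures.
check() {
    user=$1; shift
    run_as "$user" "$@" >/dev/null 2>&1
    rc=$?
    v=$(verdict "$rc")
    if [ "$v" = denied ]; then
        echo "PASS: '$*' denied for $user"
        return 0
    fi
    echo "FAIL: '$*' $v for $user (expected denied, exit 126)"
    return 1
}

# run_checks USER BINARY: the loader and ldd invocations from the log above;
# returns the number of failed checks (0 when fapolicyd behaves as expected).
run_checks() {
    user=$1 bin=$2 fails=0
    check "$user" "$LOADER" "$bin" -la || fails=$((fails + 1))
    check "$user" ldd "$bin"           || fails=$((fails + 1))
    return "$fails"
}

# Only run when invoked with arguments, so the functions can be sourced alone.
if [ $# -ge 2 ]; then
    run_checks "$1" "$2"
fi
```

      On a package-mode host with the default rules, both checks print PASS; the image-mode run described in this issue would print two FAIL lines and exit 2.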

      Expected results

      fapolicyd prevents the execution of ldd, as it does in package mode.

      Actual results

      fapolicyd did not prevent the execution of ldd, unlike in package mode.

      LOGS:
      https://artifacts.osci.redhat.com/testing-farm/59c9b4aa-befc-4362-9421-4cf58bbf1c8f/

              Petr Lautrbach (rhn-engineering-plautrba)
              Patrik Končitý (pkoncity2)
              Radovan Sroka (Inactive)
              Natália Bubáková