Bug
Resolution: Unresolved
rhel-8.10, rhel-9.6, rhel-10.0
Low
rhel-security-selinux
ssg_security
Red Hat Enterprise Linux
When checking the fapolicyd trust database, it appears that multiple SELinux files are untrusted, including the binary policy, e.g.:
/etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256
/etc/selinux/targeted/policy/policy.33 miscompares: size sha256
/var/lib/selinux/targeted/active/commit_num miscompares: sha256
/var/lib/selinux/targeted/active/file_contexts miscompares: size sha256
/var/lib/selinux/targeted/active/modules_checksum miscompares: sha256
/var/lib/selinux/targeted/active/policy.kern miscompares: size sha256
This is an issue on hardened systems that do not run the default fapolicyd rules, which may be considered too loose: in particular, rule 2 is commented out and rule 14 is replaced by a denial rule, as shown below.
# fapolicyd-cli --list
[...]
1. allow perm=any uid=0 : dir=/var/tmp/
2. allow perm=any uid=0 trust=1 : all    <<<<<< removed for hardening (see RHEL-1369)
3. allow perm=open exe=/usr/bin/rpm : all
4. allow perm=open exe=/usr/bin/python3.9 comm=dnf : all
5. deny_audit perm=any pattern=ld_so : all
6. deny_audit perm=any all : ftype=application/x-bad-elf
7. allow perm=open all : ftype=application/x-sharedlib trust=1
8. deny_audit perm=open all : ftype=application/x-sharedlib
9. allow perm=execute all : trust=1
10. allow perm=open all : ftype=%languages trust=1
11. deny_audit perm=any all : ftype=%languages
12. allow perm=any all : ftype=text/x-shellscript
13. deny_audit perm=execute all : all
14. allow perm=open all : all    <<<<<<< replaced by "deny_audit perm=open all : all"
In my opinion, everything that the SELinux tools produce has to be trusted.
Additional note
Once fapolicyd rules are hardened, executing semodule -R to reload the policy fails silently, as shown below:
# mv /etc/fapolicyd/rules.d/20-dracut.rules /etc/fapolicyd/rules.d/20-dracut.rules.hardened
# mv /etc/fapolicyd/rules.d/95-allow-open.rules /etc/fapolicyd/rules.d/95-allow-open.rules.hardened
# echo "deny_audit perm=open all : all" > /etc/fapolicyd/rules.d/95-deny-by-default-hardened.rules
# fagenrules
# fapolicyd-cli --list
[...]
1. allow perm=open exe=/usr/bin/rpm : all
2. allow perm=open exe=/usr/bin/python3.9 comm=dnf : all
3. deny_audit perm=any pattern=ld_so : all
4. deny_audit perm=any all : ftype=application/x-bad-elf
5. allow perm=open all : ftype=application/x-sharedlib trust=1
6. deny_audit perm=open all : ftype=application/x-sharedlib
7. allow perm=execute all : trust=1
8. allow perm=open all : ftype=%languages trust=1
9. deny_audit perm=any all : ftype=%languages
10. allow perm=any all : ftype=text/x-shellscript
11. deny_audit perm=execute all : all
12. deny_audit perm=open all : all
Reload fapolicyd with new rules:
# fapolicyd --debug-deny [...]
Reload the SELinux policy (it fails, but the failure is not detected):
# semodule -R    --> exits without reporting any failure
Although fapolicyd denied the reloading (as expected):
05/31/2025 10:10:21 [ DEBUG ]: rule=12 dec=deny_audit perm=open auid=0 pid=2289 exe=/usr/sbin/load_policy : path=/etc/selinux/config ftype=text/plain trust=0
05/31/2025 10:10:21 [ DEBUG ]: rule=12 dec=deny_audit perm=open auid=0 pid=2289 exe=/usr/sbin/load_policy : path=/etc/selinux/targeted/policy/policy.33 ftype=application/octet-stream trust=0
There is hence a bug in semodule -R, since it does not report that the policy load failed.
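A defender-side check for the two symptoms above, added here as an example (it is not code from the original report or from the fapolicyd project): it picks the SELinux-managed files out of `fapolicyd-cli --check-trustdb` output, extracts the paths fapolicyd denied to load_policy from its debug output, and wraps `semodule -R` so that a reload which fapolicyd blocked is no longer silent. It assumes the line formats quoted in the report, and the log file path and the sample input are constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not code from the original report or the fapolicyd project).
# Assumes the two line formats quoted in the report: `fapolicyd-cli --check-trustdb`
# lines ("<path> miscompares: ...") and fapolicyd debug lines
# ("... dec=deny_audit perm=open ... exe=<exe> : path=<path> ...").

# SELinux-managed files that the trust database reports as changed.
selinux_miscompares() {            # $1: file holding --check-trustdb output
    awk '$2 == "miscompares:" && $1 ~ "^/(etc|var/lib)/selinux/" { print $1 }' "$1"
}

# Files fapolicyd refused to let load_policy open (the cause of the silent semodule -R failure).
load_policy_denials() {            # $1: file holding fapolicyd debug/deny output
    awk '/dec=deny_audit/ && $0 ~ "exe=/usr/sbin/load_policy" {
             for (i = 1; i <= NF; i++) if ($i ~ /^path=/) { sub(/^path=/, "", $i); print $i }
         }' "$1"
}

# Run `semodule -R` and fail loudly if fapolicyd logged a new load_policy denial meanwhile.
# $1: file receiving fapolicyd deny output (assumed, e.g. where --debug-deny output is redirected).
checked_policy_reload() {
    local log=$1 before after
    before=$(load_policy_denials "$log" | wc -l)
    semodule -R || return 1
    after=$(load_policy_denials "$log" | wc -l)
    [ "$after" -le "$before" ] && return 0
    echo "semodule -R returned 0 but fapolicyd denied load_policy on:" >&2
    load_policy_denials "$log" | tail -n "$((after - before))" >&2
    return 1
}

# Constructed sample input (the deny lines are copied from the report) so the parsers run offline.
SAMPLE_TRUSTDB=$(mktemp)
SAMPLE_FAPOLICYD_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_TRUSTDB" "$SAMPLE_FAPOLICYD_LOG"' EXIT
cat > "$SAMPLE_TRUSTDB" <<'EOF'
/etc/selinux/targeted/policy/policy.33 miscompares: size sha256
/usr/bin/example-tool miscompares: sha256
/var/lib/selinux/targeted/active/policy.kern miscompares: size sha256
EOF
cat > "$SAMPLE_FAPOLICYD_LOG" <<'EOF'
05/31/2025 10:10:21 [ DEBUG ]: rule=7 dec=allow perm=execute auid=0 pid=2289 exe=/usr/bin/bash : path=/usr/sbin/load_policy ftype=application/x-executable trust=1
05/31/2025 10:10:21 [ DEBUG ]: rule=12 dec=deny_audit perm=open auid=0 pid=2289 exe=/usr/sbin/load_policy : path=/etc/selinux/config ftype=text/plain trust=0
05/31/2025 10:10:21 [ DEBUG ]: rule=12 dec=deny_audit perm=open auid=0 pid=2289 exe=/usr/sbin/load_policy : path=/etc/selinux/targeted/policy/policy.33 ftype=application/octet-stream trust=0
EOF

selinux_miscompares "$SAMPLE_TRUSTDB"        # the two SELinux paths; /usr/bin/example-tool is skipped
load_policy_denials "$SAMPLE_FAPOLICYD_LOG"  # /etc/selinux/config and .../policy/policy.33
```

On a real host, run `checked_policy_reload <log>` instead of a bare `semodule -R`, and feed the paths from `selinux_miscompares` to `fapolicyd-cli --file add` followed by `fapolicyd-cli --update` if the decision is to trust the files SELinux tools generate.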